Mondex: Early problems of implementation
Felix Stalder, E-Money, Vol.1 No.7. (November, 1998)
On February 13th, 1997, Mondex Canada, a consortium of all of the country's major banks and a number of credit unions, launched the community-wide introduction of the Mondex electronic purse in Guelph, Ontario, a medium-sized university town an hour's drive north-west of Toronto. It was, and more than 18 months later still is, the most extensive field test of smart card-based e-cash in North America. It has been closely watched, though the evaluations of the (preliminary) results differ significantly. One group, led by Mondex Canada itself, calls the Guelph experience a "great foundation to build on"[i] while others, critical journalists, academics and activists, call the Mondex plan "a house of cards."[ii]
Such conflicting views are not untypical for the current state of e-purse implementation around the globe.[iii] In Guelph, and elsewhere, these conflicts are rooted in different perspectives on the events. The promoters' claims of success are most often based on the number of cards issued. In Guelph, this figure is slowly rising, even surpassing the target initially set out.[iv] The growing diffusion of the technology from the center, Mondex Canada, through the public at large is taken as a sign of increased acceptance by the public. This industry-centered, top-down view of the situation, however, leads to questionable conclusions, as the number of cards issued indicates, most of all, the considerable marketing power of the financial institutions.
Ultimately the success or failure of Mondex and other smart cards will be decided in the market place. There, Mondex has a hard time, attracting lots of explicit and implicit criticism. The problems are concentrated in three areas: security, privacy and utility. While the first two points are raised very explicitly, the latter appears indirectly in the consumers' behaviour of hardly using the card after having received it from the financial institutions. In this context, the question is not so much whether this critique, especially on the first two points, is ultimately "justified". The fact that it persists indicates the existence of real concerns in the market place which have to be understood and taken seriously.
In this article, I want to look at these three problematic areas and suggest some ways of addressing them.
Being an off-line electronic cash system, Mondex needs to meet an extremely high security standard to keep the circulation closed. If it were possible to introduce unauthorized information into the circulation, this illegal information could not be discerned from legitimate value because money is effectively created with every transaction.[v] To meet the high standard, the Mondex security concept consists of three elements:
The prevention strategy consists of several steps: It begins with the two basic elements in the Mondex system, the hardware of the chip embedded in the card and the software which controls the movement of value between cards. Mondex uses state-of-the-art chip and encryption technology which makes it difficult, time-consuming and expensive to break into the system. This sets "the height of the wall", as John Beric, head of security at Mondex International, explains.[vi]
When the Mondex card comes into contact with the financial institution, statistical data is collected based upon which a comprehensive behavioural analysis of the card's usage can be done. This provides an ability to determine the profile of individual cardholders (being updated on a regular basis), and also provides comparative portfolio analysis of such transaction flows with other similar types of customer.
This analysis provides the basis for an immediate drill-down capability to identify individual customers or portfolios which are undertaking exceptional or disproportionate levels of value redemption. The Mondex chip has its own risk management measures, built onto the chip itself, with different 'classes of purse' having different value limits. The current Mondex chip design can be programmed to automatically react to 'unusual' card behaviour, such as very high levels of value turnover, and temporarily close down.
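The peer comparison described above can be sketched as follows. This is an added example, not Mondex code: the record layout, the purse-class names, the median/MAD scoring and the 3.5 cut-off are assumptions, and the records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (card_id, purse_class, value redeemed at the bank).
# Field names, class names and amounts are illustrative assumptions.
RECORDS = [
    ("c01", "consumer", 40), ("c01", "consumer", 20),
    ("c02", "consumer", 55), ("c03", "consumer", 45),
    ("c04", "consumer", 60), ("c05", "consumer", 900),
    ("m01", "merchant", 4200), ("m02", "merchant", 3900),
    ("m03", "merchant", 4600), ("m04", "merchant", 4100),
]

def totals_by_class(records):
    """Sum redemptions per card, grouped by purse class."""
    totals = defaultdict(lambda: defaultdict(int))
    for card, purse_class, value in records:
        totals[purse_class][card] += value
    return totals

def flag_disproportionate(records, cutoff=3.5, min_peers=4):
    """Return cards whose redemption total is a high outlier among their peers.

    Each card is scored against the median of its own purse class using the
    median absolute deviation (MAD), so one extreme card does not inflate
    the baseline the way it would with a mean and standard deviation.
    """
    flagged = []
    for purse_class, cards in totals_by_class(records).items():
        values = list(cards.values())
        if len(values) < min_peers:
            continue                  # too few peers to form a baseline
        mid = median(values)
        mad = median(abs(v - mid) for v in values)
        if mad == 0:
            continue                  # over half the peers share one value; MAD cannot score
        for card, total in cards.items():
            score = 0.6745 * (total - mid) / mad   # robust z-score
            if score > cutoff:
                flagged.append((card, purse_class, total))
    return sorted(flagged)

if __name__ == "__main__":
    for card, purse_class, total in flag_disproportionate(RECORDS):
        print(f"{card} ({purse_class}) redeemed {total}: review")
```

The merchant card redeeming 4600 is not flagged because it is ordinary for its class, while the consumer card redeeming 900 is; a single threshold across all cards would get both wrong.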
Mondex assures that "cards identified as being unauthorized, reported stolen or potentially fraudulent can be de-linked immediately from the banking system." However, they cannot be delinked from the general circulation of Mondex value. To minimize this problem, Mondex can change some of its security features on the fly, without reissuing new cards. Each card contains not one but two transfer protocols, A and B. Every Mondex card can switch between the two without the user knowing or being able to prevent it. The command to switch from one protocol to the other is transferred in a snowball system from Mondex card to Mondex card. The issuer starts the avalanche by instructing all cards that come in contact with a gateway, for example when downloading a value into the card at an ATM, to switch from A to B. Each card then instructs all cards with which it communicates to switch too. Knowledge about protocol A becomes worthless as soon as a card is switched to protocol B.
In addition to this standard migration it is also possible to introduce additional software upgrades to cards by installing the upgrade at bank ATMs that will automatically upgrade all the cards with which they come in contact.
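The A-to-B switch described above can be modelled as a replay over contact events. This is an added example, not Mondex code: the event format and card numbers are constructed, and it assumes a switched card passes the command on in either direction of a transfer. It shows that cards which only transact inside a closed group stay on A until one of them reaches a gateway or a switched card.

```python
# Constructed contact log. ("gateway", card) is a card touching an issuer
# gateway such as an ATM; ("transfer", a, b) is a card-to-card value transfer.
EVENTS = [
    ("transfer", 1, 2),  # before the rollout: both on A, nothing to pass on
    ("gateway", 0),      # issuer instructs card 0 to switch to B
    ("transfer", 0, 1),  # card 0 passes the command to card 1
    ("transfer", 4, 5),  # closed pair that never meets a switched card
    ("transfer", 1, 2),
    ("transfer", 3, 2),
    ("transfer", 5, 4),
]

def replay_migration(events, cards):
    """Replay contacts in order.

    Returns (progress, still_on_a, legacy_transfers):
      progress         - number of cards on B after each event
      still_on_a       - cards the command never reached
      legacy_transfers - transfers done under A after the rollout began,
                         i.e. how long the old protocol stayed in use
    """
    on_b = set()
    progress = []
    legacy_transfers = 0
    for event in events:
        if event[0] == "gateway":
            on_b.add(event[1])
        elif event[0] == "transfer":
            _, a, b = event
            if a in on_b or b in on_b:   # assumption: command passes both ways
                on_b.update((a, b))
            elif on_b:                   # rollout started, but both still on A
                legacy_transfers += 1
        else:
            raise ValueError(f"unknown event type: {event[0]!r}")
        progress.append(len(on_b))
    return progress, set(cards) - on_b, legacy_transfers

if __name__ == "__main__":
    progress, still_on_a, legacy = replay_migration(EVENTS, range(6))
    print("cards on B after each event:", progress)
    print("cards never reached:", sorted(still_on_a))
    print("protocol-A transfers after rollout began:", legacy)
```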
Whether this security system is effective or not is highly contested. In a report on the security of smart cards, the security specialist Ross Anderson, who is based in Cambridge, UK, concluded that "smart cards are broken routinely, and even a device that was described by a government signals agency as 'the most secure processor generally available' turns out to be vulnerable."[vii] Mondex points out that the scarcity of the technology capable of making counterfeit chip cards offers a considerable barrier. Again, this is contested. Anderson doubts it because, "the spread of nanotechnology means that a rapidly growing number of sites have the equipment on hand to break chips such as ion beam workstations. Tamper resistance at the chip level is getting further and further away."[viii] The cost of actually breaking the Mondex system, he estimates, would be about $100 000 for a two-to-four week job at a specialized firm.[ix] The accuracy of this understanding was indicated in June, 1998, when a private cryptographic research company developed a successful way to attack smart cards like the one used by Mondex.[x] Paul Kocher, the 25-year-old principal scientist who developed the attack, concludes: "We have not yet encountered a card that couldn't be broken."[xi]
Since there is a possibility, which has to be taken seriously, that the Mondex chip could be broken, the security concept puts emphasis on detection capabilities in order to discourage attempts to break into the system. However, this has potentially serious repercussions on the degree of privacy the Mondex system offers its users, and various advocacy groups have been set in motion, ranging from local activists to international civil rights organizations.
Ever since its public introduction in 1995 in Swindon, UK, Mondex has had an uneasy relationship with privacy advocates who suspect it of gathering data about the spending habits of Mondex users. Mondex has tried to convince its critics that this is not the case, that peer-to-peer transfers and those between the consumers and the merchants are not secretly audited by the Mondex issuer. The conflict between Mondex and civil rights groups is rooted in the fact that Mondex cannot, for security reasons, release technical details about the workings of the card. Since no independent information on this point is available, there is a need to trust the information released by Mondex. However, this trust - difficult to assume to begin with - was damaged when Mondex had to revoke early announcements of the technology offering user anonymity[xii] and by a leaked memo about how to divert questions on the issue.[xiii] The problem was exacerbated by Mondex initially being reluctant to provide information about the details of the transfer protocols. While Mondex now provides substantially more information than at the beginning of the Guelph trial, the privacy debate is likely to stay with Mondex and, given the lack of trust among the parties involved, no unilateral effort of Mondex is likely to close off the debate easily.[xiv]
Privacy, however, is an increasingly critical issue in electronic commerce, and in electronic data interchange in general. Introducing a new technology, Mondex targets the technology-literate consumers who will lead the migration of the public at large to a new payment system. However, these early adopters are critical and well-educated consumers, likely to be receptive to information about virtues as well as eventual problems of the technology. The persistence of the debate, independent of whether it is justified or not, is likely to damage Mondex's reputation considerably, particularly with this crucial group of customers.
The most serious difficulty for the Mondex system comes from consumers themselves. Rather than speaking out loudly, they vote silently by simply staying away from the system, even after having received the card.
Mondex is quite visible in Guelph. There is a Mondex store in the downtown core and advertising has been very significant. It can be safely assumed that virtually everyone has, at the very least, heard of Mondex. Initially, a significant number of merchants signed up and installed the Mondex card reader on their counters. Casual evidence, gathered in a series of visits to Guelph over the course of this year, offers the following glimpses of the experience. The main student "mall" on a campus of 17,000 did, on the weekday visited, $18.50 in Mondex. The downtown fast-food restaurant, Wimpy Burger, has several Mondex customers a day - virtually all clerks from the Mondex store and bank across the street. Also the MiniMart, a downtown grocery store, gets only a few Mondex sales a day. The nearby Mexican Restaurant does not take Mondex but estimates that 45% of its income is via debit card, the main electronic competitor to Mondex.
A thorough, independent study would be needed to assess the situation precisely. However, the consistency of the scattered evidence seems to suggest a general trend: Mondex has not (yet) found its niche. Merchants experience only light use of Mondex and to most people Mondex is just another piece of plastic, though one with a few complications to use. It needs to be fed periodically at some kind of ATM-like device, and it is not significantly faster than cash or the very popular debit card. In short, there are very few payment situations in which Mondex is clearly superior to all existing payment options. Furthermore, the direct competition is very strong, not only from debit cards, but also from cash. Rather than being simply bulky and inconvenient, as portrayed by Mondex, cash is the most immediate experience of money, the one from which all other forms - credit and debit - are derived. If cash were just loose change, then the convenience argument might be convincing. However, cash is much more: it is a complex cultural product, full of symbolic value. All this adds value to the cash experience and is lost in the transition to Mondex without the consumer getting much in return. As the Guelph experience suggests, the problem is not so much that consumers do not know how to use it, but that there are not enough significant reasons why to use it.[xv]
Addressing the problems
In the current critical stage of the introduction of Mondex, the different problems sketched above are mutually aggravating. To break what appears to be a deadlock or at least a considerable slow-down, they have to be taken seriously since they are unlikely to go away unless addressed. The first step is to understand that the critics and the early adopters want to be well-informed and are requesting information which will enable them to make their own assessment. Without this, it will be very difficult to develop trust in the technology. And trust, of course, is what money is all about.
The security issue is the least complex one here. To reveal all the details of the security concepts would be, obviously, counterproductive. Since there is a need for a certain degree of secrecy and risk, the issuers of Mondex need to back up their own technology more strongly. For the consumer the security aspect translates into the question: Can the money stored on the card suddenly lose its value if the system fails? Since this risk is incalculable for the consumers, they demand that the issuer take that risk and honour all value stored on a Mondex card. Hard-pressed in Guelph, the Royal Bank of Canada and the Canadian Imperial Bank of Commerce (CIBC) have issued this guarantee, but not without limiting it to the Guelph trial only. As long as the issuer is so obviously cautious about taking responsibility for its own technology, rumors about the security problems will have disturbing relevance for consumers, especially because they cannot and do not want to be required to assess if they are justified or not.
The privacy issues can be dealt with more easily by cooperating more actively with privacy commissioners, such as the Privacy Commissioner of Ontario, who has recently released, in collaboration with the Advanced Card Association of Canada, guidelines for how to assess the privacy implications of smart cards.[xvi] Central to the credibility of any privacy initiative is not only collaboration with institutions outside the financial industry, but also the establishment of an independent body that can periodically assess the implementation of privacy policies.
The most difficult problem to solve is the problem of utility. All field tests indicate that people will only change their habits - especially so deeply-rooted and personal a habit as handling cash - if they experience significant, real advantages. If the new thing claims to be like the old one, as Mondex claims to be "just like cash", then there is little added value in return for investing the effort to change. Mondex needs to promote applications in which it is clearly superior to cash and already existing electronic payment systems, from a consumer point-of-view. At the counter in a grocery store this is not the case. Places where masses of people need small change and have, up to now, no alternative to it, are more suited to short-term adaptation: public transit, parking meters, pay-phones, vending machines and so on.
People will only start using the technology if they can trust it, when they can easily assess the risks involved or if they are protected by the issuing institutions against fraud, as they are with credit cards. They will only use the technology if they know that it will offer them a reliable degree of privacy and, most of all, they will only use it if it makes their lives easier, according to the different things this means for each of them.
[i] PR, November 5, 1997
[ii] See, for example, Jones, David (1997). Mondex: A House of Smart-Cards?. The Convergence, July, 12th available at: http://insight.mcmaster.ca/org/efc/pages/media/convergence.12jul97.html
[iii] See, for a comparative survey: Birch, David (1998). The European Purse Scene: A Snapshot View and Some Predictions. pp. 11-13 E-Money: The Journal for Electronic Commerce for the Financial Industry
[iv] The one-year milestone of 10'000 cards issued was reached after 7 months. After one year, 12'000 cards were distributed among the 100'000 inhabitants of Guelph.
[v] The Mondex system does not have "tokens" with a fixed serial number. A transaction in effect destroys money on one side and creates the equivalent amount on the other side, linking both sides only through the transaction record.
[vi] Interview published in Computerworld, May 16, 1997 http://www.idg.co.nz/interview/Beric.htm
[vii] Anderson, Ross; Kuhn, Markus (1996). Tamper Resistance - a Cautionary Note. pp. 1-11 The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21 available at: http://www.cl.cam.ac.uk/users/rja14/tamper.html
[viii] Anderson: The unmaking of Mondex, Computerworld, May 12, 1997 http://insight.mcmaster.ca/org/efc/pages/media/nz-computerworld.12may97b.html
[x] The method used is called differential power analysis (DPA). It works by monitoring the power used by the chip on a smart card as it operates. The integrated circuits on chips are built from individual transistors, which exhibit observable electrical behaviour. Small fluctuations in power use can be recorded and subjected to statistical analysis to reveal and extract binary code, including PIN numbers or encryption keys. See http://www.cryptography.com/dpa
[xi] San Jose Mercury News, June 23, 1998.
[xii] See, http://www.privacyinternational.org
[xiii] The publication of leaked material, and its rapid spread on the Internet where it is impossible to retract, is a reality in a competitive, information-rich environment. This has to be taken into consideration.
[xiv] Clarke, Roger (1997). The Monster from the Crypt: Impacts and Effects of Digital Money. Paper presented at the Computer, Freedom & Privacy Conference (CFP'97) available at: http://www.anu.edu.au/people/Roger.Clarke/EC/CFP97.htm
[xv] Sternberg, Sam (1998). Plastic, not Chips. Forbes.com, 20, July. available at: http://www.forbes.com