-----Original Message-----
From: Steve Reid <[EMAIL PROTECTED]>
Date: Tuesday, 14 December, 1999 5:34 AM
Subject: Re: Debit card fraud in Canada
>
>I'm not sure if I'd trust a smartcard-based system that didn't require
>on-line connectivity. From what little I've seen such things usually
>(always?) depend on the tamper resistance of the device for their
>security (eg. M*nd*x).

Well, actually not just the tamper-resistant device. Smart e-cash like
CAFE (1995) also relies on cryptographic protocols to ensure that even if
the tamper-resistant device is broken (by an attacker), it can still
detect someone who double spends (copies and spends more than once) the
digital coins.

About Mondex, you are probably right. No information is available about the
internals of Mondex; it is kept secret, unlike CAFE, whose specification
was made open (it was a research project anyway). We can assume that Mondex
does rely heavily on the tamper-resistant device.

Keep in mind that what I discuss here is not a credit or debit system; it is
a cash system (i.e. the money is in the card), and it is an off-line
transaction.

There are some ways to "convert" a debit-based system into an off-line but
still secure payment system. We did some research ('playing') on it. Very
simple, but the transaction is traceable (unlike most e-cash systems).
-mukti
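
The double-spend detection mentioned in the message above can be illustrated with a simplified challenge-response sketch; this is an added example, not part of the original message and not CAFE's actual protocol. It assumes a constructed toy group (`P`, `Q`, `G`), hypothetical function names, and omits the bank's signature on the coin.

```python
import secrets

# Constructed toy parameters: P = 2*Q + 1, G generates the order-Q subgroup.
# Real systems use groups large enough that discrete logs are infeasible.
P, Q, G = 2039, 1019, 4

def withdraw(identity):
    """Payer builds a coin committing to its identity u and a one-time secret r.
    (Assumption: the bank's signature binding A and B to the coin is omitted.)"""
    r = secrets.randbelow(Q - 1) + 1
    coin = {"A": pow(G, identity, P), "B": pow(G, r, P)}
    return coin, r

def spend(identity, r, challenge):
    """Payer answers the merchant's challenge c with s = r + c*u mod Q.
    A single (c, s) pair is one point on a line and leaks nothing about u."""
    return (r + challenge * identity) % Q

def merchant_verify(coin, challenge, response):
    """Off-line check by the merchant: G^s == B * A^c (mod P)."""
    expected = (coin["B"] * pow(coin["A"], challenge, P)) % P
    return pow(G, response, P) == expected

def bank_identify(deposit1, deposit2):
    """Two deposits of the same coin are two points on the line s = r + c*u,
    so the slope u (the payer's identity) can be solved for."""
    (c1, s1), (c2, s2) = deposit1, deposit2
    if (c1 - c2) % Q == 0:
        return None  # same challenge: a replayed transcript, not a second spend
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

def double_spend_demo(identity=777):
    """Constructed scenario: the card is cloned and one coin is spent twice."""
    coin, r = withdraw(identity)
    c1, c2 = 5, 9                      # challenges from two different merchants
    s1, s2 = spend(identity, r, c1), spend(identity, r, c2)
    both_accepted = merchant_verify(coin, c1, s1) and merchant_verify(coin, c2, s2)
    return both_accepted, bank_identify((c1, s1), (c2, s2))

if __name__ == "__main__":
    print(double_spend_demo())
```

Both off-line payments verify at the merchants, yet the bank recovers the payer's identity once the two transcripts are deposited, without depending on the card's tamper resistance.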