LegCo Paper No. CB(1) 273/96-97(01)

Paper for the Bills Committee
Banking (Amendment) Bill 1996
Security of the Mondex scheme

Introduction

At the Bills Committee meeting on 22 October 1996, Members have requested for further information on -

  1. the security procedures for transferring Mondex value from the Global Key Centre (GKC) located in the UK to the Originator in Hong Kong over the telephone;
  2. security of the Mondex chip and safeguards against counterfeit value; and
  3. offences for counterfeiting Mondex value.

Transfer of Mondex value by telephone

2. Members have raised concerns on whether fraudsters can tap into the telephone line and obtain or receive the Mondex value transferred from the Global Key Centre (GKC) located in the UK to the local Originator in Hong Kong. The HKMA has obtained further information from The Hongkong and Shanghai Banking Corporation Ltd, which has in place the following security safeguards to ensure secure transfer of Mondex value from the GKC to the local Originator over the telephone* -

  1. transfer must be made between two Mondex chips of the appropriate purse class. The card held by the GKC can only transfer value to an Originator card (i.e. the value cannot simply be transferred to a non-Mondex chip card or an "ordinary" Mondex card). Cards of both types are only held in highly secure locations; and
  2. Value transfer messages include data that are wholly unique for all time including -
    1. unique identifiers of each card; and
    2. a unique sequence number for the transaction.

This uniqueness prevents a potential fraudster from using any given message to achieve some illicit purpose - such as attempting to duplicate or divert a value transfer. The protocol used in the value transfer process uses sophisticated cryptography to protect the value as it moves from one card to another.

3. The above safeguards are designed to ensure that Mondex value will only be transferred from the GKC card to the Originator’s card if all the identification and protection conditions are met. If any of these conditions is not met, the transfer will fail.

Chip security and safeguards against counterfeiting

4. In designing the Mondex chip security, Mondex has already built in the following safeguards against alteration of data of the chip through physical penetration or logical (software) penetration -

  1. physical penetration - physical barriers, created during the manufacturing process prevent optical or electrical reading or physical alteration of the chip’s contents;
  2. software penetration - features of the software code resident on the chip prevent data stored in memory from being accessed or changed except according to predefined authorisation and access protocols. As an example, Modex International have advised that, if a Mondex chip is exposed to high levels of either radiation or microwaves, it will cease to function.

5. Mondex International is satisfied that the tamper-resistance features of the Mondex chip and the software code present very significant barriers to the alteration of data on the chip for fraudulent purposes. Mondex security is based on continuous, ongoing refinement to achieve further levels of defence against potential future attack. Mondex will regularly migrate to faster and more powerful chips as they become available to make more facilities available to Mondex users and to increase the level of security. This safeguard is designed to discourage potential hackers as any discoveries they might make will rapidly become useless and valueless.

6. The expert Task Force established under the Bank for International Settlements on security of electronic money also confirms that the security technology developed so far should be able to afford a high degree of security to electronic money schemes. In its interviews with suppliers, the Task Force was "impressed with the amount of research that has been undertaken and resources that have been expended on the security of electronic money products." It considers that "many sophisticated security measures have been developed that should provide a high degree of security for electronic money products in their initial stages." It does however recognise the complexity of such products and concludes that "an integrated, overall risk-management approach to security, including independent security assessments, is an important component of the security of these new products." It will also be necessary to ensure that security measures keep pace with changes in technology which would make outside penetration more feasible.

7. The Mondex Hong Kong Dollar Originator has available a range of risk management instruments designed to detect, isolate and contain fraud. The monitoring system is designed to capture and analyse data on trends and unusual situations and has been assessed by an independent specialist consultancy firm to be fit for the purpose. In cases where suspicious behaviour was identified, they would be investigated and if necessary, appropriate measure would be taken, for instance, to contain the loss by changing the security mechanism and to isolate the suspect cards. As a last resort, The Mondex Hong Kong Dollar Originator has in place a comprehensive set of contingency procedures for scheme closedown. In any event, if there were to be fraudulent Mondex value in the system, The Mondex Hong Kong Dollar Originator holds itself to be liable to redeem HK Dollar counterfeit value presented in good faith by bona fide cardholders. The risk of the fraudulent creation of HK Dollar Mondex value is thus borne by The Mondex Hong Kong Dollar Originator.

Offences in creating or using fraudulent Mondex value

8. The Banking Ordinance does not create a specific offence for creation of fraudulent Mondex value. However, the following offences under the Theft Ordinance may have been committed by persons who create fraudulent Mondex value, depending on the circumstances of the case -

  1. section 17(1) - obtaining property by deception. This offence would be committed when a person uses a stored value card fraudulently to obtain goods or cash;
  2. section 18A(1) - obtaining services by deception. This offence would be committed by a person who uses a stored value card fraudulently to obtain services; and
  3. section 19 - false accounting. The offence is committed by a person who creates fraudulent value as this involves falsifying records required for accounting purposes or making use of such record which to his knowledge is false in a material particular.

9. All the above offences are serious offences for which an offender is liable for up to 10 years imprisonment.

Hong Kong Monetary Authority
November 1996

* -- These are in addition to the security measures which exist within GKC itself.

Last Updated on 15 December 1998