This is a note that I wrote when I had first heard of Mondex. Mondex does not currently use infrared signals but instead presumes “IFD”s (InterFace Devices) operated by a merchant, wherever trade using Mondex occurs. These IFDs serve to inform the card owner of the card’s state, convey instructions from the owner to the card, and ultimately perform the money transfers between the card and the IFD operator. Mondex does not build all IFDs but carefully specifies their properties. The card owner must beware of devices not built to those specifications.

Here are some reports of weakness in the Mondex technology.

I describe a money card scheme here that was inspired by Mondex rumors. It avoids IFDs and assumes some sort of owner interface that accompanies, or is integral to the card. The owner is then not at risk of bogus IFDs.

Two money cards, upon command of their respective operators, pass money from one to the other via infrared signals. I think that this requires tamper proof cards.

I understand that the Mondex protocol is currently undisclosed. I have no information about that protocol but am merely describing a protocol that fits the little that I know about Mondex. Are there other guesses? Actually I suspect that there is further complexity in the real protocol to help thwart attacks based on successful tampering with such a card.

When a receiving card, the payee, is instructed by its operator to be ready to receive a payment, it increments an internal counter. The payee transmits an infrared message including its unique id, the counter value and a simple checksum. This message is repeated until some time out or a valid transmission from a payer is received.

The payer card, having been instructed by its operator to pay, awaits such a message. Upon receipt it decrements its local balance and constructs a record consisting of the payee’s id, the payee’s counter value, the payment amount and a secret shared by all money cards. The payer then transmits a message with the payment amount, and the secure hash of the record. This transmission is repeated until an acknowledgment or a time out.

Upon receipt the payee is able to reconstruct the payer’s record and compute the secure hash. If the computed hash matches the received hash then the payee can be sure that some legitimate payer card has decremented its local balance and it is thus valid for the payee to increment its value by that amount. It then transmits one acknowledgment.

If the payee’s transmission is garbled but the checksum does not catch it then the transmitted money is lost. The payer thinks it has authorized a balance increment but no card recognizes the authorization as its own.

Garbled transmission from a payer are ignored when the hash check fails. Subsequent transmissions will hopefully succeed.

Note that this scheme uses no crypto.