--- begin forwarded text
Status: RO
Date: Mon, 11 Nov 2002 19:32:54 +0000
From: Adam Back <[EMAIL PROTECTED]>
To: IanG <[EMAIL PROTECTED]>
Cc: "R. A. Hettinga" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Digital Bearer Settlement List <[EMAIL PROTECTED]>
Subject: security of limits in mondex (Re: Spending velocity limit implementation in smart cards)
User-Agent: Mutt/1.2.2i
Sender: <[EMAIL PROTECTED]>

On Mon, Nov 11, 2002 at 12:55:24PM -0500, IanG wrote:
> [...] If you are talking about the system, then simply go to
> the backends and do some statistics on the backend data
> base. Even Mondex uploads transactions, so you would
> be able to do the numbers. (From memory, Mondex uploads
> the last 10 transactions when you plug it into certain
> terminals. Although, this "feature" is controversial,
> as the company has never released sufficient details to
> know for sure.)

I was wondering about this recently to do with Mondex. They claim, as you say, to have limits on transaction uploads, so the user could hide some transactions. Indeed the user need never reconnect to the bank, always refilling via other users and spending to other users. Although they could, if they chose, implement something on the card to force it to connect within some maximum interval to the bank.

And yet I thought they claimed to be able to have some liability limiting factors such as limits on card spending per month, and perhaps card spending ever. And the card itself is just a tamper resistant counter, and signed receipts are exchanged between cards to add to the counter (received payment) and subtract from the counter (send payment).

But I think these claims are contradictory unless the limiting factors are implemented on the card, in which case they offer limited protection against someone extracting private keys from the card.

So are they really uploading everything to bank via other cards even in peer to peer, or perhaps enough information (value, but not user or transaction description) to notice imbalances (corresponding to hacked bottomless cards)?

Or is it that the limits are in fact implemented on card and their likely effectiveness in combatting fraud from tampered cards exaggerated?

Adam
--
http://www.cypherspace.net/

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
