Here are some reports of weakness in the Mondex technology.
I describe a money card scheme here that was inspired by Mondex rumors. It avoids IFDs and assumes some sort of owner interface that accompanies, or is integral to, the card. The owner is then not at risk of bogus IFDs.
I understand that the Mondex protocol is currently undisclosed. I have no information about that protocol but am merely describing a protocol that fits the little that I know about Mondex. Are there other guesses? Actually I suspect that there is further complexity in the real protocol to help thwart attacks based on successful tampering with such a card.
When a receiving card, the payee, is instructed by its operator to be ready to receive a payment, it increments an internal counter. The payee transmits an infrared message including its unique id, the counter value and a simple checksum. This message is repeated until some time out or a valid transmission from a payer is received.
The payer card, having been instructed by its operator to pay, awaits such a message. Upon receipt it decrements its local balance and constructs a record consisting of the payee’s id, the payee’s counter value, the payment amount and a secret shared by all money cards. The payer then transmits a message with the payment amount, and the secure hash of the record. This transmission is repeated until an acknowledgment or a time out.
Upon receipt the payee is able to reconstruct the payer’s record and compute the secure hash. If the computed hash matches the received hash then the payee can be sure that some legitimate payer card has decremented its local balance and it is thus valid for the payee to increment its value by that amount. It then transmits one acknowledgment.
If the payee’s transmission is garbled but the checksum does not catch it then the transmitted money is lost. The payer thinks it has authorized a balance increment but no card recognizes the authorization as its own.
Garbled transmissions from a payer are ignored when the hash check fails. Subsequent transmissions will hopefully succeed.
Note that this scheme uses no crypto.
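The exchange described above, as an added Python sketch that is not part of the original page and is not Mondex code. Assumptions: SHA-256 stands in for the secure hash, the "simple checksum" is a byte sum modulo 256, ids are 4 bytes, and the `Card` class, the `waiting` flag and the sample values are constructed for illustration.

```python
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"  # assumption: the secret shared by all cards

def checksum(data: bytes) -> int:
    # Assumption: additive checksum; the page only says "simple checksum".
    return sum(data) % 256

def record_hash(payee_id: bytes, counter: int, amount: int) -> bytes:
    # Record = payee id, payee counter, amount, shared secret (SHA-256 is an assumption).
    record = payee_id + counter.to_bytes(4, "big") + amount.to_bytes(4, "big") + SHARED_SECRET
    return hashlib.sha256(record).digest()

class Card:
    def __init__(self, card_id: bytes, balance: int):
        self.card_id, self.balance = card_id, balance
        self.counter, self.waiting = 0, False

    def announce(self) -> bytes:
        # Payee: bump the counter, then send id + counter + checksum.
        self.counter += 1
        self.waiting = True
        body = self.card_id + self.counter.to_bytes(4, "big")
        return body + bytes([checksum(body)])

    def pay(self, announcement: bytes, amount: int):
        # Payer: drop announcements that fail the checksum, else debit and authorize.
        body, check = announcement[:-1], announcement[-1]
        if checksum(body) != check or not 0 < amount <= self.balance:
            return None
        self.balance -= amount
        return amount, record_hash(body[:-4], int.from_bytes(body[-4:], "big"), amount)

    def receive(self, amount: int, digest: bytes) -> bool:
        # Payee: rebuild the record from its own id and counter; credit only on a match.
        expected = record_hash(self.card_id, self.counter, amount)
        if not (self.waiting and hmac.compare_digest(digest, expected)):
            return False  # garbled, replayed, or meant for another card: ignored
        self.balance += amount
        self.waiting = False  # stop listening after one valid payment
        return True

def lost_money_case():
    # Constructed garble: two id bytes change by +1 and -1, so the checksum still passes.
    payer, payee = Card(b"PAYR", 100), Card(b"PAYE", 0)
    garbled = bytearray(payee.announce())
    garbled[0] += 1
    garbled[1] -= 1
    payment = payer.pay(bytes(garbled), 5)
    credited = payee.receive(*payment)
    return payer.balance, payee.balance, credited  # payer debited, nobody credited
```

`lost_money_case()` reproduces the failure noted above: the payer's balance drops while the payee's hash check fails, so the amount is credited to no card.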