When he joined the Zlín-based Monet+ in 1999, his first task was helping colleagues travel across Slovakia to manually update software in payment terminals. Today, Milan Hrdlička is an expert who has helped develop systems protecting transactions in the largest Czech banks. He was at the birth of the revolutionary CryptoPlus platform, withstood an unfair attack from a competitor, and worked to put top-tier banking security right into people’s pockets—directly into their smartphones. How is the code that powers critical infrastructure developed, and why is it sometimes necessary to examine smart cards under a microscope in France?
Milan, when you joined Monet+, word has it you were immediately greeted with a massive field trip to Slovakia to service the terminals of the Slovnaft network. What was that like back then?
It was a totally different era. The internet as we know it today simply didn’t exist. Terminals at gas stations worked by dialing a connection via modem every night to send data to the headquarters. The idea of doing a remote mass software update like you would today was absolutely unthinkable. Once, a problem arose, and we had to manually reinstall thousands of terminals across the whole of Slovakia. Everyone at Monet+ who had hands, feet, and could drive a car headed out into the field. It was a huge learning experience because we were training the staff on the spot and seeing our technology in real-world operation at the customers’ locations.
From a security perspective, where was the biggest problem back then, and how did you solve it?
The market was struggling with fraud involving old magnetic stripe cards, which were relatively easy to copy. Monet+ therefore decided to rely on smart cards. I jumped onto a moving train and was tasked with developing a communication gateway for the so-called CASSIS server. This was a central security encryption module—an “armored box” of sorts—that verified cryptographic packages for every transaction from the gas stations and securely recognized if it was a genuine transaction, which de facto eliminated fraud. And if smart cards served so well in protecting payments, why not entrust them with even more demanding tasks? I believe that was the primary area for which Monet+ s.r.o. hired me back then. It was the beginning of the birth of the CryptoPlus platform, which brought PKI smart cards with the highest level of security for private keys for electronic signatures.
So your main domain became the CryptoPlus platform, which represented a huge leap in digital security for the Czech Republic. Why was it so groundbreaking at the time?
My task was to fully integrate secure smart cards with cryptography into the Windows operating system. Until then, software protection was the norm—people had their private keys for electronic signatures stored somewhere in the computer’s memory, from where they could theoretically be stolen or copied. CryptoPlus generated that key directly inside the physical smart card. For us, the smart card meant absolutely reliable protection. Once you have that card, you simply cannot “pry” the private key out of it. The only thing you can do is enter the correct PIN, and only then will the card allow you to create an electronic signature.
This system was apparently quite successful—word is that the largest banks in our country still run on its legacy after an incredible twenty-five years…
We were true pioneers with this technology. We started with the first certification authority (I.CA) and ČSOB’s corporate clients. Subsequently, it became the standard; we supplied it to Tatra banka, Komerční banka, Česká spořitelna, and even outside of banking, like the Czech Social Security Administration. The solution was built so robustly that some of its “offspring” in Komerční banka and Česká spořitelna are still running reliably today. For corporate banking, where hundreds of millions in payments flow, it was one of the few methods those banks truly trusted.
There is a detective-like plot associated with Komerční banka, though. A competitor supposedly tried to squeeze you out by claiming they had “cloned” your invincible smart card. What happened?
That was probably the worst case of unfair competition I’ve ever encountered. The competing firm sent a letter to the bank’s board claiming our technology was full of holes and could be cloned. It meant a risk of losing trust in the technology. We managed to agree with the bank to give them a new card and let them prove it. The guys came back a few days later with an “epoxy clone,” showing that the original keys could be used from it. Furthermore, they brought the original card cut in half, claiming they had to destroy it for security reasons. The bank was in shock.
How did you eventually get out of that? Did they actually crack the chip?
It immediately occurred to me to look at the system logs. I found the record of all communication with their so-called epoxy “clone” and discovered it wasn’t a clone at all—they had simply physically moved our original chip into that epoxy. They intentionally cut the original plastic card so that it wouldn’t be obvious the chip had been swapped. Eventually, we took the whole thing under microscopes to the manufacturer’s special laboratories in France. There, the fraud was definitively proven—they were exposed by the different glue on the back of the chip. The original chip was supposed to have transparent glue, but this one had black. Naturally, the bank stayed with our technology.
When did you realize that the future wasn’t just in plastic smart cards, but in mobile phones?
The turning point came around 2012 when our CASE system was created. We had the idea of using mobile phones for one-time passwords much earlier, but it was ahead of its time back then. Ultimately, market demand and pressure from operators forced us to find a solution that didn’t require hardware cards or expensive verification SMS messages, for which banks were paying huge amounts of money. We developed a mobile token—an app where a notification pops up with the transaction details, and you confirm it with a PIN (and today, with a fingerprint or Face ID). It was hugely successful; for example, our Smart klíč system completely replaced those SMS messages for ČSOB.
Was that the springboard for what we know today as Bank iD?
Exactly. We started promoting the concept of identity federation. The point was to decouple complex banking or business applications from the user verification process. Instead of every bank service handling logins on its own, we created a central “identity provider.” This system securely verifies that you are indeed who you say you are and issues a digital “receipt” to other applications that they can trust. Both Bank iD and the state identity (NIA ID) operate on this principle today.
When you look at today’s cyber threats, where do you see the biggest weakness? Is it still the technology?
Paradoxically, no. Today, authentication systems are so strong that it has become much easier for attackers to target the human. People are losing hundreds of millions of crowns a year because they fall victim to social engineering. Attackers artificially create a sense of panic or use emotional blackmail—for example, pretending to save money or a child in distress. Once you get a user into a state of panic, they stop thinking rationally and will personally give the attacker access even to the best-secured systems.
Monet+ has grown from a tight-knit group of enthusiasts to a firm of nearly 300 people. How has that reflected in the way you work?
We had to change our mindset. Previously, it was about a developer essentially designing, writing, and launching the entire system himself—but that required everyone to be a “superman.” Today, I advocate an approach that resembles Ford’s assembly line. We have specialized architects who devise the overall concept, analysts for detailed designs, developers for writing code, and independent testers. Everyone performs their part with maximum expertise, which allows us to create incredibly robust, secure, and high-quality systems without having to find a team composed purely of superheroes.
You’ve been at Monet+ for twenty-five years. What is it about code and cybersecurity that keeps you here?
What has always fascinated me most is real-time communication and, above all, the massive impact on reality. These systems are in live production and do things that are absolutely crucial for the functioning of society and millions of people. I know very well that if our technologies suddenly stopped working, there would be a massive problem out there. It’s simply the adrenaline and the responsibility that keep you going.