London Transport (uk.transport.london) Discussion of all forms of transport in London. |
#11
On Jul 22, 3:45 pm, asdf wrote:
On Tue, 22 Jul 2008 07:05:53 -0700 (PDT), wrote:

What would be really neat (but almost certainly not possible using a standard Oyster card) would be to have "magic" cards that change their number. For example, a Sunday trip from Watford Junction to London with enough zone 1 travel to pass the z1-2 cap is cheaper with two cards. - 3.00 each way from WJ-Euston plus 4-80 z1-2 cap. (Z1-8+WatfordJ cap is 12.60)

In theory it's maybe possible for the card to tell where it's being touched in or out before it reveals its serial number (at the very least it could possibly start a corrupted transmission first time). So rather than having to have two cards and remember which one to use when, the card could handle all that logic for you.

(You can do even better if you touch out/in at Willesden Junction - total journey cost 6.80 - but that requires you to take the slow train. I can't see how any hack is going to be able to generate a valid touch out. I can see that a faked touch in might be possible.)

What on earth would be the point in such an elaborate scheme?

That it's a potentially legal way to want to use a hacked card. All the hack is doing is making sure you don't accidentally use the wrong card at the wrong point.

If you've hacked the card then you can just add £100 (or whatever) of PAYG credit, for free, whenever you feel like it. Your card would probably be blacklisted during the nightly synchronisation of the readers with the central database, but it does give you an unlimited day's travel each day for £3 (or, if you can change the card's serial number, not even that).

I don't know how quickly the system can react but I'd expect the system to be transmitting the card reported details back to the central system. So there's a good chance of your card being disabled before you even reach your destination if you try and use it on the tube.

Tim.
#12
wrote in message ...

On Jul 22, 9:40 am, wrote:
On Jul 21, 6:25 pm, Tom Barry wrote:
Adrian wrote:
"Batman55" gurgled happily, sounding much like they were saying:

"Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled." See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB

And quite right too. Security by obscurity is a laughable farce.

Indeed. What NXP were trying to do smacks of claiming you can walk safely off Beachy Head after banning the teaching of the Theory of Gravity.

I notice LUL are still claiming Oyster security is perfectly ok. Do they live in a parallel universe or something? The sooner this whole Oyster card b0ll0cks is blown apart the better, then we can get back to normal tickets without any you-forgot-to-touch-out scams.

We don't know what the technique is yet. Given that the Oyster central database knows how much money you have on your card, I assume that it's going to work by adding more virtual money to the card, but not to the database. This will enable you to use the card for journeys on a part of the system that is not permanently online (which I guess means only buses).

ISTM that this will only work until the remote machine syncs up with the central database, when the fraud will be recognised, the card blocked and the journey analysed to see if there are people making the same journey on hacked cards.

Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW

tim
#13
Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW

The ideal cards to clone would be the staff gate passes.
#14
"Matthew Dickinson" wrote in message ...

Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW

The ideal cards to clone would be the staff gate passes.

Do they open any station, or just the one that they are located at?

tim
#15
On Tue, 22 Jul 2008 02:24:31 -0700 (PDT), "
wrote:

The easiest exploit is going to be when a few people get together to exploit the cap. Assuming that only one person uses the card at a time then AFAIAA technically they're not breaking the rules so long as they actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly.

Er, that wouldn't work for capping as the data to perform the cap would be stored on the card, surely, and just occasionally sent back to a central server to ensure it hadn't been messed with? The most likely clone job would be something like topping an unregistered PAYG card up with 50 quid then making 10 copies of it.

Neil
--
Neil Williams
Put my first name before the at to reply.
#16
On Tue, 22 Jul 2008 19:55:17 +0100, "tim....."
wrote:

The ideal cards to clone would be the staff gate passes.

Do they open any station, or just the one that they are located at?

And no use if a grip is carried out because they aren't valid for travel (or I don't think so anyway). Even easier would be to clone a magstripe gate pass, but you'd still be stuck if you got caught.

Neil
--
Neil Williams
Put my first name before the at to reply.
#17
On Tue, 22 Jul 2008 18:18:08 +0100,
tim..... wrote:

Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive.

I agree. There's "pickpocketing" a card as someone exits the gate. But it's still not going to work very well if the "pickpocket" makes a regular journey. It might take a couple of weeks rather than a couple of days before red flags come up. And it seems unlikely that any casual user is going to go to all the trouble to save a few pounds - they're far more likely just to sneak through the gates behind someone else.

Then there's sharing a card to only have one cap. But I wonder how many people are going to make a journey, then phone their accomplice "Ok, I'm out. Now you make the journey." It's the sort of thing some university students might do to prove it can be done but it seems unlikely there are many other people who will bother.

(It would already probably be possible to do this where there's mobile reception - person 1 makes the journey as normal. They then have a laptop with 3G modem and card transponder. Other person also has a card transponder also wired up to a laptop. Second person touches with transponder - data is transmitted from laptop to laptop and the signals replayed to the card. If you were really careful you might even be able to fool a train inspector with this technique on the overground.)

Perhaps the biggest threat is from the people who enter at an ungated, distant station and have a zone 1&2 travelcard. Currently they can just "forget" to touch out - I don't know what systems are in place to detect that - but now they can potentially have a fake card that appears to have a valid touch in if they are inspected on the train. (And is there anywhere in Z1&2 where you can enter or exit without going through a gateline? That would be an obvious way to detect cards being used like this if every Z1&2 station has a gateline)

I suppose the other possibility is to have two fake cards, put a few (fake) pounds on each, touch in on one and out on the other. (maybe even have a fake entry on the "out" card). That way, if the system spots the fake entry while you're travelling it can't block the card before attempting to exit with it because it will never be used again. But again, you'd better not have a regular journey doing this because it's still going to be noticed, just not necessarily easy to automatically block.

Tim.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," and there was light.
http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/
#18
Tim Woodall gurgled happily, sounding much like they were saying:

(And is there anywhere in Z1&2 where you can enter or exit without going through a gateline?

Yes, at least one - Kensington Olympia.
#19
If the encryption really has been cracked and the protocol documented then it should be straightforward to construct a device that can impersonate a legit card, with a random-but-plausible serial number and balance and journey history, and make it indistinguishable from the real thing. The Oyster technology is low tech enough that it should be possible to do with cheap off the shelf parts, or by repurposing an existing mass-produced device (possibly even Oyster cards). If it didn't have a fixed serial number there'd be no way to block it, short of catching someone in the act.

That said, how widespread are fake magstripe tickets? They don't have any encryption as far as I know.

U
--
http://londonconnections.blogspot.com/
A blog about transport projects in London
#20
On 22 Jul, 21:28, Tim Woodall wrote:
And is there anywhere in Z1&2 where you can enter or exit without going through a gateline?

Finsbury Park, Essex Road, Drayton Park (I assume) all DLR stations except Bank, various NLL stations, Upper Holloway, Paddington H&C if the concourse gateline is left open, and probably others.

U
--
http://londonconnections.blogspot.com/
A blog about transport projects in London