(Matthew) writes:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID

According to http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and
store information, and an ariel. When the card is touched to the
cardreader, power flows through the aerial and information moves from
the card to the reader and back again. Communication between the card
and reader is by radio signals and takes less than a fifth of a
second.

If these cards are what have been introduced in Espoo/Helsinki/Vantaa
over the last year or so, then the above is theoretical nonsense.
As a regular bus user I can honestly say that the new cards make
embarkation massively slower than the old 'punch-card' tickets.

Old method : click-click - half a second
New method : wave. nothing. press. nothing. hold. nothing. give to
friend - he holds it against the sensor. nothing. give
back to original person and hold it near the sensor.
beeeep! - 5 seconds or so.

If you've got exact change, then cash is quicker than the cards.
I've seen some people even give up and eventually just pay in cash!

Sorry, no cryptographic insight, but simply an IMHO of why the
things should be burnt and their inventor publicly flogged, hehehe.

Phil

--
Unpatched IE vulnerability: ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: http://ip3e83566f.speed.planet.nl/eeye.html
(but unrelated to the EEye exploit)