Ernst Lippe wrote:
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart
cards for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.
[...]
I expect that this system should be fairly secure, breaking smart
cards is certainly not trivial. Smart cards have been used for quite
some time, e.g. as electronic purses, in several countries and as far
as I know there have not been any major attacks against the smart
cards themselves.

It's not a partiularily smart card, and it is kinda old news, but the
electronic bus tickets that were used here in New Zealand were broken. To
quote Peter Gutmann's page:

"In October 1997 I broke the security of the smart cards used by the Yellow
Bus Company, Auckland's largest public transport organisation. These are
10-ride rechargeable cards that come in various forms (adult, child,
different numbers of fare stages, and so on). As it turns out the cards have
very little security, so that it's possible to recharge them or copy them
without too much effort (to test this I created a demo $50 test card that
was accepted by the reader as a normal bus pass). I informed the YBC of the
problem, and the story was covered in Computerworld New Zealand, 26 January
1998."

I beleive there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.

[...]

--
Michael Brown
www.emboss.co.nz : OOS/RSI software and more
Add michael@ to emboss.co.nz - My inbox is always open