November 19th 03, 02:29 PM, posted to uk.transport.london, alt.2600, sci.crypt
Ernst Lippe
Security of Oyster Cards

On Wed, 19 Nov 2003 18:07:40 +1300, Michael Brown wrote:

> Ernst Lippe wrote:
>> On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:
>>
>>> I am interested in the mechanics of these cards, which are smart
>>> cards for use on London's transport system. One would hope given the
>>> reported £1billion+ that they are secure.
>>
>> [...]
>> I expect that this system should be fairly secure, breaking smart
>> cards is certainly not trivial. Smart cards have been used for quite
>> some time, e.g. as electronic purses, in several countries and as far
>> as I know there have not been any major attacks against the smart
>> cards themselves.
>
> It's not a particularly smart card, and it is kinda old news, but the
> electronic bus tickets that were used here in New Zealand were broken. To
> quote Peter Gutmann's page:
>
> "In October 1997 I broke the security of the smart cards used by the Yellow
> Bus Company, Auckland's largest public transport organisation. These are
> 10-ride rechargeable cards that come in various forms (adult, child,
> different numbers of fare stages, and so on). As it turns out the cards have
> very little security, so that it's possible to recharge them or copy them
> without too much effort (to test this I created a demo $50 test card that
> was accepted by the reader as a normal bus pass). I informed the YBC of the
> problem, and the story was covered in Computerworld New Zealand, 26 January
> 1998.


Those cards were not real smartcards, they were simply memory cards, that
do not contain any cryptographical keys and that generally are quite
easy to duplicate. The distinction between memory cards and smartcards
is very important from a security point of view. The oystercards are
(simple) smartcards and simple duplication attacks should not work.


> I believe there was a similar attack developed against the Telecom
> phone-call cards, though I can't find any details of it so quite possibly it
> was just my imagination.


All disposable phone-call cards, that I know, are memory-cards (not
full-blown smart-cards). They have been counterfeited quite
frequently, and most telephone companies upgrade to new card types at
regular intervals. In general, this is not a very serious problem because
the risk is quite manageable, just like fraud with credit cards.

greetings,

Ernst Lippe