November 20th 03, 06:45 AM, posted to uk.transport.london, alt.2600, sci.crypt
Martin Rich
Security of Oyster Cards

On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote:

Michael Brown wrote


I believe there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.


At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with eg a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.


There aren't any BT phonecards (at least in the sense of cards that
you load value onto and put in a public phone) any more. However the
first generation of BT phone cards were reputed to be very easy to
hack - this sounds like why.



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/inspiration to grab the
wallet and run.


Good point that the risks often have as much, or more, to do with
users' behaviour than the technical characteristics of the card.
Though in practice do people keep their Oyster cards in their wallet?
I keep mine in a separate wallet with my photocard, which is how I've
carried my travelcard for years. The wallet with my cash and credit
cards is separate, but of course it comes out when I want to buy a
paper and a cup of coffee before I get on my train or bus.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose.


Again (and I'm aware this is controversial) I'm not convinced it's a
big deal. Given the extent to which, in my case, Vodafone and Lloyds
TSB can already track my movements, and that TfL is only monitoring my
movements in terms of my use of their services, then I can't get
worried about TfL having a record of my Oyster use.

The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


OK - but that's an issue with whether the police have excessive
powers, not specifically an issue with Oyster. In any case plastic
cards tend to fall out of pockets, get stolen, and, however good the
security, will eventually get cloned: all reasons why a plastic card
being in a particular place isn't very strong evidence that its owner
was in a particular place.

Martin