Old July 23rd 08, 08:35 AM posted to uk.transport.london
google@woodall.me.uk[_2_]

Oyster card hack

On Jul 22, 8:36 pm, (Neil Williams) wrote:
> On Tue, 22 Jul 2008 02:24:31 -0700 (PDT), " wrote:
> > The easiest exploit is going to be when a few people get together to
> > exploit the cap. Assuming that only one person uses the card at a time
> > then AFAIAA technically they're not breaking the rules so long as they
> > actually exchange the card. Cloning allows them to skip the need to
> > physically swap the card but can be detected if the card is used at
> > two remote stations too quickly.
>
> Er, that wouldn't work for capping as the data to perform the cap
> would be stored on the card, surely, and just occasionally sent back
> to a central server to ensure it hadn't been messed with?

I'm assuming they can add the necessary journey history to the cards
to keep them in sync.

> The most likely clone job would be something like topping an
> unregistered PAYG card up with 50 quid then making 10 copies of it.

But that's going to get flagged at the end of the day when everything
is reconciled - even assuming that multiple cards on the system with
the same serial number don't already flag things up sooner than that.

So the best hope along those lines is to take a card with just enough
money to reach the cap, clone it multiple times and then throw the
cards away at the end of the day.

Another possibility is people claiming to be tourists selling their
now finished with Oyster cards for a discount[1]. "I've still got 20
pounds left on my card. I'll sell it to you for a tenner" sort of
thing. They only need to be able to fool the top up/journey history
machine once to pull that off.

Tim.

[1] The fact that tourists can't get their money and deposit back
straight away if they've used both cash and a credit card to top up
the card means I'm sure this is a common genuine situation. TfL
haven't worked out that sending a GBP cheque several weeks later isn't
very useful.
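
The two detection points raised in this post (one serial seen at two remote stations too quickly, and the end-of-day reconciliation) can be sketched as a back-office check. This is an added example, not part of the original post and not TfL's system; the record layout, the minimum travel time and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample taps: (card_serial, minutes_since_midnight, station, fare_pence)
TAPS = [
    ("A1", 480, "Uxbridge", 400),
    ("A1", 500, "Upminster", 400),   # 20 minutes after a tap at the far end of the network
    ("A1", 700, "Upminster", 400),
    ("B2", 480, "Uxbridge", 400),
    ("B2", 600, "Upminster", 400),   # 120 minutes later: plausible for one card
]
# Assumed minimum journey time in minutes between station pairs (hypothetical value)
MIN_TRAVEL = {frozenset(("Uxbridge", "Upminster")): 90}
# Constructed top-up totals per serial, in pence, as recorded by the back office
LOADED = {"A1": 1000, "B2": 2000}


def impossible_travel(taps, min_travel):
    """Flag serials tapped at two different stations faster than the
    minimum journey time, which suggests two physical cards share a serial."""
    by_card = defaultdict(list)
    for serial, minute, station, _fare in taps:
        by_card[serial].append((minute, station))
    flagged = {}
    for serial, events in by_card.items():
        events.sort()
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            need = min_travel.get(frozenset((s1, s2)), 0)  # unknown pair: no limit
            if s1 != s2 and t2 - t1 < need:
                flagged.setdefault(serial, []).append((s1, t1, s2, t2))
    return flagged


def overspent(taps, loaded):
    """End-of-day reconciliation: serials whose total fares charged exceed
    the value ever loaded onto them, with the excess in pence."""
    spent = defaultdict(int)
    for serial, _minute, _station, fare in taps:
        spent[serial] += fare
    return {s: spent[s] - loaded.get(s, 0)
            for s in spent if spent[s] > loaded.get(s, 0)}


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(TAPS, MIN_TRAVEL))
    print("overspent at reconciliation:", overspent(TAPS, LOADED))
```
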