London Transport (uk.transport.london) Discussion of all forms of transport in London.

#1
November 20th 03, 06:08 PM, posted to uk.transport.london
Security of Oyster Cards

Gareth Davis wrote:
sandy wrote:

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.


This is very worrying. If there isn't sufficient audit carried out to
spot this problem then they have not got a hope in hell of spotting
hacked Oyster cards. Automated processes should be trawling through
the reader events every day and flagging any cards with suspect
transactions. This will reduce the life of any hacked card to less
than 24 hours. The longer the period is between the checks then the
longer the period that a hacked card will be useful for. Apparently
this stands at one week and rising.

At least it is taking some money off of you though, which was better
than the older magnetic ticketing system which would under certain
circumstances open the barriers when fed an expired travelcard (I jest
not - Google has the details). Nice to see that Cubic have produced
another quality system with our millions.



I think that this isn't a security fault as such, but rather a
bug/"feature" of a system that hasn't become fully operational yet. I
do wonder why the bus oyster readers simply aren't set up to reject
prepay cards as the tube gate readers are.

--
-sandy
#2
November 20th 03, 11:23 PM, posted to uk.transport.london
Security of Oyster Cards

sandy wrote:
Gareth Davis wrote:
sandy wrote:

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.


This is very worrying. If there isn't sufficient audit carried out to
spot this problem then they have not got a hope in hell of spotting
hacked Oyster cards. Automated processes should be trawling through
the reader events every day and flagging any cards with suspect
transactions. This will reduce the life of any hacked card to less
than 24 hours. The longer the period is between the checks then the
longer the period that a hacked card will be useful for. Apparently
this stands at one week and rising.

At least it is taking some money off of you though, which was better
than the older magnetic ticketing system which would under certain
circumstances open the barriers when fed an expired travelcard (I jest
not - Google has the details). Nice to see that Cubic have produced
another quality system with our millions.



I think that this isn't a security fault as such, but rather a
bug/"feature" of a system that hasn't become fully operational yet. I
do wonder why the bus oyster readers simply aren't set up to reject
prepay cards as the tube gate readers are.


You managed to make journeys costing less than the minimum bus fare.
The SQL query against the database of card usage to report events like
that is trivial and given sufficiently powered servers hosting the
database should be completed in a very short time frame (i.e. minutes
if not seconds) using data from the previous day's card transactions.
The fact that simple (in programming terms) audits are not happening
suggests that the more complex stuff matching journeys with ticket
validity is also not happening. This does not bode well for the
future.

The more the MiFare cards are rolled out round the world then the
higher the return to be made from cracking them. Or to put it into
perspective, I think it is fair to say that more people will soon be
using the MiFare system each day in London alone than used the pay TV
system of ITV digital whose smart cards were hacked at great expense
(to the hackers).

I have not seen any evidence to suggest MiFare is (currently) insecure
but you always need more than one level of security, if not to guard
against malicious hacking then to guard against a cock up such as
setting a 1p fare for a bus journey when the minimum bus fare is 70p
(or 65p? with saver tickets).

--
Gareth Davis
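
The daily audit described in the post above, as an added example that is not part of the original thread: an SQL query, run here through Python's built-in sqlite3, that lists prepay cards charged less than the minimum bus fare on a given day. The `reader_events` table, its columns, the card IDs and the sample rows are all constructed assumptions; the 65p floor is the lower of the two fares mentioned in the post.

```python
import sqlite3

MIN_BUS_FARE_PENCE = 65  # lower of the two fares quoted in the thread (assumed floor)

# Constructed sample data: (card_id, product, reader_type, event_time, fare_pence)
EVENTS = [
    ("CARD-A", "prepay",     "bus",  "2003-11-19 08:10", 1),
    ("CARD-A", "prepay",     "bus",  "2003-11-19 18:40", 1),
    ("CARD-B", "prepay",     "bus",  "2003-11-19 09:00", 70),
    ("CARD-C", "prepay",     "bus",  "2003-11-19 12:30", 65),
    ("CARD-D", "prepay",     "tube", "2003-11-19 07:55", 0),   # not a bus reader
    ("CARD-A", "prepay",     "bus",  "2003-11-18 08:05", 1),   # belongs to the previous run
    ("CARD-E", "travelcard", "bus",  "2003-11-19 22:15", 0),   # season ticket: 0p is expected
    ("CARD-F", "prepay",     "bus",  "2003-11-19 23:50", 0),
]

# One row per card: how many under-charged bus boardings, and how much was lost.
AUDIT_SQL = """
SELECT card_id,
       COUNT(*)            AS suspect_events,
       SUM(? - fare_pence) AS shortfall_pence,
       MIN(event_time)     AS first_seen
FROM reader_events
WHERE reader_type = 'bus'
  AND product = 'prepay'
  AND fare_pence < ?
  AND date(event_time) = ?
GROUP BY card_id
ORDER BY shortfall_pence DESC, card_id
"""

def load(events):
    """Build an in-memory table of reader events (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reader_events (card_id TEXT, product TEXT, "
               "reader_type TEXT, event_time TEXT, fare_pence INTEGER)")
    db.executemany("INSERT INTO reader_events VALUES (?, ?, ?, ?, ?)", events)
    return db

def audit_day(db, day, min_fare=MIN_BUS_FARE_PENCE):
    """Return cards to review for `day` (YYYY-MM-DD), worst shortfall first."""
    return db.execute(AUDIT_SQL, (min_fare, min_fare, day)).fetchall()

if __name__ == "__main__":
    for row in audit_day(load(EVENTS), "2003-11-19"):
        print(row)
```

Run once a day against the previous day's events, the result is the list of cards to investigate or block, which is what bounds a bad card's useful life to about 24 hours.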

#3
November 21st 03, 09:56 AM, posted to uk.transport.london
Security of Oyster Cards

Gareth Davis wrote:

The more the MiFare cards are rolled out round the world then the
higher the return to be made from cracking them. Or to put it into
perspective, I think it is fair to say that more people will soon be
using the MiFare system each day in London alone than used the pay TV
system of ITV digital whose smart cards were hacked at great expense
(to the hackers).


The smartcard/encryption used by ITV digital was the SECA system developed
by CANAL+ and used widely throughout Europe on other pay-TV networks. Far
more people than the 1.1 million ITV digital subscribers stood to be able to
benefit from the system being cracked.

All times are GMT.
