London Transport (uk.transport.london) Discussion of all forms of transport in London.
#2
Security of Oyster Cards
(sandy) wrote in message . com...
> (Gareth Davis) wrote in message . com...
>> (sandy) wrote in message . com...
>>> I leave the station and decide to take a bus. It's a DOO bus so it has a card reader by the driver. I blip the card onto the reader, it lights up green, the driver acknowledges the fare and I make my journey. I go into another tube station to check what has happened on the card's journey history; bus fare deducted 1p, balance £2.49. I did the same again later that evening from my local tube station to home so the first journey was clearly not an isolated incident. This happened about a week ago and checking the journey history yesterday indicates that LU haven't adjusted the balance on the card to deduct the bus fares at their proper amount.
>>
>> This is very worrying. If there isn't sufficient audit carried out to spot this problem then they have not got a hope in hell of spotting hacked Oyster cards. Automated processes should be trawling through the reader events every day and flagging any cards with suspect transactions. This will reduce the life of any hacked card to less than 24 hours. The longer the period is between the checks then the longer the period that a hacked card will be useful for. Apparently this stands at one week and rising.
>>
>> At least it is taking some money off of you though, which was better than the older magnetic ticketing system which would under certain circumstances open the barriers when fed an expired travelcard (I jest not - Google has the details). Nice to see that Cubic have produced another quality system with our millions.
>
> I think that this isn't a security fault as such, but rather a bug/"feature" of a system that hasn't become fully operational yet. I do wonder why the bus oyster readers simply aren't set up to reject prepay cards as the tube gate readers are.

You managed to make a journey costing less than the minimum bus fare. The SQL query against the database of card usage to report events like that is trivial and given sufficiently powered servers hosting the database should be completed in a very short time frame (i.e. minutes if not seconds) using data from the previous day's card transactions. The fact that simple (in programming terms) audits are not happening suggests that the more complex stuff matching journeys with ticket validity is also not happening.

This does not bode well for the future. The more the MiFare cards are rolled out round the world then the higher the return to be made from cracking them. Or to put it into perspective, I think it is fair to say that more people will soon be using the MiFare system each day in London alone than used the pay TV system of ITV digital whose smart cards were hacked at great expense (to the hackers).

I have not seen any evidence to suggest MiFare is (currently) insecure but you always need more than one level of security, if not to guard against malicious hacking then to guard against a cock up such as setting a 1p fare for a bus journey when the minimum bus fare is 70p (or 65p? with saver tickets).

--
Gareth Davis
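The daily audit described in the post above, sketched as an added example that is not part of the original thread and not any real ticketing system's code. The schema, table and column names and the sample rows are assumptions constructed for illustration; the 70p minimum is the figure quoted in the post.

```python
import sqlite3

# Constructed schema: table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE min_fare (mode TEXT PRIMARY KEY, pence INTEGER NOT NULL);
CREATE TABLE reader_events (
    card_id TEXT, ts TEXT, mode TEXT, product TEXT, charged_pence INTEGER);
"""
# Constructed sample events (card ids, dates and times are made up).
SAMPLE_EVENTS = [
    ("card-A", "2004-02-10 08:15:00", "bus", "prepay", 1),
    ("card-A", "2004-02-10 18:40:00", "bus", "prepay", 1),
    ("card-B", "2004-02-10 09:00:00", "bus", "prepay", 70),
    ("card-C", "2004-02-10 09:05:00", "bus", "travelcard", 0),
    ("card-D", "2004-02-09 23:50:00", "bus", "prepay", 1),
]

# Prepay charges below the mode's minimum fare on one day, grouped per card.
# Season-ticket validations (charged 0 by design) are excluded by product.
AUDIT_SQL = """
SELECT e.card_id, COUNT(*) AS events,
       SUM(m.pence - e.charged_pence) AS shortfall_pence
FROM reader_events e JOIN min_fare m ON m.mode = e.mode
WHERE e.product = 'prepay'
  AND e.ts >= ? AND e.ts < date(?, '+1 day')
  AND e.charged_pence < m.pence
GROUP BY e.card_id
ORDER BY shortfall_pence DESC, e.card_id
"""

def build_db(events=SAMPLE_EVENTS):
    """Load the constructed events into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO min_fare VALUES ('bus', 70)")
    db.executemany("INSERT INTO reader_events VALUES (?,?,?,?,?)", events)
    return db

def undercharged_cards(db, day):
    """Return (card_id, events, shortfall_pence) for one day, 'YYYY-MM-DD'."""
    return db.execute(AUDIT_SQL, (day, day)).fetchall()

if __name__ == "__main__":
    for row in undercharged_cards(build_db(), "2004-02-10"):
        print(row)
```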
#3
Security of Oyster Cards
Gareth Davis wrote:
> The more the MiFare cards are rolled out round the world then the higher the return to be made from cracking them. Or to put it into perspective, I think it is fair to say that more people will soon be using the MiFare system each day in London alone than used the pay TV system of ITV digital whose smart cards were hacked at great expense (to the hackers).

The smartcard/encryption used by ITV digital was the SECA system developed by CANAL+ and used widely throughout Europe on other pay-TV networks. Far more people than the 1.1 million ITV digital subscribers stood to be able to benefit from the system being cracked.