London Transport (uk.transport.london) Discussion of all forms of transport in London.
#32
(sandy) wrote in message . com...
(Gareth Davis) wrote in message . com... (sandy) wrote in message . com... I leave the station and decide to take a bus. It's a DOO bus so it has a card reader by the driver. I blip the card onto the reader, it lights up green, the driver acknowledges the fare and I make my journey. I go into another tube station to check what has happened on the card's journey history; bus fare deducted 1p, balance £2.49. I did the same again later that evening from my local tube station to home so the first journey was clearly not an isolated incident. This happened about a week ago and checking the journey history yesterday indicates that LU haven't adjusted the balance on the card to deduct the bus fares at their proper amount. This is very worrying. If there isn't sufficient audit carried out to spot this problem then they have not got a hope in hell of spotting hacked Oyster cards. Automated processes should be trawling through the reader events every day and flagging any cards with suspect transactions. This will reduce the life of any hacked card to less than 24 hours. The longer the period is between the checks then the longer the period that a hacked card will be useful for. Apparently this stands at one week and rising. At least it is taking some money off of you though, which was better than the older magnetic ticketing system which would under certain circumstances open the barriers when fed an expired travelcard (I jest not - Google has the details). Nice to see that Cubic have produced another quality system with our millions. I think that this isn't a security fault as such, but rather a bug/"feature" of a system that hasn't become fully operational yet. I do wonder why the bus oyster readers simply aren't set up to reject prepay cards as the tube gate readers are. You managed to make a journey costing less than the minimum bus fare.
The SQL query against the database of card usage to report events like that is trivial and given sufficiently powered servers hosting the database should be completed in a very short time frame (i.e. minutes if not seconds) using data from the previous day's card transactions. The fact that simple (in programming terms) audits are not happening suggests that the more complex stuff matching journeys with ticket validity is also not happening. This does not bode well for the future. The more the MiFare cards are rolled out round the world then the higher the return to be made from cracking them. Or to put it into perspective, I think it is fair to say that more people will soon be using the MiFare system each day in London alone than used the pay TV system of ITV digital whose smart cards were hacked at great expense (to the hackers). I have not seen any evidence to suggest MiFare is (currently) insecure but you always need more than one level of security, if not to guard against malicious hacking then to guard against a cock up such as setting a 1p fare for a bus journey when the minimum bus fare is 70p (or 65p? with saver tickets). -- Gareth Davis
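The daily audit described in the post above, sketched as an added example that is not part of the original thread or of any TfL or Cubic system. The table layout, column names, card IDs and dates are constructed assumptions; only the 1p charge and the 70p minimum bus fare come from the post.

```python
import sqlite3

# Hypothetical schema: one row per reader event, fares in pence.
SCHEMA = """
CREATE TABLE min_fare (mode TEXT PRIMARY KEY, min_pence INTEGER NOT NULL);
CREATE TABLE reader_event (
    card_id TEXT NOT NULL, mode TEXT NOT NULL, ticket_type TEXT NOT NULL,
    charged_pence INTEGER NOT NULL, event_date TEXT NOT NULL);
"""

# Prepay charges below the mode's minimum fare on the audited day, per card.
AUDIT_SQL = """
SELECT e.card_id,
       COUNT(*)                           AS suspect_events,
       SUM(m.min_pence - e.charged_pence) AS shortfall_pence
FROM reader_event AS e
JOIN min_fare AS m ON m.mode = e.mode
WHERE e.event_date = ?
  AND e.ticket_type = 'prepay'
  AND e.charged_pence < m.min_pence
GROUP BY e.card_id
ORDER BY shortfall_pence DESC
"""

def build_sample_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO min_fare VALUES ('bus', 70)")  # 70p minimum from the post
    db.executemany("INSERT INTO reader_event VALUES (?, ?, ?, ?, ?)", [
        ("CARD-A", "bus", "prepay", 1, "2003-11-20"),      # the 1p fare described
        ("CARD-A", "bus", "prepay", 1, "2003-11-20"),      # same card, later that day
        ("CARD-B", "bus", "prepay", 70, "2003-11-20"),     # correct fare, not flagged
        ("CARD-C", "bus", "travelcard", 0, "2003-11-20"),  # season ticket, no charge due
        ("CARD-D", "bus", "prepay", 1, "2003-11-19"),      # outside the audited day
    ])
    return db

def audit_day(db, day):
    """Return (card_id, suspect_events, shortfall_pence) for each flagged card."""
    return db.execute(AUDIT_SQL, (day,)).fetchall()

if __name__ == "__main__":
    for row in audit_day(build_sample_db(), "2003-11-20"):
        print(row)
```

Restricting the check to prepay events keeps season-ticket taps, which legitimately charge nothing, out of the report.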
#33
Richard J. wrote
Peter Fairbrother wrote: Oyster cards have a few unexpected security risks - people tend to keep them in their wallets, and take their wallets out of their pockets to wave over the reader. Gives pickpockets a chance to eye up the wallet, and learn where its owner keeps it, and it gives thugs the chance/ inspiration to grab the wallet and run. Unexpected? Why is that any different from the situation with old-style mag-stripe season tickets? Are you suggesting that people who keep their Oyster in their wallet didn't keep their old season tickets there? To quote RP on another list: "However, you still have to get your wallet out, as the range is reportedly not enough otherwise. I'd rather *not* take my wallet out in a place like Kings Cross, and so I always keep my paper ticket in the breast pocket of my shirt - where it's really easy to take out and use." Personally, I keep them in my left trousers back pocket. -- Peter Fairbrother
#34
Gareth Davis wrote:
The more the MiFare cards are rolled out round the world then the higher the return to be made from cracking them. Or to put it into perspective, I think it is fair to say that more people will soon be using the MiFare system each day in London alone than used the pay TV system of ITV digital whose smart cards were hacked at great expense (to the hackers). The smartcard/encryption used by ITV digital was the SECA system developed by CANAL+ and used widely throughout Europe on other pay-TV networks. Far more people than the 1.1 million ITV digital subscribers stood to be able to benefit from the system being cracked.
#35
Martin Rich typed
There aren't any BT phonecards (at least in the sense of cards that you load value onto and put in a public phone) any more. However the first generation of BT phone cards were reputed to be very easy to hack - this sounds like why Aren't there? What became of 'phonecard plus'? -- Helen D. Vecht: Edgware.
#36
"Ernst Lippe" wrote in message ...
Even though there are some possible attacks, in general it is very difficult to extract those keys from the smart card. No it isn't. You rip the lid off the chip and put the EEPROM under a special microscope. I forget the actual technique used but it's been done. Admittedly it's way out of the league of your one man operation but don't think that professional fraud gangs aren't able to do it. Companies always expect the software attack but they never think of the hardware attack. If you can physically read the transistor/capacitor values then you can get the data out and given that the memory in most of these cards is only a few kilobytes this wouldn't take too long. Even encrypting the data is a waste of time since even if the fraudster doesn't understand what he's seeing he can still make exact copies of it onto operationally identical hardware (ie duplicate the cards). Of course whether a duplicated card or any data extracted from it is any use is another question. B2003
#38
On Fri, 21 Nov 2003 12:41:45 GMT, Helen Deborah Vecht
wrote: Martin Rich typed There aren't any BT phonecards (at least in the sense of cards that you load value onto and put in a public phone) any more. However the first generation of BT phone cards were reputed to be very easy to hack - this sounds like why Aren't there? What became of 'phonecard plus'? My source is http://www.payphones.bt.com/2001/pho...s/prepaid.html - this does talk about various dates in April and September 2003 in the future tense, so it may not be completely authoritative (if you see what I mean) Martin
#39
On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote: Oyster cards have a few unexpected security risks - people tend to keep them in their wallets, and take their wallets out of their pockets to wave over the reader. Gives pickpockets a chance to eye up the wallet, and learn where its owner keeps it, and it gives thugs the chance/ inspiration to grab the wallet and run. Well, I keep mine in the cardholder that came with it. It's exactly the same as the Travelcard holder except for different colours and the Oyster logos. My wallet stays in my trousers, where it belongs. The privacy implications aren't good either. All card usage is tracked offline, to prevent use by multiple people, and usage records stored for that purpose. The Police etc can ask for them (and may soon become able to demand them, but that's another story) and use them to track your movements. This may be a difficulty. With Blunkett wanting to keep an eye on us 24 hours a day, we may have to call the Government on this one. The card itself keeps a record of the last three trips, I'm told. I wonder if, under freedom of information rules, we might be able to demand a record of what information TfL has on where we've been. -- Chris Hansen | chrishansenhome at btinternet dot com
#40
On Sat, 22 Nov 2003 10:09:09 +0000 (UTC), Christian Hansen
wrote: On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother wrote: Oyster cards have a few unexpected security risks - people tend to keep them in their wallets, and take their wallets out of their pockets to wave over the reader. Gives pickpockets a chance to eye up the wallet, and learn where its owner keeps it, and it gives thugs the chance/ inspiration to grab the wallet and run. Well, I keep mine in the cardholder that came with it. It's exactly the same as the Travelcard holder except for different colours and the Oyster logos. My wallet stays in my trousers, where it belongs. The privacy implications aren't good either. All card usage is tracked offline, to prevent use by multiple people, and usage records stored for that purpose. The Police etc can ask for them (and may soon become able to demand them, but that's another story) and use them to track your movements. This may be a difficulty. With Blunkett wanting to keep an eye on us 24 hours a day, we may have to call the Government on this one. The card itself keeps a record of the last three trips, I'm told. I wonder if, under freedom of information rules, we might be able to demand a record of what information TfL has on where we've been. The card has more than the last three trips. Have a look on the touch screen machines at Tube stations (have a look on the 'View Oyster Card Usage'). Try the Data Protection Act. Yes, I'm pretty sure you'd be entitled to a record of details held by TfL. Why not check with them? Rob. -- rob at robertwoolley dot co dot uk