London Banter


Matthew November 18th 03 10:47 AM

Security of Oyster Cards
 
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID

According to http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and
store information, and an aerial. When the card is touched to the
cardreader, power flows through the aerial and information moves from
the card to the reader and back again. Communication between the card
and reader is by radio signals and takes less than a fifth of a
second.

Once issued, Oyster cards can be topped up to meet the travel needs of
each customer. This can be done at the upgraded ticket machines in
stations, at any of the local ticket outlets or at a station ticket
office. The ability for customers to purchase and top up smartcards
away from the station i.e. internet and telesales are being developed
for introduction next year.

Individual members of the TranSys consortium have successfully
installed, operated or are developing similar systems around the
world, including in San Francisco, Los Angeles and Hong Kong and
therefore can use their experience to build and maintain a world class
system for London.

Smartcards are amongst the most secure ways to store information and
users of Oyster can be confident of the security of the data on their
card. Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.

----

I don't know if the mechanics of this system are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

I can see potentially two (or three) ways of doing this system:

using a globally unique identifier - a unique ID on the card. All
information is stored on London Transport's servers. When a card is
used, radio contact is made to the central server to find what value
is remaining on the card.

I don't believe that this is the case. Considering the large number of
readers (handheld, fitted to buses and underground gates), and the
speed of operation, this doesn't seem feasible. The only security
problem I can see with this method, assuming it is in use, is cloning:
e.g., cloning an annual travel card (value up to £2500). This could be
detected fairly easily, in that I assume that the train readers store
information, which is regularly analyzed to detect fraudulent
activity.

secondly: using encrypted information stored on the card as to what
the card's capabilities (e.g., 1 month bus pass, expiring 20th
November, valid zones 1-4). Some kind of public/private key would work
well here, in that the public key would not be kept secure.

The problem with this is that the cards are reusable, and have some
kind of recharge functionality. This means that a potentially large
number of devices would have to have the ability to modify the
information. It also doesn't really handle the question of how the
promised ability to renew online will function.

This appears to be implied from the fact that the blurb states that
there is a private key technology at work 'known only to the device
readers'. Given that there are thousands of these readers fitted to
every bus, train station, and possibly some other forms of transport
as well, how secure can something equipped to thousands of devices be;
if the system can be cracked, you can be sure that it will be worth
someone's while to do so.

thirdly: a combination of the two: the cards do appear to have some
kind of unique identifier, as it is possible to enter your id number
into their website, which is linked to your details. This does not
preclude them from storing validity information as well, for the
benefit of devices that are not connected up to the central database.


Any insights better than mine into how the system works, and where
vulnerabilities lie would be welcomed.

Thanks

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.

Ernst Lippe November 18th 03 02:32 PM

Security of Oyster Cards
 
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID
very large snip


Given the fact that these cards are smart cards, I believe
that your speculations are wrong. I could not find any
technical information about the card, but I have some
experience with smart cards, so here are my speculations.

The system is probably based on conventional secret key encryption, I
would not be surprised if it simply uses single DES. The oyster card
would contain several cryptographical keys. For example, it will
contain a key that is used to write info about the card capabilities.
You will need that key to be able to update the info on the card. The
card will also contain some authentication key that readers will use
to verify that it is a valid card. Card authentication will use some
challenge-response protocol, where the reader will generate a random
challenge and the card should return the value of this challenge
encrypted with the authentication key. Again, you will need to
have this key in order to convince the card readers.

Even though there are some possible attacks, in general it is very
difficult to extract those keys from the smart card.

The next problem is, how do these readers work? In order to
authenticate the card they will also need the same authentication keys
that the card has. Every reader has a SAM (Security Access Module)
that securely holds these keys, in most cases the SAM is just another
type of smart card. What basically happens is that the SAM and the
oyster card will engage in some end-to-end secure communication
protocol, after which the SAM will tell the reader if the card was OK
or not. The SAM will not be able to encrypt external data with the
authentication key, otherwise it could be used to imitate the
oyster cards. So even when you steal a SAM, it is of little use, you can
only use it to read and validate other oyster cards.

The keys for updating the oyster cards are not available on the SAM for
the normal card readers. It is very likely that they are only stored
in some secure central location and that all places where you can
update the card will have to communicate with this central
location. Again, this will be an end-to-end secure protocol between the
oyster card and the central location.

Another trick that is likely to be used is key diversification. The
keys for a specific card are derived from some master key in such a way
that they are unique for this card, e.g. the card authentication key for
a card is probably derived from a master authentication key by
encrypting the card id with the master authentication key. In this
way, even when one card is cracked, you still don't have the keys for
the other cards.

I expect that this system should be fairly secure, breaking smart cards
is certainly not trivial. Smart cards have been used for quite some
time, e.g. as electronic purses, in several countries and as far as I
know there have not been any major attacks against the smart cards
themselves.

BTW, one of the major reasons that many public transportation
institutions are highly interested in smart cards is that it will give
them a wealth of information about the travel patterns of their
customers, which they don't have now.

greetings,

Ernst Lippe
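
An added example, not part of Ernst Lippe's post and not Oyster or MIFARE code: the challenge-response check and key diversification that the post above speculates about, as a Python sketch. HMAC-SHA-256 from the standard library stands in for the single DES the post guesses at, and the class names, card ids and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed function standing in for the block cipher the post speculates about."""
    return hmac.new(key, data, hashlib.sha256).digest()


def diversify(master_key: bytes, card_id: bytes) -> bytes:
    """Key diversification: per-card key = PRF(master key, card id)."""
    return prf(master_key, b"card-auth|" + card_id)


class Card:
    """Holds only its own diversified key, never the master key."""

    def __init__(self, card_id: bytes, auth_key: bytes):
        self.card_id = card_id
        self._auth_key = auth_key

    def respond(self, challenge: bytes) -> bytes:
        return prf(self._auth_key, challenge)


class Sam:
    """Reader-side module: holds the master key and only ever answers yes or no."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        # Each challenge is single-use, so a recorded exchange cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = prf(diversify(self._master_key, card_id), challenge)
        return hmac.compare_digest(expected, response)


def authenticate(sam: Sam, card: Card) -> bool:
    """One full exchange: SAM issues a challenge, card answers, SAM checks."""
    challenge = sam.new_challenge()
    return sam.verify(card.card_id, challenge, card.respond(challenge))


def run_scenarios() -> dict:
    master = secrets.token_bytes(32)         # constructed sample key
    sam = Sam(master)
    id_a, id_b = b"CARD-0001", b"CARD-0002"  # constructed sample card ids
    card_a = Card(id_a, diversify(master, id_a))
    card_b = Card(id_b, diversify(master, id_b))

    # Knowing card A's key does not help with card B: the SAM derives
    # B's key from B's id, so A's key presented under B's id is rejected.
    key_a_under_id_b = Card(id_b, diversify(master, id_a))

    # A challenge/response pair the SAM has already consumed is rejected.
    challenge = sam.new_challenge()
    response = card_a.respond(challenge)
    first_use = sam.verify(id_a, challenge, response)
    replay = sam.verify(id_a, challenge, response)

    return {
        "genuine_a": authenticate(sam, card_a),
        "genuine_b": authenticate(sam, card_b),
        "key_a_as_card_b": authenticate(sam, key_a_under_id_b),
        "first_use": first_use,
        "replay": replay,
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The `Sam` class exposes no method that returns a value computed with a card key, which mirrors the post's point that a stolen SAM can validate cards but cannot imitate one.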


John Hadstate November 18th 03 02:42 PM

Security of Oyster Cards
 
(Matthew) wrote in message . com...
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.


Smartcards are amongst the most secure ways to store information and
users of Oyster can be confident of the security of the data on their
card.


Says who?

Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


All of the above adds up to a classic case of "security by obscurity."
This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.

Mok-Kong Shen November 18th 03 02:55 PM

Security of Oyster Cards
 


John Hadstate wrote:

(Matthew) wrote in message
Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


All of the above adds up to a classic case of "security by obscurity."
This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.


On the other hand, if the cost/risk of analysis is
sufficiently high, there would be 'practical' security,
I suppose. (Actually, banknotes are similar in this
respect, I believe. There are sayings, though, that
the techniques/knowhow of the fraudsters are now quite
comparable to those of the governments in making
banknotes.)

M. K. Shen

Volker Hetzer November 18th 03 03:16 PM

Security of Oyster Cards
 

"Mok-Kong Shen" wrote in message ...


John Hadstate wrote:

(Matthew) wrote in message
Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


All of the above adds up to a classic case of "security by obscurity."
This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.


On the other hand, if the cost/risk of analysis is
sufficiently high, there would be 'practical' security,
I suppose. (Actually, banknotes are similar in this
respect, I believe. There are sayings, though, that
the techniques/knowhow of the fraudsters are now quite
comparable to those of the governments in making
banknotes.)

Actually, today banknotes aren't naively stuffed with anti-forgery-features
but the idea is to make it unprofitable to fake a banknote in a small-scale
production. So, a forger is forced to go large-scale which in turn is easily
detectable (duplicate serial numbers or unexplainable inflation for instance)
and which also justifies a large-scale counteraction to find and disable him.

Lots of Greetings!
Volker

David Walters November 18th 03 03:27 PM

Security of Oyster Cards
 
On 18 Nov 2003 16:13:18 GMT, Huge wrote:
The hardware is a Philips MIFARE card.

http://www.nationalsmartcard.com.au/news.cfm?newsid=128


That page says "The Oyster card has attracted widespread criticism
in the UK press over the alleged incompatibility of the card with
a similar scheme being developed by the UK's national rail network.".

What is this rival system? It's the first I've heard about it.

Phil Carmody November 18th 03 04:30 PM

Security of Oyster Cards
 
(Matthew) writes:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID

According to
http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and
store information, and an aerial. When the card is touched to the
cardreader, power flows through the aerial and information moves from
the card to the reader and back again. Communication between the card
and reader is by radio signals and takes less than a fifth of a
second.


If these cards are what have been introduced in Espoo/Helsinki/Vantaa
over the last year or so, then the above is theoretical nonsense.
As a regular bus user I can honestly say that the new cards make
embarkation massively slower than the old 'punch-card' tickets.

Old method : click-click - half a second
New method : wave. nothing. press. nothing. hold. nothing. give to
friend - he holds it against the sensor. nothing. give
back to original person and hold it near the sensor.
beeeep! - 5 seconds or so.

If you've got exact change, then cash is quicker than the cards.
I've seen some people even give up and eventually just pay in cash!

Sorry, no cryptographic insight, but simply an IMHO of why the
things should be burnt and their inventor publicly flogged, hehehe.

Phil

--
Unpatched IE vulnerability: ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: http://ip3e83566f.speed.planet.nl/eeye.html
(but unrelated to the EEye exploit)

Paul Corfield November 18th 03 05:50 PM

Security of Oyster Cards
 
On 18 Nov 2003 03:47:35 -0800, (Matthew) wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[snip]
I don't know if the mechanics of this system are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

[snip]

I can see potentially two (or three) ways of doing this system:

[snip]
Any insights better than mine into how the system works, and where
vulnerabilities lie would be welcomed.


Out of curiosity why do you wish to know?

As one of the people who wrote the spec for Prestige (but not to the
technical level of detail you are enquiring about) I am somewhat
concerned. Perhaps you can enlighten me as to your motives?

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.


So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.
--
Paul C
Admits to Working for London Underground!


Kat November 18th 03 06:02 PM

Security of Oyster Cards
 
In message , Paul Corfield
writes

So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.


But any travelcard covers buses in any zone. And, next year there will
only be one bus zone anyway....
At an LU station he'd get a 57 which would tell him nothing except the
brand of a well known tinned food manufacturer...
(And a request to pay the difference, of course)
--
Kat Women and cats will do as they please, and men and dogs should relax

and get used to the idea - Robert A. Heinlein



Ernst Lippe November 18th 03 06:40 PM

Security of Oyster Cards
 
On Tue, 18 Nov 2003 07:42:09 +0000, John Hadstate wrote:

(Matthew) wrote in message . com...
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.


Smartcards are amongst the most secure ways to store information and
users of Oyster can be confident of the security of the data on their
card.


Says who?


Of course, this was a quote from either the transport company, who
spent a lot of money on this and is therefore convinced that it must
be secure or from the manufacturer that certainly will not make much money
by selling insecure products.

Nevertheless, I think that the statement that smart cards are one of the
most secure ways to store information is basically correct.


Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


All of the above adds up to a classic case of "security by obscurity."


It might, when they have let some incompetent persons design the
system. On the other hand, virtually all companies are highly
secretive about their security measures, but this does not necessarily
imply that these measures are inadequate.

This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.


Smartcard companies have employed some very competent people. For
example, one of the main designers of the electronic smart card purse,
that we use here, was Joan Daemen (also responsible for Rijndael).

Smartcards are basically dedicated crypto engines, and you can use
them to build very secure systems (and yes you can also use them
to build insecure systems). Just like other forms of cryptography
smartcards are generally the strongest part of the system, and
most attackers will simply try to attack the other parts.

greetings,

Ernst Lippe



Kai November 18th 03 06:54 PM

Security of Oyster Cards
 

"Matthew" wrote in message
om...
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.


This is funny: "Because the Oyster card is contactless, customers only need
to touch the cardreaders with their Oyster cards as they pass through ticket
gates at London Underground or National Rail stations or board a bus. "

If they are contactless, then why do the customers need touch the
cardreaders? :)

Here's a bit of info on the cards themselves:
http://rapidttp.com/transponder/presre13.html

I have one similar (dumb card) produced by honeywell for my work badge. It
simply contains an eprom with an embedded code, which is activated when
swiped near a transponder containing an EM field. The transponder reads the
code, sends the information to a computer which then decides whether or not
to unlock the door. (Oddly enough I have no physical access to the
mainframe. Probably a good idea.)

I read recently that Philips - who makes the Oyster card - is going to roll
these out in a massive scale in China for transportation purposes.

K (Smile, you're happy now.)



Mike Harrison November 18th 03 07:21 PM

Security of Oyster Cards
 
On Tue, 18 Nov 2003 18:50:53 +0000, Paul Corfield wrote:

On 18 Nov 2003 03:47:35 -0800, (Matthew) wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[snip]
I don't know if the mechanics of this system are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

[snip]

I can see potentially two (or three) ways of doing this system:

[snip]
Any insights better than mine into how the system works, and where
vulnerabilities lie would be welcomed.


...and more importantly, what strategies have been built into the system to cope when (not if) they
are hacked. Anyone designing a system on the assumption that it is totally secure is a fool, although
can we expect any better from the morons who run most things in the UK?





Dave Newt November 18th 03 08:21 PM

Security of Oyster Cards
 


Kai wrote:

"Matthew" wrote in message
om...
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.


This is funny: "Because the Oyster card is contactless, customers only need
to touch the cardreaders with their Oyster cards as they pass through ticket
gates at London Underground or National Rail stations or board a bus. "

If they are contactless, then why do the customers need touch the
cardreaders? :)


They originally said you could keep it in your pocket and sail through
the gates, but you can't! So they then changed it to the above wording.

However, you can leave it in your bag and wave your bag over the reader
(I have done it).

I think they are just overstating the case so that people don't hold it
six inches above the reader and then complain that it doesn't work.

Kat November 18th 03 08:32 PM

Security of Oyster Cards
 
In message , Dave Newt
writes


Kai wrote:

"Matthew" wrote in message
om...
I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.


This is funny: "Because the Oyster card is contactless, customers only need
to touch the cardreaders with their Oyster cards as they pass through ticket
gates at London Underground or National Rail stations or board a bus. "

If they are contactless, then why do the customers need touch the
cardreaders? :)


They originally said you could keep it in your pocket and sail through
the gates, but you can't! So they then changed it to the above wording.

However, you can leave it in your bag and wave your bag over the reader
(I have done it).

I think they are just overstating the case so that people don't hold it
six inches above the reader and then complain that it doesn't work.


Sometimes just waving it over the reader doesn't work; you may have been
lucky. From my observation and experience, some readers are more
sensitive than others.
--
Kat Women and cats will do as they please, and men and dogs should relax

and get used to the idea - Robert A. Heinlein



Gareth Davis November 18th 03 08:40 PM

Security of Oyster Cards
 
Mok-Kong Shen wrote in message ...
John Hadstate wrote:

(Matthew) wrote in message
Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


If memory serves the system is based on the Philips MiFare system
which you can read all about (including the 3 pass authentication
procedure) at:
http://www.semiconductors.philips.co...sheets/#mifare

The key length in use is 48 bits per sector of the card, given the
fastest that the select and authentication phase can be completed in
is 5ms then it would take over 44.5 thousand years to try all the
combinations. And this would only grant you access to a single part of
the card. I would expect several sectors to be used in practise,
perhaps split up between ticket types and stored payment uses.

Direct attack on the cards is clearly out of the question, since all
the cards should (I say should, given the vulnerability that used to
be present in the old magnetic ticketing system I would not put it
past Cubic to screw it up again) have different keys programmed onto
them, then attacking multiple cards at the same time is a pointless
exercise - unless you were lucky to get a card with a key near the
beginning of your test range.

We already know that the system 'trusts' the content of the card and
there is no live database link available to all of the readers,
otherwise we would not have to 'collect' tickets purchased online from
a designated gateline. Giving everything a live link would be
prohibitively expensive (mobile and handheld units are in use on
moving vehicles that may be underground) and would only ever be
required if the keys were broken. However if the keys are broken and
cards rewritten then I do not see how the system can detect it. Other
than perhaps some kind of off line database crawling process looking
for anomalies.


All of the above adds up to a classic case of "security by obscurity."
This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.


I believe the card interface system is fairly secure on paper, the
question is how secure is the rest of the infrastructure around it? I
would expect the keys to leak out of the staff that designed the
system before they are cracked, or the website backend to be hacked to
start issuing recharge requests without payment. Even if the keys were
broken they can be rewritten on the cards making the whole system
secure again, although the amount of time it would take to rewrite all
the cards may be vast, certainly not an overnight fix - but could be
done quietly without anyone having to own up to the problem. Also once
a suspect card gets a cancel request raised against it then I would expect all
mobile terminals to know about it within hours (as soon as they are
docked next). Overall I believe the system does have good potential to
recover from a compromise BUT it has to be noticed first.


On the other hand, if the cost/risk of analysis is
sufficiently high, there would be 'practical' security,
I suppose. (Actually, banknotes are similar in this
respect, I believe. There are sayings, though, that
the techniques/knowhow of the fraudsters are now quite
comparable to those of the governments in making
banknotes.)

M. K. Shen


The rewards in cracking this system are also very high though, given
the retail cost of travel passes. I personally spend about 800UKP on
travel in London each year, and I live and work about 4 miles from the
centre. People made money selling tickets that exploited a problem in
the magnetic ticketing system because of this cost but these tickets
were obviously not valid for travel to the naked eye.

However the real fraud with the smart cards is already happening and
is far less technical. Most of the railway companies operating out of
London have not equipped their ticket barriers to accept the
smartcards or issued their staff with scanners (or maybe they just
can't be bothered to carry them). The result is the staff have to
assume you have a valid ticket loaded onto your smart card if you are
carrying one because they have no way of checking otherwise. For those
of you who have never seen one, they all look identical and you
usually do not get a printed paper receipt to go with it if you book
online.

Pretending you have a valid pass on a line where you know it will not
get scanned is the real weakness at the moment, and it is this that
makes the whole system a bit of a joke.

I'm sure the tens of millions could have been better spent elsewhere
on the network with a much larger benefit for the passengers.

--
Gareth Davis
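
An added example, not part of Gareth Davis's post and not the operator's software: a Python sketch of the kind of offline "database crawling" check the post above mentions, replaying reader logs against back-office top-up records to flag a card whose stored balance exceeds what the ledger allows, or a card id seen at two stations implausibly close together in time. The record fields, the 10-minute threshold and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field layout is an assumption for this sketch.
TOPUPS = [  # (time, card id, pence credited) as recorded by the back office
    ("2003-11-18 07:50", "C1", 1000),
    ("2003-11-18 07:55", "C2", 500),
    ("2003-11-18 08:00", "C3", 2000),
]
TAPS = [  # (time, card id, station, fare in pence, balance the card reported afterwards)
    ("2003-11-18 08:05", "C1", "Brixton", 200, 800),
    ("2003-11-18 17:30", "C1", "Oxford Circus", 200, 600),
    ("2003-11-18 08:10", "C2", "Stratford", 200, 300),
    ("2003-11-18 18:00", "C2", "Bank", 200, 5100),       # balance rose with no top-up
    ("2003-11-18 09:00", "C3", "Ealing Broadway", 200, 1800),
    ("2003-11-18 09:04", "C3", "Upminster", 200, 1600),  # across London, 4 minutes later
]
MIN_GAP = timedelta(minutes=10)  # assumed shortest plausible time between two stations
FMT = "%Y-%m-%d %H:%M"


def find_anomalies(topups, taps, min_gap=MIN_GAP):
    """Replay each card's history in time order and return (card, reason, time) findings."""
    events = defaultdict(list)
    for ts, card, pence in topups:
        events[card].append((datetime.strptime(ts, FMT), "topup", None, pence, None))
    for ts, card, station, fare, reported in taps:
        events[card].append((datetime.strptime(ts, FMT), "tap", station, fare, reported))

    findings = []
    for card in sorted(events):
        expected = 0     # balance according to the back-office ledger
        last_tap = None  # (time, station) of the previous tap for this card
        for when, kind, station, amount, reported in sorted(events[card], key=lambda e: e[0]):
            if kind == "topup":
                expected += amount
                continue
            expected -= amount
            # The card claims more value than the ledger ever credited to it.
            if reported > expected:
                findings.append((card, "balance_exceeds_ledger", when.strftime(FMT)))
            # The same card id at two different stations in too short a time.
            if last_tap and station != last_tap[1] and when - last_tap[0] < min_gap:
                findings.append((card, "implausible_travel", when.strftime(FMT)))
            last_tap = (when, station)
    return findings


if __name__ == "__main__":
    for card, reason, when in find_anomalies(TOPUPS, TAPS):
        print(f"{when}  {card}  {reason}")
```

As the post says, a finding like this only helps if someone acts on it: the flagged card id would still have to be pushed to the readers' cancel list.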


Neil Williams November 18th 03 08:55 PM

Security of Oyster Cards
 
On 18 Nov 2003 13:40:14 -0800, (Gareth
Davis) wrote:

Pretending you have a valid pass on a line where you know it will not
get scanned is the real weakness at the moment, and it is this that
makes the whole system a bit of a joke.


The solution to this, for the short term, is to issue a paper ticket
with the electronic one. For online transactions, this could be sent
through the post or maybe even collected from a ticket machine?

MK Metro issue a "validation receipt" from the bus ticket machine when
a pass is loaded onto one of their contact-type smartcards. This is
required when using one of the many Council-subsidised services not
operated by MK Metro on which the tickets are valid. (I do wonder,
out of interest, if MK Metro was involved in any research prior to
implementation - are there any other bus operators in the country
using a similar system, I wonder?)

Of course, this won't work for pay-as-you go - but before that can be
implemented for National Rail, there'll need to be as good as 100%
reader coverage anyway.

Neil

--
Neil Williams
is a valid email address, but is sent to /dev/null.
Try my first name at the above domain instead if you want to e-mail me.

Billy November 18th 03 09:18 PM

Security of Oyster Cards
 
This thread is filling me with dread, Judge.
Over here in Ireland we have recently had a gent called Mr Churcher writing
to the papers about his involvement in a "New Integrated Ticketing" system
for Dublin's public transport providers.
Mr Churcher avers to his involvement with other systems such as Octopus in
Hong Kong and speaks of adapting this technology to suit our particular
operating conditions.
The projected cost for the design and introduction of this Irish Octopus is
27 Million Euro.
However given Mr Carmody's post re Helsinki's adaptation I am now somewhat
a-tremble at what lies ahead......



Mok-Kong Shen November 18th 03 09:42 PM

Security of Oyster Cards
 


Volker Hetzer wrote:


Actually, today banknotes aren't naively stuffed with anti-forgery-features
but the idea is to make it unprofitable to fake a banknote in a small-scale
production. So, a forger is forced to go large-scale which in turn is easily
detectable (duplicate serial numbers or unexplainable inflation for instance)
and which also justifies a large-scale counteraction to find and disable him.


I am not sure duplicated serial numbers or unexplainable
inflation, especially the latter, are practical
characteristics that are 'effectively' checkable.
(Define 'unexplainable inflation'!) It's 'olds' now that
e.g. 50 Euro banknotes had been forged quite well. They
were presumably produced in regions not within EU
influences. Someone told me that certain sophisticated
techniques previously employed in DM are not used in Euro
because Euro is made by diverse member countries and not
all of them had such techniques at their disposal and so
they agreed on sort of a gcd.

M. K. Shen

Privacy Trap November 18th 03 10:36 PM

Security of Oyster Cards
 
Paul Corfield wrote in message . ..
On 18 Nov 2003 03:47:35 -0800, (Matthew) wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[snip]
I don't know if the mechanics of this system are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

[snip]

I can see potentially two (or three) ways of doing this system:

[snip]
Any insights better than mine into how the system works, and where
vulnerabilities lie would be welcomed.


Out of curiosity why do you wish to know?


So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.


Apparently one of the sub threads got itself crossposted to
alt.2600 :-O. Since when have hackers not divulged the details
of secure systems in public forums?

But just to put your mind at rest I'll include a special sig line
that should attract some attention.

---

' The decline of the nuclear family and the fission of traditional
communities, has led to an inertia in the population time-bomb, sex
can now also be used
as a 'weapon of mass destruction' against those that are seen as
undesirable. All it takes is the support of an extremist faction to
ensure
that a 'massacre' or atrocity of the rights of otherwise innocent lives
is fulfilled.

Matthew November 18th 03 10:58 PM

Security of Oyster Cards
 
"Ernst Lippe" wrote in message ...
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID
very large snip


Given the fact that these cards are smart cards, I believe
that your speculations are wrong. I could not find any
technical information about the card, but I have some
experience with smart cards, so here are my speculations.


The cards are manufactured by Philips, and are described here
http://www.semiconductors.philips.co...nders/ebg0038/

Here is some interesting information regarding what is and isn't on
the card (all the information is stored on the chip) from
http://www.computerweekly.com/Article123251.htm

Monk added that memory capacity is a key benefit of the Oyster card.

"For example, the technology could offer discounts right across the
different modes of transport in London," he said. "Current magnetic
cards cannot provide the level of stored data that smartcards can."

He also expects to see a decline in the amount of travelcard-related
fraud and theft. "If someone steals an Oyster card we can deactivate
it immediately and they are left holding nothing more than a piece of
plastic."

Apparently the promised ability to recharge the card by telephone and
internet will operate in a rather inconvenient way (you will have to
make your way to specific stations, even if your card happens to be a
bus pass)

'Travellers can renew Travelcards on their Oyster card over the
telephone or using the internet. The ticket is automatically loaded
when the smartcard is touched on a dedicated card terminal at a Tube
station gate at a nominated station.'

It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus
passes and travel cards), which are currently available from
newsagents and other retailers, providing a convenient service, as well
as revenue source for the retailers.

Matthew November 18th 03 11:12 PM

Security of Oyster Cards
 
Paul Corfield wrote in message . ..
On 18 Nov 2003 03:47:35 -0800, (Matthew) wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[snip]
I don't know if the mechanics system of this are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

[snip]

I can see potentially two (or three) ways of doing this system:

[snip]
Any insights better than mine into how the system works, and where
vulnerabilities lie would be welcomed.


Out of curiosity why do you wish to know?

As one of the people who wrote the spec for Prestige (but not to the
technical level of detail you are enquiring about) I am somewhat
concerned. Perhaps you can enlighten me as to your motives?


let me see. I could either be:

(a) a criminal determined to save the £7.50/week cost of my zone 4
pass, and asking how to do this in a public forum, conveniently
providing my name and email address

or
(b) someone with an enquiring mind intrigued about the technical
workings of a system, and concerned/interested about the security of
it.

I will leave you to work it out.

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.


So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.


I don't believe that there is anything especially confidential about
the mechanics of this system. True security works through secure keys
and public algorithms, not by hiding ones methods. In fact, it is
possible to buy mifare readers/writers online, as well as the cards,
so the general principles are public knowledge. Trade secrets of this
nature are usually protected by patents, which are published and
available for all to see. The technical workings of this system, if not
the precise coding and file structure, are most likely well-known.

Ernst Lippe November 19th 03 12:34 AM

Security of Oyster Cards
 
On Tue, 18 Nov 2003 21:21:14 +0000, Dave Newt wrote:

Kai wrote:

This is funny: "Because the Oyster card is contactless, customers only need
to touch the cardreaders with their Oyster cards as they pass through ticket
gates at London Underground or National Rail stations or board a bus. "

If they are contactless, then why do the customers need to touch the
cardreaders? :)


They originally said you could keep it in your pocket and sail through
the gates, but you can't! So they then changed it to the above wording.

However, you can leave it in your bag and wave your bag over the reader
(I have done it).

I think they are just overstating the case so that people don't hold it
six inches above the reader and then complain that it doesn't work.


The reason that you need to be very close is that the cards
have no internal power source, they get all their power from
electromagnetic radiation from the reader. And the reader
cannot send out very strong signals because that would
interfere with other equipment.

greetings,

Ernst Lippe


Michael Brown November 19th 03 04:07 AM

Security of Oyster Cards
 
Ernst Lippe wrote:
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart
cards for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[...]
I expect that this system should be fairly secure, breaking smart
cards is certainly not trivial. Smart cards have been used for quite
some time, e.g. as electronic purses, in several countries and as far
as I know there have not been any major attacks against the smart
cards themselves.


It's not a particularly smart card, and it is kinda old news, but the
electronic bus tickets that were used here in New Zealand were broken. To
quote Peter Gutmann's page:

"In October 1997 I broke the security of the smart cards used by the Yellow
Bus Company, Auckland's largest public transport organisation. These are
10-ride rechargeable cards that come in various forms (adult, child,
different numbers of fare stages, and so on). As it turns out the cards have
very little security, so that it's possible to recharge them or copy them
without too much effort (to test this I created a demo $50 test card that
was accepted by the reader as a normal bus pass). I informed the YBC of the
problem, and the story was covered in Computerworld New Zealand, 26 January
1998."

I believe there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.

[...]

--
Michael Brown
www.emboss.co.nz : OOS/RSI software and more :)
Add michael@ to emboss.co.nz - My inbox is always open



Peter Fairbrother November 19th 03 04:49 AM

Security of Oyster Cards
 
Michael Brown wrote


I believe there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.


At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with eg a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose. The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


--
Peter Fairbrother


sandy November 19th 03 06:50 AM

Security of Oyster Cards
 
Paul Corfield wrote in message . ..

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.


So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.


Well at the moment the system seems to let you travel on buses quite
happily without charging you the full fare:

I bought a weekly travelcard on an oyster. When the travelcard
expired I went to an LU ticketmachine to see what else, if anything, I
could do with this Oystercard. Review journey history - quite
interesting. Buy another season ticket - later maybe. Top up pre-pay
- oh what's this? I topped up £2.50 and checked the card and sure
enough it now showed a balance of £2.50.

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.

Now, I appreciate that pre-pay hasn't gone live officially yet, but it
is possible to store value on the cards and use that value to buy
single tube tickets - the machine prints you a paper one rather than
loading the ticket onto the oyster. And you are charged the full fare
for these tickets. Even so - being able to get an apparently valid[1]
ride on a bus for a penny must surely be a bit of a bug?

I'm not going to take the **** by making millions of bus journeys for
a penny all over town, but the £1.68 I appear to have saved will count
as some small recompense for the time and energy London Transport have
stolen off me over the years through their failure to run a proper
service.

[1] Yes, yes I know it's probably not /really/ valid, but
- a) the LED shows green and indicates a fare has been paid
- b) the drivers and/or conductors don't really give a monkeys about
collecting the correct fare or have the knowledge/training to
appreciate what has just happened
- c) I've lived in London for over 8 years and travelled extensively
on tube, train and bus and I have seen a ticket check probably less
than half a dozen times
- d) even if an inspector did check your oyster card - would it tell
him anything other than a valid fare had been paid?

--
Cheers
-sandy

Ernst Lippe November 19th 03 02:29 PM

Security of Oyster Cards
 
On Wed, 19 Nov 2003 18:07:40 +1300, Michael Brown wrote:

Ernst Lippe wrote:
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart
cards for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

[...]
I expect that this system should be fairly secure, breaking smart
cards is certainly not trivial. Smart cards have been used for quite
some time, e.g. as electronic purses, in several countries and as far
as I know there have not been any major attacks against the smart
cards themselves.


It's not a particularly smart card, and it is kinda old news, but the
electronic bus tickets that were used here in New Zealand were broken. To
quote Peter Gutmann's page:

"In October 1997 I broke the security of the smart cards used by the Yellow
Bus Company, Auckland's largest public transport organisation. These are
10-ride rechargeable cards that come in various forms (adult, child,
different numbers of fare stages, and so on). As it turns out the cards have
very little security, so that it's possible to recharge them or copy them
without too much effort (to test this I created a demo $50 test card that
was accepted by the reader as a normal bus pass). I informed the YBC of the
problem, and the story was covered in Computerworld New Zealand, 26 January
1998.


Those cards were not real smartcards, they were simply memory cards, that
do not contain any cryptographical keys and that generally are quite
easy to duplicate. The distinction between memory cards and smartcards
is very important from a security point of view. The oystercards are
(simple) smartcards and simple duplication attacks should not work.


I believe there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.


All disposable phone-call cards, that I know, are memory-cards (not
full-blown smart-cards). They have been counterfeited quite
frequently, and most telephone companies upgrade to new card types at
regular intervals. In general, this is not a very serious problem because
the risk is quite manageable, just like fraud with creditcards.

greetings,

Ernst Lippe
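
The distinction drawn in the post above between memory cards and smartcards, as an added example that is not part of the original thread: a card that only stores data can be copied by reading it, while a card that answers a fresh challenge with a key it never outputs cannot be copied that way. HMAC-SHA256, the class names, the master key and the card contents are all assumptions chosen for illustration, not the algorithm or data format of Oyster or of any real card.

```python
import hashlib
import hmac
import secrets

# Constructed reader-side master key (assumption for illustration only).
READER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_key(card_uid: bytes) -> bytes:
    """Per-card key derived from the reader's master key and the card's UID."""
    return hmac.new(READER_MASTER_KEY, b"card-key|" + card_uid, hashlib.sha256).digest()


class MemoryCard:
    """Holds data only: anything a reader can read, a copier can read too."""

    def __init__(self, uid: bytes, data: bytes):
        self.uid = uid
        self.data = data

    def read(self) -> bytes:
        return self.data

    def respond(self, challenge: bytes) -> bytes:
        return b""  # no key on board, so no valid response can be computed


class SmartCard(MemoryCard):
    """Same readable data, plus a secret key that is used but never output."""

    def __init__(self, uid: bytes, data: bytes):
        super().__init__(uid, data)
        self._key = card_key(uid)  # loaded when the card is issued

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + self.data, hashlib.sha256).digest()


class ReplayCard(MemoryCard):
    """A copy that also replays one response recorded from the genuine card."""

    def __init__(self, uid: bytes, data: bytes, recorded: bytes):
        super().__init__(uid, data)
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


def accepts_static(card: MemoryCard) -> bool:
    """Memory-card style reader: trusts whatever data the card presents."""
    return card.read().startswith(b"PASS")


def accepts_challenge(card: MemoryCard, challenge=None) -> bool:
    """Smartcard style reader: the card must prove it holds its per-card key."""
    if challenge is None:
        challenge = secrets.token_bytes(16)  # fresh nonce for every tap
    expected = hmac.new(card_key(card.uid), challenge + card.read(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def run_demo() -> dict:
    # Constructed card contents, not a real card layout.
    uid, data = b"\x04\xa1\xb2\xc3", b"PASS zone=4 expires=2003-12-01"
    genuine = SmartCard(uid, data)
    clone = MemoryCard(uid, genuine.read())  # bit-for-bit copy of the readable data
    old_challenge = secrets.token_bytes(16)
    replay = ReplayCard(uid, genuine.read(), genuine.respond(old_challenge))
    return {
        "clone_passes_static_check": accepts_static(clone),
        "genuine_passes_challenge": accepts_challenge(genuine),
        "clone_passes_challenge": accepts_challenge(clone),
        "replay_passes_fresh_challenge": accepts_challenge(replay),
        "replay_passes_reused_challenge": accepts_challenge(replay, old_challenge),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The last result is the reason the reader draws a new challenge on every tap: a reader that reused one would accept the recorded response.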


Mike Bristow November 19th 03 02:55 PM

Security of Oyster Cards
 
In article ,
Matthew wrote:
It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus
passes and travel cards), which are currently available from
newsagents and other retailers, providing a convenient service, as well
as revenue source for the retailers.


Pass agents (ie, newsagents where you can buy a travelcard) are
starting to get Oyster card updating hardware, too - the one opposite
Finchley Central station in Station Road has one.

I don't know what features their terminals have.

--
Good night little fishey-wishes.... I've counted you, so no
sneaky eating each other.
-- FW (should I worry?)


Gareth Davis November 19th 03 07:08 PM

Security of Oyster Cards
 
(sandy) wrote in message . com...

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.


This is very worrying. If there isn't sufficient audit carried out to
spot this problem then they have not got a hope in hell of spotting
hacked Oyster cards. Automated processes should be trawling through
the reader events every day and flagging any cards with suspect
transactions. This will reduce the life of any hacked card to less
than 24 hours. The longer the period is between the checks then the
longer the period that a hacked card will be useful for. Apparently
this stands at one week and rising.

At least it is taking some money off of you though, which was better
than the older magnetic ticketing system which would under certain
circumstances open the barriers when fed an expired travelcard (I jest
not - Google has the details). Nice to see that Cubic have produced
another quality system with our millions.

--
Gareth Davis


Richard J. November 19th 03 10:38 PM

Security of Oyster Cards
 
Peter Fairbrother wrote:
Oyster cards have a few unexpected security risks - people tend to
keep them in their wallets, and take their wallets out of their
pockets to wave over the reader. Gives pickpockets a chance to eye up
the wallet, and learn where its owner keeps it, and it gives thugs
the chance/ inspiration to grab the wallet and run.


Unexpected? Why is that any different from the situation with old-style
mag-stripe season tickets? Are you suggesting that people who keep their
Oyster in their wallet didn't keep their old season tickets there?
--
Richard J.
(to e-mail me, swap uk and yon in address)


Martin Rich November 20th 03 06:45 AM

Security of Oyster Cards
 
On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote:

Michael Brown wrote


I believe there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.


At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with eg a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.


There aren't any BT phonecards (at least in the sense of cards that
you load value onto and put in a public phone) any more. However the
first generation of BT phone cards were reputed to be very easy to
hack - this sounds like why



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.


Good point that the risks often have as much, or more, to do with
users' behaviour than the technical characteristics of the card.
Though in practice do people keep their Oyster cards in their wallet?
I keep mine in a separate wallet with my photocard, which is how I've
carried my travelcard for years. The wallet with my cash and credit
cards is separate, but of course it comes out when I want to buy a
paper and a cup of coffee before I get on my train or bus.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose.


Again (and I'm aware this is controversial) I'm not convinced it's a
big deal. Given the extent to which, in my case, Vodafone and Lloyds
TSB can already track my movements, and that TfL is only monitoring my
movements in terms of my use of their services, then I can't get
worried about TfL having a record of my Oyster use.

The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


OK - but that's an issue with whether the police have excessive
powers, not specifically an issue with Oyster. In any case plastic
cards tend to fall out of pockets, get stolen, and, however good the
security, will eventually get cloned: all reasons why a plastic card
being in a particular place isn't very strong evidence that its owner
was in a particular place

Martin


sandy November 20th 03 06:08 PM

Security of Oyster Cards
 
(Gareth Davis) wrote in message . com...
(sandy) wrote in message . com...

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.


This is very worrying. If there isn't sufficient audit carried out to
spot this problem then they have not got a hope in hell of spotting
hacked Oyster cards. Automated processes should be trawling through
the reader events every day and flagging any cards with suspect
transactions. This will reduce the life of any hacked card to less
than 24 hours. The longer the period is between the checks then the
longer the period that a hacked card will be useful for. Apparently
this stands at one week and rising.

At least it is taking some money off of you though, which was better
than the older magnetic ticketing system which would under certain
circumstances open the barriers when fed an expired travelcard (I jest
not - Google has the details). Nice to see that Cubic have produced
another quality system with our millions.



I think that this isn't a security fault as such, but rather a
bug/"feature" of a system that hasn't become fully operational yet. I
do wonder why the bus oyster readers simply aren't set up to reject
prepay cards as the tube gate readers are.

--
-sandy

Gareth Davis November 20th 03 11:23 PM

Security of Oyster Cards
 
(sandy) wrote in message . com...
(Gareth Davis) wrote in message . com...
(sandy) wrote in message . com...

I leave the station and decide to take a bus. It's a DOO bus so it
has a card reader by the driver. I blip the card onto the reader, it
lights up green, the driver acknowledges the fare and I make my
journey. I go into another tube station to check what has happened on
the card's journey history; bus fare deducted 1p, balance £2.49. I
did the same again later that evening from my local tube station to
home so the first journey was clearly not an isolated incident. This
happened about a week ago and checking the journey history yesterday
indicates that LU haven't adjusted the balance on the card to deduct
the bus fares at their proper amount.


This is very worrying. If there isn't sufficient audit carried out to
spot this problem then they have not got a hope in hell of spotting
hacked Oyster cards. Automated processes should be trawling through
the reader events every day and flagging any cards with suspect
transactions. This will reduce the life of any hacked card to less
than 24 hours. The longer the period is between the checks then the
longer the period that a hacked card will be useful for. Apparently
this stands at one week and rising.

At least it is taking some money off of you though, which was better
than the older magnetic ticketing system which would under certain
circumstances open the barriers when fed an expired travelcard (I jest
not - Google has the details). Nice to see that Cubic have produced
another quality system with our millions.



I think that this isn't a security fault as such, but rather a
bug/"feature" of a system that hasn't become fully operational yet. I
do wonder why the bus oyster readers simply aren't set up to reject
prepay cards as the tube gate readers are.


You managed to make journeys costing less than the minimum bus fare.
The SQL query against the database of card usage to report events like
that is trivial and given sufficiently powered servers hosting the
database should be completed in a very short time frame (i.e. minutes
if not seconds) using data from the previous day's card transactions.
The fact that simple (in programming terms) audits are not happening
suggests that the more complex stuff matching journeys with ticket
validity is also not happening. This does not bode well for the
future.

The more the MiFare cards are rolled out round the world then the
higher the return to be made from cracking them. Or to put it into
perspective, I think it is fair to say that more people will soon be
using the MiFare system each day in London alone than used the pay TV
system of ITV digital whose smart cards were hacked at great expense
(to the hackers).

I have not seen any evidence to suggest MiFare is (currently) insecure
but you always need more than one level of security, if not to guard
against malicious hacking then to guard against a cock up such as
setting a 1p fare for a bus journey when the minimum bus fare is 70p
(or 65p? with saver tickets).

--
Gareth Davis
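
The daily audit described in Gareth Davis's two posts above, as an added example that is not part of the original thread: a query over one day's reader events that flags bus taps charged less than the minimum fare, unless a pass valid on that date covers the card. The table and column names, card ids and sample rows are constructed assumptions; only the 70p minimum fare comes from the thread.

```python
import sqlite3

MIN_BUS_FARE_PENCE = 70  # minimum bus fare quoted in the thread

# Hypothetical schema for reader events and season passes.
SCHEMA = """
CREATE TABLE taps (
    card_id       TEXT    NOT NULL,
    tapped_at     TEXT    NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS' from the reader
    mode          TEXT    NOT NULL,   -- 'bus' or 'tube'
    charged_pence INTEGER NOT NULL
);
CREATE TABLE passes (
    card_id    TEXT NOT NULL,
    valid_from TEXT NOT NULL,         -- 'YYYY-MM-DD', inclusive
    valid_to   TEXT NOT NULL          -- 'YYYY-MM-DD', inclusive
);
"""

# Under-charged bus taps on one day, excluding taps covered by a valid pass,
# grouped per card with the total shortfall against the minimum fare.
AUDIT_SQL = """
SELECT t.card_id,
       COUNT(*)                          AS suspect_taps,
       SUM(:min_fare - t.charged_pence)  AS shortfall_pence
FROM taps AS t
WHERE t.mode = 'bus'
  AND date(t.tapped_at) = :day
  AND t.charged_pence < :min_fare
  AND NOT EXISTS (
        SELECT 1
        FROM passes AS p
        WHERE p.card_id = t.card_id
          AND date(t.tapped_at) BETWEEN p.valid_from AND p.valid_to)
GROUP BY t.card_id
ORDER BY shortfall_pence DESC, t.card_id
"""

# Constructed sample data, not real reader events.
SAMPLE_PASSES = [
    ("CARD-A", "2003-11-03", "2003-11-09"),  # weekly pass, expired before the audit day
    ("CARD-B", "2003-11-10", "2003-11-16"),  # weekly pass, valid on the audit day
]
SAMPLE_TAPS = [
    ("CARD-A", "2003-11-12 08:14:00", "bus", 1),    # expired pass, charged 1p
    ("CARD-A", "2003-11-12 18:40:00", "bus", 1),
    ("CARD-A", "2003-11-12 09:02:00", "tube", 0),   # other mode, not a bus fare
    ("CARD-B", "2003-11-12 08:30:00", "bus", 0),    # covered by a valid pass
    ("CARD-C", "2003-11-12 07:55:00", "bus", 70),   # correct prepay fare
    ("CARD-D", "2003-11-11 22:10:00", "bus", 1),    # belongs to the previous day's run
    ("CARD-E", "2003-11-12 12:00:00", "bus", 0),    # no pass and nothing charged
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO passes VALUES (?, ?, ?)", SAMPLE_PASSES)
    conn.executemany("INSERT INTO taps VALUES (?, ?, ?, ?)", SAMPLE_TAPS)
    conn.commit()
    return conn


def audit_day(conn: sqlite3.Connection, day: str) -> list:
    """Return (card_id, suspect_taps, shortfall_pence) for one calendar day."""
    rows = conn.execute(AUDIT_SQL, {"day": day, "min_fare": MIN_BUS_FARE_PENCE})
    return [tuple(row) for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for card_id, taps, shortfall in audit_day(db, "2003-11-12"):
        print(f"{card_id}: {taps} under-charged bus taps, shortfall {shortfall}p")
```

Run once a day over the previous day's events, a report like this bounds how long a mis-set fare or a tampered card goes unnoticed to roughly the audit interval, which is the point both posts make.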


Peter Fairbrother November 21st 03 05:11 AM

Security of Oyster Cards
 
Richard J. wrote

Peter Fairbrother wrote:
Oyster cards have a few unexpected security risks - people tend to
keep them in their wallets, and take their wallets out of their
pockets to wave over the reader. Gives pickpockets a chance to eye up
the wallet, and learn where its owner keeps it, and it gives thugs
the chance/ inspiration to grab the wallet and run.


Unexpected? Why is that any different from the situation with old-style
mag-stripe season tickets? Are you suggesting that people who keep their
Oyster in their wallet didn't keep their old season tickets there?


To quote RP on another list:

"However, you still have to get your wallet out, as the range is
reportedly not enough otherwise. I'd rather *not* take my wallet out in
a place like Kings Cross, and so I always keep my paper ticket in the
breast pocket of my shirt - where it's really easy to take out and use."

Personally, I keep them in my left trousers back pocket.


--
Peter Fairbrother


fatherivy November 21st 03 09:56 AM

Security of Oyster Cards
 
Gareth Davis wrote:

The more the MiFare cards are rolled out round the world then the
higher the return to be made from cracking them. Or to put it into
perspective, I think it is fair to say that more people will soon be
using the MiFare system each day in London alone than used the pay TV
system of ITV digital whose smart cards were hacked at great expense
(to the hackers).


The smartcard/encryption used by ITV digital was the SECA system developed
by CANAL+ and used widely throughout Europe on other pay-TV networks. Far
more people than the 1.1 million ITV digital subscribers stood to be able to
benefit from the system being cracked.


Helen Deborah Vecht November 21st 03 11:41 AM

Security of Oyster Cards
 
Martin Rich typed

There aren't any BT phonecards (at least in the sense of cards that
you load value onto and put in a public phone) any more. However the
first generation of BT phone cards were reputed to be very easy to
hack - this sounds like why


Aren't there?

What became of 'phonecard plus'?

--
Helen D. Vecht:
Edgware.

Boltar November 21st 03 02:21 PM

Security of Oyster Cards
 
"Ernst Lippe" wrote in message ...
Even though there are some possible attacks, in general it is very
difficult to extract those keys from the smart card.


No it isn't. You rip the lid off the chip and put the EEPROM under
a special microscope. I forget the actual technique used but it's been done.
Admittedly it's way out of the league of your one man operation but don't
think that professional fraud gangs aren't able to do it.

Companies always expect the software attack but they never think of the
hardware attack. If you can physically read the transistor/capacitor values
then you can get the data out and given that the memory in most of these
cards is only a few kilobytes this wouldn't take too long. Even encrypting
the data is a waste of time since even if the fraudster doesn't understand
what he's seeing he can still make exact copies of it onto operationally
identical hardware (ie duplicate the cards).

Of course whether a duplicated card or any data extracted from it is any
use is another question.

B2003

Boltar November 21st 03 02:23 PM

Security of Oyster Cards
 
(Matthew) wrote in message . com...
It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus


You're making the classic mistake of thinking that this is being done for
OUR benefit. Nothing is ever done for the consumer's benefit, it's done for
the companies' benefit and if it happens to benefit the consumer then, well
that's nice, if not, just chuck some marketing at it and the sheep will be
mollified.

B2003

Martin Rich November 21st 03 09:17 PM

Security of Oyster Cards
 
On Fri, 21 Nov 2003 12:41:45 GMT, Helen Deborah Vecht
wrote:

Martin Rich typed

There aren't any BT phonecards (at least in the sense of cards that
you load value onto and put in a public phone) any more. However the
first generation of BT phone cards were reputed to be very easy to
hack - this sounds like why


Aren't there?

What became of 'phonecard plus'?


My source is http://www.payphones.bt.com/2001/pho...s/prepaid.html
- this does talk about various dates in April and September 2003 in
the future tense, so it may not be completely authoritative (if you
see what I mean)

Martin

Christian Hansen November 22nd 03 09:09 AM

Security of Oyster Cards
 
On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote:

Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.


Well, I keep mine in the cardholder that came with it. It's exactly the same
as the Travelcard holder except for different colours and the Oyster logos. My
wallet stays in my trousers, where it belongs.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose. The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


This may be a difficulty. With Blunkett wanting to keep an eye on us 24 hours
a day, we may have to call the Government on this one.

The card itself keeps a record of the last three trips, I'm told.

I wonder if, under freedom of information rules, we might be able to demand a
record of what information TfL has on where we've been.
--
Chris Hansen | chrishansenhome at btinternet dot com

Robert Woolley November 22nd 03 10:10 AM

Security of Oyster Cards
 
On Sat, 22 Nov 2003 10:09:09 +0000 (UTC), Christian Hansen
wrote:

On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote:

Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.


Well, I keep mine in the cardholder that came with it. It's exactly the same
as the Travelcard holder except for different colours and the Oyster logos. My
wallet stays in my trousers, where it belongs.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose. The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


This may be a difficulty. With Blunkett wanting to keep an eye on us 24 hours
a day, we may have to call the Government on this one.

The card itself keeps a record of the last three trips, I'm told.

I wonder if, under freedom of information rules, we might be able to demand a
record of what information TfL has on where we've been.


The card has more than the last three trips. Have a look on the touch
screen machines at Tube stations (have a look on the 'View Oyster Card
Usage').

Try the Data Protection Act. Yes, I'm pretty sure you'd be entitled to
a record of details held by TfL. Why not check with them?


Rob.
--
rob at robertwoolley dot co dot uk

