• Welcome to RAIL - Back On Track Forum.
 

Security Issues with the new GoCard

Started by Gingerbeer, January 11, 2010, 12:22:16 PM


Gingerbeer

http://technology.timesonline.co.uk/tol/news/tech_and_web/article4184481.ece

I was recently in London and read this story. I believe it is the same technology in Brisbane; the problem for me isn't so much the money, it is all the personal details that are kept on the card.

Also another article below saying the same stuff, but it sounds like it is too easy for anyone organised enough and smart enough


Hackers Crack London Tube Oyster Card


It just goes to show, having an aluminium lined wallet could really be useful! Hackers in the Netherlands found they could clone an access card using the Mifare chip, after that they traveled to London to try their technique out on the Oyster card (used on the London Underground), which uses the same chip.

It just goes to show...implementation of these cards really isn't good yet.


Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the "smartcards" commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

Apparently they can only use the cloned card for one day's travel, but still...what would stop them from doing it every day?

Or cloning an access card to a more important place and wreaking some havoc there.


The hackers scanned one of the Underground's many card readers to collect the cryptographic key that purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning them into portable card readers. The hackers then brushed up against passengers to wirelessly upload the information on their Oyster cards. That information in hand, it was a simple matter of using it to program new cards.

Jacobs says the same technique can clone smartcards that provide access to secure buildings. "An employee can be cloned by bumping into that person with a portable card reader," he told the Times. "The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures."

So break out your tinfoil hats and aluminium hats, the smartcard hackers are coming to a building near you soon.

The Dutch government are taking this VERY seriously, planning to replace all 120,000 smart cards used by their employees for access. That will be an expensive exercise.

I wonder will Oyster make any changes following the media coverage on this?

And what rights does a consumer have after their card is cloned and their credit used, are they insured? Would they even notice? Whose responsibility is it?


ozbob

#1
Yes, this has been mentioned a few times before --> http://railbotforum.org/mbs/index.php?topic=738.0

TransLink has said they can identify quickly any cloned cards.  There would be a mismatch between the card and database I would expect.

As for the chap who had funds transferred out of his card incorrectly there would be very swift restitution I would expect, otherwise a loss of faith in the system altogether.

Half baked projects, have long term consequences ...

ozbob

Some feedback received, thanks.

Quote: Here are some comments and links which speak for themselves:

Using a smart card for mass transit presents a risk for privacy, because such a system enables the mass transit operator (and the authorities) to track the movement of individuals. In Finland, the Data Protection Ombudsman prohibited the transport operator YTV from collecting such information, in spite of YTV's argument that the owner of the card has the right to get a list of journeys paid with the card.

http://www.gss.co.uk/news/article/4966/MiFare_RFID_crack_more_extensive_than_previously_thought/

http://www.computerworld.com/s/article/9069558/How_they_hacked_it_The_MiFare_RFID_crack_explained?taxonomyId=17&pageNumber=2

Excerpt:
At 24C3, Nohl warned against the increasing ubiquity of RFID tags. "We need some level of authentication, some security that has yet to be added to many of these applications," he said. He pointed to the increasing use of RFID tags in public transit systems, car keys, passports, and even World Cup tickets -- and the potential worrying privacy implications of large-scale RFID tagging of products by big retailers such as Wal-Mart Stores Inc.
The gist? If you rely on MiFare Classic security for anything, you may want to start moving to a different system.

Is it really worth pushing the Go Card? But again, stupidity isn't a privilege of uneducated people.

Jon Bryant

If people are worried about privacy from your GoCard then they had better not have a mobile phone, a bank account, a tax file number, and an array of other actively monitored transactions. Using privacy to attack the GoCard is a bit rich.

Derwan

I'm with Jonno.  These "privacy advocates" have no idea how technology such as this can make the service better - as we'll have actual trip data as opposed to guesswork and once-a-quarter surveys.

Sure - the government is interested in what YOU are doing, not the hundreds of thousands of other users.  Come on - are these people for real?

Even if people have concerns, they shouldn't be complaining about or relating it to the Go Card.  If worried about privacy, they don't have to register the card.

stephenk

Quote from: Derwan on February 04, 2010, 09:00:51 AM
I'm with Jonno.  These "privacy advocates" have no idea how technology such as this can make the service better - as we'll have actual trip data as opposed to guesswork and once-a-quarter surveys.

Sure - the government is interested in what YOU are doing, not the hundreds of thousands of other users.  Come on - are these people for real?

Even if people have concerns, they shouldn't be complaining about or relating it to the Go Card.  If worried about privacy, they don't have to register the card.

Whilst I agree, Oyster card journey history has been successfully used against people in courts in the UK. So people having affairs, should probably not use the Go Card to travel to their mistress!

Evening peak service to Enoggera* 2007 - 7tph
Evening peak service to Enoggera* 2010 - 4tph
* departures from Central between 16:30 and 17:30.

Derwan

Quote from: stephenk on February 04, 2010, 20:03:29 PM
Whilst I agree, Oyster card journey history has been successfully used against people in courts in the UK. So people having affairs, should probably not use the Go Card to travel to their mistress!

Bah ha ha ha.  Or - don't use the Go Card if you're a criminal travelling to the site of your crime!

On the flip-side, it could actually SAVE someone who was falsely accused of a crime.

Golliwog

I don't really see the police using go card data to find criminals or witnesses as a problem. As the article states, they don't have unfettered access, they have to ask for it from Translink, just like they would ask for drivers license details or the like. Before the go card they still would have wanted to talk to the people on the bus but would have had no reliable way of knowing who was on it.
There is no silver bullet... but there is silver buckshot.
Never argue with an idiot. They'll drag you down to their level and beat you with experience.

ButFli

There was a murder around the corner from my house. A few days later I got a call from a Police Officer asking me if I had seen anything suspect happening when I caught the bus on X date. The bus stop is very close to the crime scene and he was calling every registered Go Card user who had caught the bus from there at around the right time. He couldn't tell me where I got off the bus though so I assume the amount of info the Police can get is very limited.

p858snake

Quote from: ButFli on July 29, 2010, 18:13:16 PM
There was a murder around the corner from my house. A few days later I got a call from a Police Officer asking me if I had seen anything suspect happening when I caught the bus on X date. The bus stop is very close to the crime scene and he was calling every registered Go Card user who had caught the bus from there at around the right time. He couldn't tell me where I got off the bus though so I assume the amount of info the Police can get is very limited.

It's not restricted, it's just what Translink handed over.
