Article: New report slams go card security

[ozbob]

From Brisbanetimes click here!

New report slams go card security

New report slams go card security
Scott Casey | April 16, 2008 - 5:00AM

A new study by UK academics has given further weight to fears that the security system used by Queensland's new public transport go cards is fatally flawed.

Earlier this year, it was revealed that US security consultant Karsten Nohl - and others - had successfully cracked the security encryption of the Mifare Classic Card.

Mifare Classic operates in Queensland as the go card, but also in London (as the Oyster card), Boston and Washington.

Mr Nohl told brisbanetimes.com.au last week the go card system was doomed because now that the security encryption had been cracked, fraudsters could illegally copy and use other people's go cards.

Yesterday, the Information Security Group of the Royal Holloway University of London released a report that proved the cryptography used in go cards - CRYPTO1 - had been breached.

It comes after a similar analysis by Dutch company TNO of the country's public transport system, Chipkaart, which uses the same technology as go cards.

Mr Nohl said he could now crack the Mifare Classic Card's security encryption in just 12 seconds.

"Those that were thinking there was a little bit of security left will now realise that isn't the case," Mr Nohl said.

In a statement last week, Queensland Transport said it was pursuing security concerns with Cubic, the Australian operator of the go card system.

"Cubic has provided advice that the go card ticketing system is not at risk from the most recent claims raised regarding the Mifare Classic smart card," the statement said.

A Queensland Transport spokesman said it was Cubic's responsibility to provide a ticketing system "fit for purpose", including appropriate security systems.

"TransLink has received further advice from Cubic in March 2008 regarding the need for an ongoing security review due to technology advances as a normal and prudent approach to managing a smart card ticketing system," the spokesman said.

"TransLink has commenced and will continue assessing its responses to ensure system security remains paramount."

However, Mr Nohl said he believed operators would be confident of the system's security until faced with an actual attack on its integrity.

"I'm sure they are very confident of it [the system] until someone comes around and cracks it," he said.

"The Mifare system was marketed as having advanced levels of protection, proved security and that's what people thought they had a few months ago and now our research has shown them quite the opposite."

A spokesman from Transport for London, quoted in Thisislondon.co.uk, said representatives were confident they could spot cloned Oyster cards and backed the security systems in place.

"All Oyster information is fully encrypted and we have adopted extra security measures on top of that available on the source chips," the spokesman said.

[ozbob]

Personally I am not that concerned with the security issue.  Far more important is a system that actually works!

Who really is going to go to the trouble to hack a go card just to 'climb Mount Everest' essentially?

[Derwan]

Encryption is fundamentally software-based.  The system can be reprogrammed with new encryption.  It would probably mean introducing new cards with the new encryption programmed in as well.  There wouldn't need to be an immediate need to "upgrade your card".  The two methods could co-exist until the older cards were eventually phased out.

The balance and trip information is stored on the card.  If there was a mismatch between the balance on the card and the balance on the cardholder's account (i.e. which would happen if a registered card was copied and used), it would be easily detected as possible fraud.  If the transaction history for a registered card revealed two consecutive touch-on's - again it could be flagged.   These are simple ways in which possible fraud can be detected and when they occur the true cardholder could be immediately contacted - before any online top-ups make their way to the copied card.

If you have an unregistered card, only the current details would be copied.  TransLink probably still records details for unregistered cards so could detect when there is a case of possible fraud - but they have no one to notify.  The unregistered cardholder may not at risk because their card's balance won't reflect transactions from the copied card - and they can only top up their card at machines so there is no risk of money making it to the wrong card.

Any black market would have to be based on using unregistered cards.  These would likely be purchased with cash from a Go Card reseller for the specific purpose of copying and selling.  If a single card number was flagged as potentially having a number of copies, it could be immediately cancelled (thus cancelling all the copies).  If an genuine unregistered cardholder's card was copied for this purpose, they would lose out in this situation.

At the end of the day, it is always better to register your card and monitor transactions.  It is far more likely that the system will screw up than for your card to be copied and used by someone else, but at least you'll be able to detect either case!