Article: Fears on Go Card security

[ozbob]

From Sunday Mail 13 April 2008 page 40 not online

Fears on Go Card security

Fears on Go Card security

THE State Government will reward its 50,00Oth Go Card commuter this week amid allegations the electronic ticketing system is vulnerable to security fraud.

The lucky user will get $250 loaded on to their Go Card, while TransLink chiefs deal with the threat of hackers cloning the smart cards.

Premier Anna Bligh acknowledged yesterday there had been "teething issues" but said the Go Card recently passed $1 million in sales.

"We are working to iron out problems and will continue to make Go Card even better in the future," she said.

But Opposition transport spokesman Tim Nicholls said the State Government had to "come clean" on the threat.

"It is worrying that just a couple of months after the official roll-out, we are now hearing reports that there are security concerns," he said, "After spending more than five years and $130 million, you'd hope the Government has been assured the card is secure against fraud."

A security consultant testing similar ticketing systems in Europe last week claimed to have successfully cracked the card's security encryption.

Transport Minister John Mickel said contractor Cubic Transportation System had assured the State Government the ticket was safe.

Darrell Giles

[ozbob]

 

There is a more pressing problem, getting the card to work reliably on the buses and ferries.

Crikey!

[ozbob]

Media Release 13 April 2008 

SEQ:  Call for free travel on buses for Go card users, system not working!

RAIL Back On Track (http://backontrack.org) a web based community support group for rail and public transport and an advocate for public transport commuters has said that there is an issue with the go card system equipment on buses that has resulted in an incorrect time being used to calculate fares, and users being overcharged.

Despite the mutual self congratulation of Government and Translink on the imminent sale of the 50,000th go card the system is in a major crisis.  Disturbingly, card users on the buses are not being alerted to the problem with incorrect go card time on the buses (1).

Robert Dow, Spokesman for RAIL Back On Track said:

?We have received feedback the indicates there is a major issue on some of the buses with respect to the system time for the Go card on-board equipment (2).  Some of system clocks on the buses appear to be running an hour ahead.  It is possibly related to an incorrect time zone on the software.?

?The effect of this is that go card users who transfer to or from a bus with the incorrect system time are being debited with incorrect fares, and sometimes penalties. This adds to the problems bus and ferry users of the go card are experiencing with failures of the card readers.?

?RAIL Back On Track calls for free travel for Go card uses on buses until the problems with the go card equipment are resolved.?

?Failing that, to stop being hit with extra fares and penalties go card users may be better off using cash ticketing options on buses until Translink indicates the problem has been fixed.?

?The go card is working well on rail. The problems are with the mobile card devices and system on buses and ferries.?

?Problems with deterioration of go card equipment in exposed positions on railways stations and ferries, security concerns with the go card, chronic touch failures on buses and ferries, and now the failure of the system to keep correct time indicate it is not the time for celebration. Rather, all attention must be directed to fixing the go card system so that is reliable. The Government has indicated that one million dollars in ticket sales revenue for the go card has been passed.?

?How much of that revenue is unclaimed penalties?  Of the soon to be 50,000 go cards issued, how many are in active use? The answers to these questions might indicate the nature of the ongoing problems.?

?The Queensland taxpayer is funding the go card.  They are entitled to answers, a go card system that is reliable and a fair fare deal!?

Reference:

1.  http://backontrack.org/mbs/index.php?topic=743.0

2.  http://backontrack.org/mbs/index.php?topic=432.msg3053#msg3053


Contact:

Robert Dow
Administration 
admin@backontrack.org

[ozbob]

Interesting article has appeared here --> Hackers Crack London Tube's Ticketing System

I understand The Go Card uses the same MiFare Classic system as the Oyster Card ...

As far as the Go card goes I suppose there might be the (remote) possibility of a registered user being debited fares that they don't actually incur?  And it might be hard to convince TL that you didn't take the trips??? 
Could be interesting if you are recorded as so touching on at Robina and you touch off at say Gympie North 2 minutes later ... LOL

Previous articles at Brisbanetimes  New report slams go card security  16 April 2008 and

Go cards 'doomed' over security 11 April 2008

[Derwan]

As far as the Go card goes I suppose there might be the (remote) possibility of a registered user being debited fares that they don't actually incur?  And it might be hard to convince TL that you didn't take the trips??? 

As I understand it, the value is stored on the card - so your card's balance wouldn't be reduced by trips made on a copied card.  But obviously there would be a mismatch between the card and account, which (I assume) would be immediately flagged as potential fraud.

I think the biggest risk would be an online top-up making its way to the copied card if they touch-on before you.

I dare say that if any fraud was to occur, it'd be a case of people purchasing unregistered cards, copying and selling them.

[ozbob]

I think it depends on the mode of transport being used. Rail is real time, bus and ferry when the unit next updates with the system at depot.  It is just a remote possibility. Personally  don't think it is a significant threat at all for travel cards (although theoretically possible, who has the skills, the inclination for a few dollars of free travel on our super transport system  ), but cloning would be an issue for cards with security functions such as entry passes and that.

They can clone my card, I am poor ....  LOL