
Article: Go cards 'doomed' over security

Started by ozbob, April 11, 2008, 12:05:54 PM


ozbob

From Brisbanetimes:


Quote: Go cards 'doomed' over security
Scott Casey | April 11, 2008 - 11:35AM

Queensland's new "go card" public transport ticketing system is doomed because of its extreme vulnerability to hackers, a European security expert says.

Karsten Nohl, a security consultant and hacker who reverse-engineers high tech and secure systems, said Queensland's go card system was already obsolete because he - and others - had successfully cracked the card's security encryption.

"There will be a need to replace it soon so why even bother having it?" he said.

Mr Nohl said it was a simple process to clone go cards using equipment freely available on the internet.

A cloned card would act exactly the same as the original and could be used to fraudulently ride public transport.

Mr Nohl said even more frightening was the fact fraudsters don't even need to get their hands on a go card to clone it. Scanning equipment can enable them to access a card's information from a distance of five to six metres, or even more.

"It's just a question how much are you willing to spend on your equipment - you could probably bump it up much more if needed," Mr Nohl said.

Mr Nohl said the Dutch government was looking to phase out the go card - which is known within the industry as the Mifare Classic Card - because of the security concerns.

The system is also used in cities such as London, Boston and Washington. In London alone, there are 17 million active Mifare Classic Cards (known there as Oyster cards).

"The [Dutch] government ordered these things [Mifare Classic] not to be used for security applications anymore," he said.

"Now whether or not using these things for subway tickets is a security application, that is still an open question, but they are starting to replace these things with better technology."

After revealing in early March that researchers at Radboud University in Holland had also cracked the Mifare system, Dutch Minister of Interior Affairs Guusje ter Horst said in a letter to the Netherlands parliament the government would take "additional security measures to safeguard security".

The Minister said researchers at Radboud University had "developed a method by which a large number of chip-cards (was) relatively easy to crack and duplicate."

One day after the Minister's letter was made public, the Dutch manufacturer of the cards, NXP Semiconductors, said it would release a new, more secure card - Mifare Plus - to specifically address the security issues raised by Mr Nohl.

Yesterday, a TransLink spokesman said it was pursuing security concerns with Cubic, the Australian operator of the go card system.

"TransLink is aware of the testing academics in Europe have undertaken on the Mifare smart card," a TransLink statement said.

"TransLink is currently assessing the claims made by the academics and has raised the matter with Cubic Transportation Systems and is awaiting their response.

"TransLink's go card system uses multiple layers of security and these academics have only demonstrated an ability to gain access to one of these layers.

"TransLink also has in place systems to detect and reject smart cards that may have been manipulated fraudulently."

What is a smart chip?
The smart chip inside a go card is a radio frequency identification (RFID) chip - a tiny transponder that waits for activation by a radio signal and upon receiving it, transmits a unique code.

The go card's RFID chip receives its signal from readers at bus or train entry points, transmitting its unique code and allowing the computer to identify it before accessing your account balance and approving entry onto public transport.

A fraudster would use a scanner to read a go card, copy its information and transfer it onto a blank card, which is easily bought off the internet for a few dollars.

Card readers can also be obtained for between $400 and $750.
Half baked projects, have long term consequences ...


Derwan

Wow... smart cards can be copied....... just like monthly tickets!  :P

ozbob

This article will probably turn some away from the card and at a time that there is the other issue too.  ::)

I think most folks have known (well those interested in smart cards anyway) that there are security risks, but face it, who would want to hack a transport card? Most people don't have huge sums on them anyway.

Unfortunate timing for the go card ...

:'(


dwb

Lot of work for bus fare, plus I'm guessing very large penalties (ie jail).
