A Samizdata commenter linked to a story about a security vulnerability in Mifare Classic RFID cards. According to the Wikipedia article for Mifare, which cites an article on what looks like an independent website called Mifare.net, these are Oyster cards, but there are variants of Mifare card, so Oyster cards could be different.
The press release from the University of Virginia has the important details about the vulnerability, and an article by the CEO of a smart card consultancy company goes into even more detail. What it boils down to is that only a 48-bit key is used to encrypt the data stored on the card, so with the right equipment and know-how it is possible to quickly try all the keys and find the one that unlocks a given card. Then it will be possible to read and write the data. How useful this is depends on what is stored on the card.
If the prepay balance is stored, it would be simple to modify the balance. But there may be other safeguards in place. Certainly it should be possible for TfL to spot discrepancies between journeys made and balance deposited to a card. But would-be hackers might be more sophisticated, so if Oyster cards do rely on Mifare Classic encryption the situation has changed from mathematical certainty that Oyster is secure to a battle of wits between TfL and computer hackers.
On the other hand, the effort required may outweigh the benefits of fare dodging. Things could be much worse if Oyster cards had evolved into general purpose micropayment cards. That idea was dropped last year.
Talking of rail-related smart cards, what’s with the marine wildlife connection? In London it is called Oyster. In Hong Kong it is called Octopus. And in Tokyo it’s called Suica. OK, so I don’t know what Suica means. But they promote it with a penguin.
Tube travel was supposed to be free on New Year’s Eve, something to do with NatWest sponsoring tube travel. On the way home the gates were open but I touched my Oyster card anyway because we are constantly told to “always touch in and touch out” on posters and in P.A. announcements. I didn’t want to find a closed gate and have to pay the £4. When I got to my destination the gate announced that there was not enough credit on my card. What? Not enough credit to pay for a free fare? I was tired and no-one was around to help, so I walked through the open gate.
When I checked a few days later, it turned out I had been charged for an incomplete journey on that New Year’s Eve. £4 for a free journey seems a lot. When I challenged it at the counter, I was told that I could only be refunded £3. So that’s £1 for a free journey. I am sure that NatWest would not be happy at their money being stolen by TfL in this way.
TfL means Transport for London, by the way.
To me the real rip-off here is that you only get refunded the mere cash that you lost, or in this case not even all of that, rather than all the cash you lost plus ten quid minimum for all the bullshit involved in getting the cash back.
Rob also links to an article about what programmers can learn from the good and the disturbingly numerous bad things about the Oyster system.