Another EUSecWest NFC Trick: Ride the Subway For Free

← Back to Stories (view on slashdot.org)

Another EUSecWest NFC Trick: Ride the Subway For Free

Posted by timothy on Thursday September 20, 2012 @10:11AM from the she's-got-a-ticket-to-ride dept.

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

135 comments

Min score:

Reason:

Sort:

More like... by Bill+Hayden · 2012-09-20 10:16 · Score: 1, Insightful

...ride in a police car for free.

--
Protect your browser with the Force Safe Search add-on
1. Re:More like... by snowraver1 · 2012-09-20 10:22 · Score: 4, Interesting
  
  How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.
  
  Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card bring used more than the maxumum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
2. Re:More like... by SomePgmr · 2012-09-20 10:29 · Score: 2
  
  That was my thought. Putting the balance for anything on the card itself is a terrible idea, unless you have no choice because readers won't be (reliably) connected to the larger infrastructure.
  I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.
3. Re:More like... by Razgorov+Prikazka · 2012-09-20 10:35 · Score: 3, Interesting
  
  No, not really. It happened before (2010) with the cards of those dim-witted nitwits of TransLinkSystems in the Netherlands.
  A journalist hacked a TLS-card (although admittedly it was more at the level of a script-kiddy) and traveled for free, on camera etc, even showing how to do it.
  Not quite sure what happened, but I believe the court dismissed the case because the value of the freedom of press and journalists being critical was more important than a company that isn't up-to-date (since 2007).
  <sarcastic commercial tune>
  TransLinkSystems, promising better since 2001
  </sarcastic commercial tune>
  
  Off-topic, but last week the same news-network (Powned) were voting in the elections for the new parliament wearing a burqa (and a hidden camera) and thus couldn't be properly identified. No problem for the multiculturalist doing the ID-ing, and the guy (yes a guy) voted with a fake ID of a woman and a voters-card of some other woman. Same here, probably it will be dismissed for the same reason. Good fun with those guy's.
  
  --
  rm -rf --no-preserve-root / ...and let /dev/null sort them out...
4. Re:More like... by theshowmecanuck · 2012-09-20 10:53 · Score: 1
  
  Do you have an English language link to the voting story?
  
  --
  -- I ignore anonymous replies to my comments and postings.
5. Re:More like... by Sulphur · 2012-09-20 11:31 · Score: 1
  
  How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.
  Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card bring used more than the maxumum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.
  You would need a computer to do it. Oh the horror.
6. Re:More like... by Razgorov+Prikazka · 2012-09-20 11:48 · Score: 5, Informative
  
  Link to the Powned (yes it is called powned:) clip: http://youtu.be/3izaITMDAYg (in Dutch)
  
  Transcript for the non-Dutch:
  <anchor guy> Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard without a problem. The responsible company reacted frivolously because the hack would show up in their systems, and the authorities would be alerted. In other words, keep calm and carry on. But that was before they saw this news-item.
  <Journalist 1> I can check in and out myself, simply by typing in the time that I want to be checked in, and upload it to the card. No signs in their back-office, this is undetectable.
  <anchor guy> Yes indeed, now the TLS-card can be hacked even without TLS getting to know about it. The chance that the identity of the fraudulent traveller is to be unveiled is as good as nil. And that is what the responsible company is finally - although not enthusiastically - admitting.
  <TLS spokes woman, Anita Hilhorst (to a journalist in a studio)>...At this moment our checks with detectors and inspectors do not show those transactions in our back-office,
  <journalist in the studio> yeah, when I the conductor checks me, his machine just says that I am checked in.
  <TLS spokes woman>...Yes...
  <journalist in the studio> So then I dont have a problem and you are completely ignorant about it.
  <TLS spokes woman>...then we cant see that ehhh ehhh in the transactions in our back-office
  <journalist in the studio> So at that moment I am untraceable, and you cant do anything against me.
  <TLS spokes woman> We aren't able to see that, no.
  <anchor guy> And so definitively the TLS-card dies. Costing 3.000.000.000,- Euro, and nothing. The minister is summoned for a debate before parliament to explain what he will do about it. And here is some more ammo for the ladies and gentlemen of the opposition; the software needed is, since yesterday, downloadable from bittorrent sites. Cracking the TLS-card is now in reach for your grandmother of 82 years old.
  <Jojanneke a.k.a. Pow-janneke> The cracking of the TLS-card is now made even simpler because the software is leaked to bittorrent sites, what does that mean?
  <journalist> It means that anyone can download this, and since it is a very simple crack I am not surprised that it is put in the open.
  <Jojanneke> This thing is also needed (hold up card reader), where to buy this? In a shop?
  <journalist> Yes, it is about three tenner's, so anyone can go ahead with a TLS-card.
  <Jojanneke> But can it be bought in a store?
  <journalist> Yes, or on-line if they aren't sold out yet.
  <Jojanneke> And we dont have to check in at the station, we can do this at home?
  <journalist> yes, that is quite simple to do (shows program how-to) and because you do this at home, you are invisible to the back-office. The conductor just checks whether the card has been checked in or not, and that data is transmitted to the system at the end of the day, but by then you already left the train.
  <Jojanneke> In other words, it is so simple even my grandmother can do this?
  <journalist> Even your grandmother can do this easily
  <anchor guy> Well and if this isnt bad enough, the hackers will present a new version tomorrow that will make it even more easy with new features like making mony with that card!
  <Jojanneke> Hackers are busy to speed up the process to keep it within 15 seconds, what does this mean if the succeed in that?
  <journalist> Well then it is so fast and easy that it becomes feasible to start a 'business' with that.
  <Jojanneke> So they can recharge a lot of cards in a short while.
  <journalist> Yes, you give me a tenner, and I put a hundred euro's worth of credit on it. And I have warned about this in the past that this might happen.
  <anchor guy> If by chance you are slightly handy with computers, TransLinkSystems is looking for a fraud-manager that can monitor the security measures of the cards, stress-resistance is a pre.
  
  Sorry for any mistakes made, but you'll get the message right?
  
  --
  rm -rf --no-preserve-root / ...and let /dev/null sort them out...
7. Re:More like... by Razgorov+Prikazka · 2012-09-20 11:53 · Score: 2
  
  No, not in English, but here is the vid: http://www.youtube.com/watch?v=lvbZ3nsFf0M
  
  --
  rm -rf --no-preserve-root / ...and let /dev/null sort them out...
8. Re:More like... by MrEricSir · 2012-09-20 12:02 · Score: 1
  
  How would anyone ever catch you?
  One of the examples in the article is San Francisco's Muni, a proof-of-payment system that has fargates only at major stations. So if you run into a fare inspector who asks to see your card you're pretty much fucked.
  
  --
  There's no -1 for "I don't get it."
9. Re:More like... by Anonymous Coward · 2012-09-20 13:53 · Score: 0
  
  Carry a second legit card that you never use.
10. Re:More like... by Macman408 · 2012-09-20 14:33 · Score: 2
  
  The terminals don't necessarily have live network access, but they do get updates periodically; for example, when the bus gets back to the bus barn, they plug it in to transfer data. Thus, if you add value to your card with a credit card online, within a few days, every terminal has been updated to know that they may need to increase the value stored on your card, if a different terminal hasn't already added that value. It would be trivially possible to make this a two-way conduit, if it isn't already - save the data from the card to the terminal (eg current balance, or whether a fare was deducted), and correlate all the data. For example, if the balance ever goes up, make sure that they added value somewhere (either online or at a terminal or retail store). The hard part would be figuring out who you are from the available records (CCTV, usage records, etc.), especially if you pay cash.
  That said, they probably won't care as long as only a few people are doing it. There have been much easier ways to game the system; for example, in the SF area, you could buy a card with $2 value, then use it for a ride that costs more than $2; the card allows a balance down to -$10, so you can get up to $12 from your $2 investment. Throw away the card with the negative value, buy a new one for your next trip, and repeat. Recently, they attempted to fix this by charging $3 for the card (in addition to any value you put on it), unless you also tie it to your credit card for automatic refills. I have no idea if this actually really fixes the problem or not - but they claim that such abuse was never rampant to begin with.
11. Re:More like... by snowraver1 · 2012-09-20 15:16 · Score: 1
  
  It's not the data processing, it's the data collection. How are you going to collect the data from presumably non-networked devices in a timely enough manner that you can use that data for card authentication?
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
12. Re:More like... by snowraver1 · 2012-09-20 15:24 · Score: 1
  
  No problem at all. You have a real card that has a positive balance. The fare inspector would read the card, the card would return information (presumably UID, Balance, Time of last use, and location of last use). All this information would be valid and would appear no different.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
13. Re:More like... by Anonymous Coward · 2012-09-20 15:25 · Score: 2, Interesting
  
  System abuse can be rampant. With the situation of The hard part would be figuring out who you are from the available records it is far easier to cancel the card and flag it as suspect. When the card is next used it doesn't work, triggers an alarm, and the card holder then gets to have a chat with an official about their card.
  Most systems don't care about the negative balance reaping. Giving a percentage credit for auto and remote payments tends to fix this problem for the most part. Then they can isolate the individual cases where it is costing them money, your $2 for a $12 ride is a good example, and determine if it is worthwhile cracking down on those.
  There is a new trick in Canberra. When you swipe your action bus prepaid card the machine makes a buzzing sound. Some kids have figured out that they can walk on the bus, hold a fried card to the reader making sure they obstruct line of sight of the driver, play the BEEP sound on their phone, and get on the bus for free. No need to swipe off.
  The system here initially allowed for 'change of mind', so what happens is that you swipe on and if you swipe off in less than 5 minutes it negates the charge. So, people were swiping on at the front and swiping off at the back door meter. Alternatively, the first person swipes on, hands their card to the next person, who swipes off 30 seconds later. Ahh, youth these days. So charming.
14. Re:More like... by snowraver1 · 2012-09-20 15:50 · Score: 1
  
  I see what you are saying, and that could definitely work. It's still after the fact though. What could you do with the data once you have it? You could flag the account, but then what? Make the bus driver confront them next time they try board a bus. Wait until a fare inspector wanders across them and then catch them? All for a $200 fine(or whatever it is)?
  
  They decided to cheap out and not have every device network enabled. That was a business decision. I would hope that the possibility of ticket fraud was discussed, and the risk of that was weighed against the cost of network enabling every ticket taker thing.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
15. Re:More like... by Anonymous Coward · 2012-09-20 16:05 · Score: 0
  
  Except the real card won't show a departure station on it.
16. Re:More like... by citizenr · 2012-09-20 16:25 · Score: 1
  
  ask NSA for help, they would love to (if they arent collecting it already)
  
  --
  Who logs in to gdm? Not I, said the duck.
17. Re:More like... by Anonymous Coward · 2012-09-20 16:31 · Score: 1
  
  That was my thought. Putting the balance for anything on the card itself is a terrible idea, unless you have no choice because readers won't be (reliably) connected to the larger infrastructure.
  I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.
  And that's exactly the normal scenario that most of these cards work under. Buses usually don't have net access all the time, for example. It's all done in batch jobs at the end of the day.
18. Re:More like... by Macman408 · 2012-09-20 16:34 · Score: 1
  
  I think in addition to the cost of making everything live all the time (not just the hardware, but also network access for tens of thousands of devices), it's also not possible to guarantee network access. There are places in the area where, due to mountains, even a cell signal is unreliable. Additionally, the system has to work without a network anyway, in case the wireless provider or server goes down, so it'd have to be a best-effort double-check that your card balance is correct. And if you do have network access, you have the same options that you do if you can trace a violation after-the-fact to a particular person; you could deny them boarding, write a citation, take them to court...
  But yeah, fixing the problem and preventing the fraud is the obvious best solution. It still wouldn't surprise me if they don't fix it, at least not any time soon, just because it's probably not going to be a huge cost. I'd expect them more to collect data to figure out how often it's happening, and if it's a significant problem, only then will they bother to find a solution.
19. Re:More like... by Anonymous Coward · 2012-09-20 18:10 · Score: 1
  
  Of course you collect the log files, though the proper term is "concentrate". I used to do architecture design work on these systems fifteen years ago, and it was known then that autonomous device fraud was effectively an "insoluble" problem. The only way to detect such fraud is after the fact. You need to record as much of the card state in the log as possible for each transaction, including the balance, and during the reconciliation phase with the log data, flag those cards that seem to be operating incorrectly (like with an unchanging balance). Flagged cards go into the blacklist and have to be brought in by the cardholder to be "fixed". In those pre-cheap-mobile days, log collection was done by hand, weeks apart in some of the more remote stations. And that was with the owned cards, the anonymous one-off tickets were even harder to keep track of.
  
  The point of smartcard fare systems is to reduce fraud, not eliminate it, mostly by adding the log capability, making forgery easier to identify. It was up to the transit operator to decide the priority of which forgeries they want to reduce, based on the distribution of ticket type usage, which our system made easier to determine as well. We had to be careful to price our systems so that the cost would be covered by the forgery reduction.
  
  Again, that was fifteen years ago, but I can't imagine the basic situation has changed all that much.
20. Re:More like... by Nikker · 2012-09-20 19:34 · Score: 1
  
  Many transit systems have live feeds via cellular for tracking. They could even sync only the repeat riders data at the station and on the road to keep low loads on the network. For subways I really don't see the issue in sending a hardline through the tunnel to connect various platforms. The issue of a secure hash is that the hash can be stolen as easily as the card can already be read. A person could go around trolling for hashes and be able to add those to his/her own.
  
  There will always be fraud when the system cannot fundamentally implement it.
  
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
21. Re:More like... by wonkey_monkey · 2012-09-20 20:01 · Score: 1
  
  Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard
  But they shouldn't worry their pretty little heads about it, because they can get a big strong man to do it for them.
  
  --
  systemd is Roko's Basilisk.
22. Re:More like... by reve_etrange · 2012-09-20 20:05 · Score: 1
  
  The system in San Francisco is called Clipper. Clipper has two classes of cards, registered and unregistered. The registered cards are associated to your name and an account in a web application (and can have monthly passes, auto-load, etc). But the unregistered cards are like cash. I think you can buy one with cash in, e.g. Walgreens.
  
  --
  .: Semper Absurda :.
23. Re:More like... by reve_etrange · 2012-09-20 20:10 · Score: 1
  
  That can't be true with the Clipper system (as it is known in the Bay Area) because balances and transfers (including between systems, e.g. BART to Muni from Daly City) work immediately. The devices are networked, but there are actually unregistered cards which are essentially equivalent to cash and can be bought with cash.
  
  --
  .: Semper Absurda :.
24. Re:More like... by reve_etrange · 2012-09-20 20:14 · Score: 1
  
  You would just show them your altered, "in-system" card. It would clear their reader because it cleared the fare gate. This would be with an unregistered Clipper card, naturally.
  
  --
  .: Semper Absurda :.
25. Re:More like... by war4peace · 2012-09-20 20:23 · Score: 1
  
  They are networked, allright. There's another reason why there's no action taken against the one-off offender: if the percentage of "pirates" is very very low (say, 1 in 10.000), it's simply not feasible to spend time and money to go after them. There's probably far more people who jump over the gates anyway.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
26. Re:More like... by Anonymous Coward · 2012-09-20 20:26 · Score: 0
  
  This! is why I stopped reading after the first sentence of that "anchor guy"
27. Re:More like... by Anonymous Coward · 2012-09-20 20:38 · Score: 0
  
  There are systems to detect these kind of frauds. It's one of the most basic checks really...so the next day, the "card" (loosely term) will be flagged as blacklisted.
  The main problem would be if you can generate the transactions in the system making it believe that there has been a "top up" and that would be much more difficult.
  People can check ITSO standards to see some examples.
28. Re:More like... by kasperd · 2012-09-21 00:24 · Score: 1
  
  These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files.
  If you are doing it systematically, you are probably travelling through the same place more than once. Each device could remember the most recent transaction number for recently seen cards. If it ever see a card with transaction number repeating or going backwards, it activates whatever alarm mechanism it has.
  
  Card ID and transaction number could be two 64 bit numbers. I guess 1GB of flash storage is probably cheap compared to the price of such a device. With that you could store the 64 million cards most recently seen by the device. Maybe cut that in half due to data structures for efficient access to the data. Even if the device was used once per second, it would still be sufficient storage to cover an entire year.
  
  --
  
  Do you care about the security of your wireless mouse?
29. Re:More like... by DrXym · 2012-09-21 00:39 · Score: 1
  
  How would anyone ever catch you?
  I don't know about this system, but use of NFC does not preclude ticket inspectors. The Dublin Luas for example has NFC cards for commuters. The card holds a cash value but the value is held centrally and the card is just some dumb RFID. There are special points at each station and you wave in before you board and you wave out when you disembark and the cost of the trip is deducted from your balance. There are no ticket barriers or gates so the system is enforced quite heavily by inspectors armed with portable readers who board randomly and check if people waved in or not.
  Tampering with the card isn't going to get you anywhere because the funds are held centrally. The only way you could ride for free is if you could clone someone else's card. The Luas is naturally a target rich environment so its not inconceivable that an NFC app could be developed that harvested nearby card ids. Then the fraudster could potentially check the balances out on station machine and produce cloned cards.
  They'd still have to clone the card and however it were done would still have to pass random inspection. I suppose if a card's RFID could be disabled and if you had some kind of weird ass wallet / phone holder you could put the dummy into the wallet next to a phone and the phone would spoof a response but it would be tricky and I'm sure if the fraud became popular the inspectors would quickly wise up and start removing cards for a closer look.
30. Re:More like... by kju · 2012-09-21 05:00 · Score: 1
  
  If you do such a stunt, always carry another paid-for ticket with you. By doing so many of the possible charges like riding without a ticket can not be applied.
  Even Fraud might be off the table because the fraud would normally be that you made the machine believe that you have a valid ticket. But in that case you have a valid ticket, so likely no Fraud (depends on the country and their laws).
31. Re:More like... by Anonymous Coward · 2012-09-21 05:58 · Score: 0
  
  Just a thought... What about expiration dates on cards? In Gothenburg, Sweden, the NFC smartcards become invalid after a few years. I'm not sure why it is like this, maybe it is to prevent customer support issues caused by wornout cards or whatever, but I'm thinking it might be because if a security issue is found, it can be fixed in newer cards and over time all unsecure cards will be invalid anyway (unless the expiration date is cracked as well). This will limit the damage of any unsecurity found in the cards.
  Who knows, just a theory.
32. Re:More like... by MrEricSir · 2012-09-21 09:28 · Score: 1
  
  The balance isn't what matters here, it's whether there's a valid ticket loaded onto the card.
  Now, you could probably find a way to write that info to the card, but if you could do that, you wouldn't need this phone hack in the first place!
  
  --
  There's no -1 for "I don't get it."
33. Re:More like... by Rich0 · 2012-09-22 04:27 · Score: 1
  
  You just collect the logs, and when you see a particular card serial being used for replay attacks you put it in a blacklist file. Then the next time it is used an alarm goes off and the user gets treated like somebody who jumps over the gate.
  I'm sure you could get a few replays out of a card safely, but that would be it.
  Now, if you just went for a 50% discount by cloning a card once or twice, or cloning it a bunch of times and passing it around but ditching the clones after a few days, then chances are you wouldn't be easy to catch unless that log analysis were highly automated and updates were sent out at least daily. That isn't actually that hard to do though - if the reader had WiFi and uploaded/downloaded updates any time it drove by a depot you could blacklist a card hours after it was cloned.
34. Re:More like... by Rich0 · 2012-09-22 04:29 · Score: 1
  
  Another note - replay attacks are preventable if you store some kind of index of card last-used dates or something similar on each terminal. That requires a sizable database, but you're talking probably less than 1GB to track every card used for a year or two. If a card had a last-update date before the date in the database then it has be replayed.
Vienna by AvitarX · 2012-09-20 10:22 · Score: 1

Their system is immune to this.
They simply stamp a piece of paper with a time, and about 5-10% of the cars have fare checkers. The fine is enough that it's not worth cheating (though I've done it when a youth and out of cash, but wanting to get home. I assume a crying American child that doesn't speak German traveling alone is not worth processing).

--
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
1. Re:Vienna by Anonymous Coward · 2012-09-20 10:28 · Score: 0
  
  I don't get what you're saying. You have a chipcard that indicates you paid the fare (which you did). When home you restore the chipcard back to "full", the way it was just before you paid. The next day you take your "brand new" card with you and pay again.
  Unfortunately the cards all have unique IDs, so the logs will be correlated and suspect transactions flagged.
2. Re:Vienna by Anonymous Coward · 2012-09-20 10:38 · Score: 0
  
  here in Queensland the fine is less than a months worth of travel ($250 fine, costs $280/month to go to work for a month) and it goes to a bulk fine clearing system that gives you an interest-free eternity to pay it off. So all you have to do is not get caught for a month and you're ahead, if you do, pay it off at $1/week :D
3. Re:Vienna by camperdave · 2012-09-20 11:47 · Score: 1
  
  They should force you to clean the busses for a month. You'd never do it again.
  
  --
  When our name is on the back of your car, we're behind you all the way!
4. Re:Vienna by GumphMaster · 2012-09-20 12:35 · Score: 1
  
  You can pay the fine for every day they manage to catch you. Makes it slightly less attractive if they can catch you twice in a month.
  
  --
  Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
Easy answer by girlintraining · 2012-09-20 10:28 · Score: 5, Insightful

I suppose the natural solution then would be to ban the app, possibly ban android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement does... rather than, I don't know, fix the problem with the cards?

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Easy answer by Anonymous Coward · 2012-09-20 10:42 · Score: 0
  
  You're right, it is natural for thieves to talk about their exploits. Let's just hope no banning of android NFC or other happens..
2. Re:Easy answer by Anonymous Coward · 2012-09-20 11:29 · Score: 0
  
  ban android phones with NFC capability
  Clearly, they need to be android, because Apple hasn't released any NFC capability yet on their phones.
3. Re:Easy answer by RyuuzakiTetsuya · 2012-09-20 11:33 · Score: 0
  
  Jesus.
  fucking.
  CHRIST.
  Prove it.
  You made this naked assertion. Prove it.
  
  --
  Non impediti ratione cogitationus.
4. Re:Easy answer by girlintraining · 2012-09-20 12:48 · Score: 0
  
  You made this naked assertion. Prove it.
  Jesus couldn't -- that's why the Jews are still waiting. I'm not sure what this has to do with NFC vulnerabilities though...
  
  --
  #fuckbeta #iamslashdot #dicemustdie
Long ago... by Anonymous Coward · 2012-09-20 10:28 · Score: 5, Informative

Back in the 80s they tried to introduce plain-clothes security officers on amsterdam trams to catch people who didn't pay for an honor-system ticket and got on anyway. The people of amsterdam had a referendum and votes that the officers had to wear unifroms, so that fare hoppers would have "a sporting chance" of running away when an inspector got on the tram.
1. Re:Long ago... by Anonymous Coward · 2012-09-20 10:32 · Score: 0, Informative
  
  Mod up parent as informative.
2. Re:Long ago... by Anonymous Coward · 2012-09-20 10:40 · Score: 0
  
  Mod up grandparent as awesome, I want to move to Amsterdam.
3. Re:Long ago... by Anonymous Coward · 2012-09-20 10:40 · Score: 0
  
  Not without a link, otherwise it's just 'Cool Story Bro'
4. Re:Long ago... by Anonymous Coward · 2012-09-20 10:41 · Score: 0
  
  That's AWESOME. What's the level of violent crime in Amsterdam anyways? It'd be hilarious if they were pulling in more revenue and paying less for law enforcement than the US and additionally dealing with less violent offenders.
5. Re:Long ago... by Anonymous Coward · 2012-09-20 11:12 · Score: 0
  
  This is slashdot. We are a citable source.
6. Re:Long ago... by Anonymous Coward · 2012-09-20 11:55 · Score: 0
  
  I don't think the vote was to let fare hoppers continue, I think it is for safety and security. It is too easy for a cop to be impersonated without a uniform and scam the system.
7. Re:Long ago... by garcia · 2012-09-20 15:21 · Score: 1
  
  Here in Minnesota MetroTransit officers come on the train regularly to check everyone's ticket/card to make sure they have a valid fare.
  Several times I observed people jump off the train once they saw the officers and they didn't even chase after them; instead, they continued to check and scan everyone else who actually had paid.
  I love paying the whopping $1.25 + tax dollars to fund this lovely operation only to be hassled by cops only to watch the douchebags run away free.
8. Re:Long ago... by Lehk228 · 2012-09-20 15:51 · Score: 2
  
  almost anyone stealing $1.25 rides is probably too hard up for cash to be worth pursuing, sending inspectors time to time keeps anyone who can afford the fare honest. how many tax dollars do you suggest spending incarcerating and feeding fare jumpers?
  
  --
  Snowden and Manning are heroes.
9. Re:Long ago... by Anonymous Coward · 2012-09-20 18:07 · Score: 0
  
  Bullets are way less that a buck.
10. Re:Long ago... by Anonymous Coward · 2012-09-20 20:15 · Score: 0
  
  Bullets are way less that a buck.
  Pffft... maybe the little ones are...
11. Re:Long ago... by Anonymous Coward · 2012-09-21 00:14 · Score: 0
  
  These guys are there to keep you honest, not people that are motivated enough to really work to evade the officers. If you wouldn't get checked, even the most straight laced people would stop paying " because nooone else is paying". Just a simple show of checking once a month is in most cases already enough to stop this from happening.
what "take advantage"? by holophrastic · 2012-09-20 10:32 · Score: 5, Insightful

That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.
So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not brinks trucks with armed guards.
Right.
High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.
1. Re:what "take advantage"? by zippthorne · 2012-09-20 10:40 · Score: 1
  
  But it's not exactly new tech to query a central server for each transaction wirelessly. They don't even need a cell agreement, they can have a node at each station - people only get on at the designated stops, after all.
  We're replacing slips of paper, sure, but shouldn't they be replaced with something better than slips of paper, rather than something that costs more than paper and has much greater chance for fraud?
  
  --
  Can you be Even More Awesome?!
2. Re:what "take advantage"? by Pinhedd · 2012-09-20 10:49 · Score: 1
  
  It's hard to have reliable network access to a central authority while moving on the ground. 3G/LTE services cut in and out at times even while standing still. Dropouts are amplified while on the move and connection quality is similarly degraded. To make matters worse, connection can be lost completely if the vehicle goes underground.
3. Re:what "take advantage"? by Anonymous Coward · 2012-09-20 10:56 · Score: 0
  
  It's hard to have reliable network access to a central authority while moving on the ground. 3G/LTE services cut in and out at times even while standing still. Dropouts are amplified while on the move and connection quality is similarly degraded. To make matters worse, connection can be lost completely if the vehicle goes underground.
  The way I understand DC to work, the busses operate offline, and can easily be scammed. But they record transactions and sync them later.
  Any cards found later to be out of sync get blacklisted and pop an alert if you ever use them in the metro.
4. Re:what "take advantage"? by AK+Marc · 2012-09-20 10:59 · Score: 1
  
  These are subways. They have wires and cables running to them that physically interconnect with the rest of the subway network. 3G/LTE on that would be silly. It's immobile, underground, and already wired.
  
  --
  Learn to love Alaska
5. Re:what "take advantage"? by Anonymous Coward · 2012-09-20 11:15 · Score: 1
  
  I don't live in the affected regions but unless they are retarded, the same card is also used on buses. Having a network connected node on each and every bus stop would be quite expensive.
  But having a reliable connection to a central system is not the only problem, it also need to have very low latency. Validaton must be instant. Flash the card while keep walking, don't stop moving unless there's a beep/red light/the gate doesn't open/etc. Even a second delay of "Authenticating..." for each traveller would be a BIG issue.
  Central authentication means you need network connected nodes (=more complex hardware = more expensive), you have more points that can fail (=less reliable, and a tram with disabled nodes for a couple of hours probably cost more money than quite a few freeloaders), and it will AT BEST be as fast as a decentralized system.
  And obviously, slips of paper might be more secure but have plenty of other problems. NFC just IS better in the end, despite worse secureity.
  Sometimes, security is just not the most important factor. There are no identities being stolen or privacy invaded, the transporters lose some cash but that is for sure a loss they include in the calculations when deciding what kind of tickets to use.
6. Re:what "take advantage"? by realityimpaired · 2012-09-20 11:22 · Score: 3, Informative
  
  Well, don't speak for the system being described in TFA, but I do know that my city (Ottawa, Canada) has been trying to replace the old bus pass/ticket/transfer system with an electronic system called Presto.
  With the Presto system, in theory, it communicates your card ID to a central server, debits the card, and records the last time you used it so that you can swipe it every time you get on, and it will be smart about whether it charges you (assuming you're not on a monthly pass). You can also buy extra money through an online portal, and you can set it up to automatically renew. That's how it's supposed to work, in theory.
  In practice, it's been delayed by a year due to "unforseen behaviour". Specifically, it occasionally double charges somebody when the wireless communication is spotty, sometimes it doesn't register the charge at all, and I've seen the readers on buses popping up error windows instead of the actual reader screen more often than not... presumably this error is also caused by lack of communication with the central server, if the text of the error message is anything to go by. I've also seen them pop up the Windows CE equivalent of a BSOD a couple of times, and at this point, even though they were supposed to be in full use/production by June of this year, they're turned off.
  Now, for a subway system, there's no excuse to be relying on wireless communications for the point of sale. The gates don't move, and you're running a wire to it for power anyway. But for something that does move, like, say, a bus or trolley car, they do have to rely on some kind of wireless network, and that may or may not be reliable depending on how the network is set up. They may have decided that going with something like cellular data was too expensive for the system, and have set it up to sync the logs by wifi when they get back to the shop. In a situation like that, it may make sense to have some writeable data on the card to sync with, like a floating balance.
  That being said, not having each card uniquely identifiable/trackable to catch this kind of thing is just silly... if you *are* going to have to leave some writeable data on the card, put a unique identifier in a non-programmable part of the memory, and have an automated system update the central database with your running balance at the end of the day... when the last value read by the card reader doesn't match what it should be in the database, blacklist the card have each unit pull the current blacklist as they leave the terminal for the day's route. It's not as if it would take a lot of data storage to keep a list of blacklisted serial numbers, and flash storage is cheap enough to include in every console.
7. Re:what "take advantage"? by holophrastic · 2012-09-20 12:03 · Score: 4, Insightful
  
  No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.
  On top of everything though, crime isn't the responsibility of the transportation department. If people are commiting fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.
8. Re:what "take advantage"? by Rinikusu · 2012-09-20 12:39 · Score: 2
  
  From what I can gather, here in LA, the fare reader just stores the information (the tap scans) and either at the end of the day, or end of the week, these logs are transferred and credited against the accounts that scanned through. I know when I put $20 on my card, it can be a week or more before I see the "balance" change even though I use it near daily. It seems fair enough for me and if someone scans through a low/zero fare card, sure, they might "get away with it" for a few rides, but they'll eventually have to pay up or try sneaking on via the back door like the other freeloaders.
  
  --
  If you were me, you'd be good lookin'. - six string samurai
9. Re:what "take advantage"? by neonmonk · 2012-09-20 14:30 · Score: 2
  
  It doesn't have to be instant. It just needs to be able to invalidate cards. Card stores amount of money it has, which the reader then sends back to the system for verification. If said cards numbers don't match, card gets banned. Message gets sent to every scanner to ring a klaxon and take a photo if said card gets swiped. I'm sure it's not too difficult to store card id numbers on all the readers.
  There's more than one way to solve this problem.
10. Re:what "take advantage"? by SocratesJedi · 2012-09-20 15:40 · Score: 1
  
  Central authentication is probably overkill. Most travelers probably embark at the same handful of stations every time. I imagine that if fare cards were set up to store metadata plus an HMAC (to prevent tampering with the payload) and stations configured to alarm if the same metadata was ever seen twice locally, at that station, that it would eliminate most fraud. Under that scheme any given card-payload could only be used once per station. (And, n.b. that the inclusion of a HMAC prevents arbitrary card payload choice, since only the station authority can issue a valid HMAC for a given metadata payload).
  
  I guess attackers could still swap known-valid metadata+payload information online to use at multiple stations, but at that point the cost of simply allowing the tiny fraction of abusers to win is probably less than the cost of building out a bunch of infrastructure.
11. Re:what "take advantage"? by brantondaveperson · 2012-09-20 16:04 · Score: 2
  
  Oyster Cards
  This is what they use in London. They work on trains and buses, and work reliably and efficiently. They seem to work in exactly the way you suggest, as not 100% bulletproof security but only good enough.
  I think the balance is stored on the card, but all transactions are sent through to a central authority, which would certainly be able to detect any fraud and disable cards found to be behaving suspiciously. Or, more likely, have the ubiquitous CCTC cameras in London identify those using fraudulent cards and presumably punish them appropriately.
12. Re:what "take advantage"? by Anonymous Coward · 2012-09-20 18:46 · Score: 0
  
  I worked on that presto system...and I will just hahahaha to it.
  But I am a bit surprised that even the readers are that unstable. These systems are old tech deployed a bit everywhere in the world ( Denmark, Netherlands, HK, NZ etc to name a few ) on the other side...it's always developed back almost from the ground up. You will be pleased to learn that it was developed in China :D
13. Re:what "take advantage"? by Nikker · 2012-09-20 20:04 · Score: 1
  
  Maybe a simple blinking LED would be all they really need.
  
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
14. Re:what "take advantage"? by zippthorne · 2012-09-21 13:56 · Score: 1
  
  You don't even need the klaxon and camera. Just record the transaction like normal and deduct the balance from the account when the transactions are sent to the central server. Then keep a record of negative balance accounts and sync the list on each bus/train when they return to the station.
  In case someone goes negative balance and tops off the same day, sign the balance with the time each time it's updated, and accept cards with positive balances whose update time is fresher than the expiry list sync time.
  If you sync even as little as four times a day, there's only a small window of opportunity for a replay attack to work, and only so much theft of services that can occur within such a window.
  
  --
  Can you be Even More Awesome?!
Balance on the card? by Nethemas+the+Great · 2012-09-20 10:40 · Score: 4, Insightful

Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

--
Two of my imaginary friends reproduced once ... with negative results.
1. Re:Balance on the card? by swillden · 2012-09-20 11:27 · Score: 5, Interesting
  
  Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?
  There are lots of reasons that you might want to store the balance on the card. Increased reliability in the face of network outages, improved performance by eliminating the need for a network round trip and a database query, the ability to deploy in environments without network access at all, the ability to cross incompatible system boundaries... and many more.
  Further, if you do it right, there's no reason not to store the balance on the card. Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security. They can perform cryptographic operations to authenticate the commands they're given, and they can make decisions about whether or not they're going to honor the commands based on authentication and on the content of the request and its context (to the degree that they're aware of context).
  But building smart card systems is hard, and making them secure adds another layer of complexity and frustration when things just don't work because the damned card keeps rejecting your -- you believe -- properly authenticated and formatted commands. It's normal for the early stages of development to disable security for ease of development and testing... and it's unfortunately pretty common for security to be left off, or at least not thoroughly validated, for deployment. And it mostly works, because contactless smart card readers are relatively rare -- they're not expensive, mind you, haven't been for many years, but they have been uncommon. Except now there's one embedded in every one of an increasing number of high-end smartphone models.
  This isn't a fundamental architectural flaw, it's either a detailed design flaw or (very likely) a straight up implementation error. Most likely caused by simple laziness and incompetence (granted that finding competent people in this area of technology isn't trivial, and self-education is a multi-year process).
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
2. Re:Balance on the card? by Anonymous Coward · 2012-09-20 12:09 · Score: 0
  
  Because in the US, you run into patents as soon as you do something non-stupid involving technology. I once worked for a foreign company making access-control systems, and on entering the US market, we were immediately sued for violating a patent on storing access data remotely rather than on the card, and the company suing did not want to share its technology at any price. We had the option of compromising security on our systems like everyone else selling access control in the US except this one company, or withdrawing from the US market. We chose the latter.
3. Re:Balance on the card? by Nemyst · 2012-09-20 12:47 · Score: 1
  
  At least around here (can't say about SF or other cities, but I'm assuming it's similar), they're being incredibly slow with merely installing subterranean antennas so that cellphones can get a signal in the subway. Replacing all the card scanners (and all the cards!) currently in use with wireless or wired ones would be non-trivial for an efficient organization, so I'm assuming it's just about impossible for the average transportation authority.
  However, that doesn't mean nothing can be done about it. Just need to have proper encryption, possibly partly on the card itself. Then it just becomes a cat and mouse game between hackers and organizations, as is the case for just about anything end-users can get their hands on.
4. Re:Balance on the card? by Anonymous Coward · 2012-09-20 13:48 · Score: 0
  
  Crypto sign the authentication information?
5. Re:Balance on the card? by tlhIngan · 2012-09-20 17:12 · Score: 1
  
  Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?
  Perhaps, but you can program them to store a serial number AND a rewritable fare value. And be a "treat it like cash" thing - lose it, you lost its value.
  What you have is a central database of ID numbers and their values. When a faregate reads the card, it tries to contact the server. If it succeeds in a few seconds, great, it writes the updated value to the card and you go. If the server doesn't respond (too busy or perhaps it's down), you read the value off the card, deduct, write the new value back, and log the ID number for later reconciliation. When the server comes back, the ID numbers are then taken and values updated.
  If the user rewrites the value, the next time the faregate manages to contact the server, the proper value is rewritten back.
  User will have lots of free trips while the server is down (which can be blacklisted later) but once it comes up, the balance is made to re-agree. If they scored a few extra trips, well, good for them - but that card will be blocked if they try it and the server is contacted.
  Heck, during rush hour, the server can load shed - perhaps ignore N out of every 10 transactions, so it stays speedy and remains up, performing the transactions during the less busy times.
  So you get some free rides, but you may not know if you'll get lucky (other than when the entire system goes down and everyone's using stored balance only).
  Heck, do it right and you can incorporate transfers in at the same time - each trip bills through (in stored value mode - in server mode it'll just deduct $0), but when timestamps are reconciled, extra charges merely get credited back the next time you swipe.
6. Re:Balance on the card? by Dr_Barnowl · 2012-09-20 20:38 · Score: 1
  
  Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security.
  I think that's an optimistic statement..
  
  "The security of MIFARE Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design."
  That's a quote in response to the use of Mifare Classic in the Transport for London Oyster card ; they've since upgraded to the MIFARE DESFire mode. When I was last involved in the smartcard industry you could break one in a few hours with a Pentium 4, even if you implemented it properly. These days the Classic has been broken comprehensively. Apparently the DESFire is broken too.
  The paper states these cards are MIFARE Ultralight. Unless they are the "C" model (and it doesn't sound like they are), they have zero cryptographic protection, unlike the Classic which at least has a tiny 48-bit key. It's main advantage is that it's cheap. And that may have been a valid design choice at the time ; the cost of more expensive chips was probably not worth it when reprogramming these cards required specialized equipment, but the march of progress now means that all the cool kids are getting the equipment they need to do this hack free with their smartphone, ironically because the powers that be wanted to make it easier for them to spend their money.
7. Re:Balance on the card? by Anonymous Coward · 2012-09-21 04:00 · Score: 0
  
  If we look at how TFL (London) operates with Oyster, they know the system is insecure as they're using Mifare classic. Finding out the encryption key is trivial, so changing the balance is also not a hard hack. However they have dedicated fraud teams who work off automated analysis.
  A recent documentary on the tube showed one of these teams checking up on an exploit where you don't get charged if you touch out after touching back in, so these teams defiantly exist.
  Back to the point that finding those altering their card balance will be a trivial task, enforcing against a few balance cheats is a cost far less than upgrading their systems for a more secure card. It is actually quite reasonable to take the card as vulnerable and do post analysis as with TFL they're fully equipped with cameras for security theatre.
  How this applies to our cousins is out of my knowledge, just depends on their auditing.
8. Re:Balance on the card? by swillden · 2012-09-21 08:16 · Score: 1
  
  You basically just confirmed my argument, except that the implementation error lay in the choice of chip technology. Yes, old MIFARE sucked (and everyone always knew it, even when it wasn't old), but there are lots of other options, many of them very inexpensive, and for reusable cards the price doesn't really have to be that low anyway -- so what if the card costs 75 cents, or even a dollar or two? Raise fare prices by a tiny amount, then offer small discounts for loading reusable cards, and make the consumer buy the card. It's worked in many systems around the world.
  As I said, there's nothing wrong with storing the balance on the card... you just have to do it right, which includes buying the right cards and using their capabilities -- and validating that you actually are.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Re:Where can I.. by EGSonikku · 2012-09-20 10:40 · Score: 3, Funny

http://fbi.gov/

--
- "Scientia non habet inimicum nisp ignorantem"
Lock and Key by Anonymous Coward · 2012-09-20 10:41 · Score: 0

Every key has a lock. There should be a central bookkeeping server that counts how many fares were used, or the expires timestamp. Otherwise, the smartcard isn't a key; it's a crowbar!
Re:Where can I.. by Anonymous Coward · 2012-09-20 10:45 · Score: 0

I called them up, and they seem to have no clue what UltraReset is.
same cards are used on the bus by Joe_Dragon · 2012-09-20 11:08 · Score: 1

same cards are used on the bus and the bus is not wired to network.
1. Re:same cards are used on the bus by MachDelta · 2012-09-20 12:30 · Score: 1
  
  Actually some buses are. They have a GPS receiver and some kind of wireless uplink (probably cellular), so that riders can view a (near) real-time map on their phone/tablet/laptop/etc. and see when their ride is going to arrive. It's quite handy.
2. Re:same cards are used on the bus by AK+Marc · 2012-09-20 12:42 · Score: 1
  
  I don't disagree. But those comments are off topic when discussing riding the subway for free.
  
  --
  Learn to love Alaska
3. Re:same cards are used on the bus by Anonymous Coward · 2012-09-20 16:40 · Score: 0
  
  Virtually no one is building these card systems and only planning on using them for one mode of transit. Here in Seattle it's the same card for buses, light rail, heavy rail, ferries, water taxis, and who knows what else - and it's the same idea all around the world.
  The only constant is that the name of the system, if it's implemented correctly, has to start with O and it needs to be aquatic. Orca (Puget Sound/Seattle), Oyster (London), Octopus (Hong Kong), etc. :-).
4. Re:same cards are used on the bus by vovin · 2012-09-20 20:14 · Score: 1
  
  In Hong Kong you can use the Octopus for most convenience and grocery stores as well. Room for serious abuse there. Yikes.
buses don't have a 100% live link by Joe_Dragon · 2012-09-20 11:09 · Score: 3, Informative

buses don't have a 100% live link
1. Re:buses don't have a 100% live link by Velex · 2012-09-20 11:11 · Score: 1
  
  Why does the link need to be 100% live? Wouldn't 3G do? I'm assuming a bus implies a metro area.
  
  --
  Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
2. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 11:12 · Score: 1
  
  In the San Fransisco Bay Area they do!
3. Re:buses don't have a 100% live link by Nethemas+the+Great · 2012-09-20 11:16 · Score: 1
  
  That's not the fault of available technology. In most metro areas that I've been in every taxi cab is capable of conducting live credit transactions. The only requirement to enable such things is a cellular link which should of course be universally available within the area in which public transportation operates.
  
  --
  Two of my imaginary friends reproduced once ... with negative results.
4. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 11:20 · Score: 1
  
  Hell, some buses even provide a wifi access point (served though Clear's 4G network)
5. Re:buses don't have a 100% live link by eepok · 2012-09-20 11:23 · Score: 2
  
  Expense. Taxis have live links because they're profit-generating. A trip in a taxi is charged per mile and at a major premium. Bus fare is deficit-minimizing and offers the opportunity to to travel very long distances for very little cost.
  Subways and light rail, though, can be different. Some charge per boarding while others charge per the distance between boarding and exiting.
  Also, consider what would happen if cellular service was unavailable. You'd have to create a charge-caching system and then do bulk transactions when reception is found.
  Live transactions are a bit more complex than "$1.50 from the amount on this card."
6. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 11:31 · Score: 0
  
  3G has worse latency (compared to a disconnected system) and not reliable enough. Also, network access makes nodes more expensive and adds several points that can fail.
  Also remember that the only entity that benefits from higher security is the entity that has to pay for the security.
7. Re:buses don't have a 100% live link by Idbar · 2012-09-20 11:37 · Score: 2
  
  So you want to replace a card with stored balance, with a whole wireless network infrastructure that would considerably increase fares.
  
  Honestly, I think a better solution is to have unique ticket identifiers (that don't follow sequences of course), carry the current balance on the card, but update the balance when the bus is near a paying station or in the parking lot (during shift change). At some point, you can actually invalidate the cards that seem fraudulent due to updates with similar values.
8. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 11:37 · Score: 0
  
  But those payment systems aren't really lightning fast... In my experience these always takes at least several seconds to authenticate, that's completely unacceptable for a mass transit system.
9. Re:buses don't have a 100% live link by interval1066 · 2012-09-20 12:13 · Score: 1
  
  Obviously is a network latency/congestion issue. A LOT of people ride these systems, currently, when you scan a (for example) Bart "Clipper" card the turnstile "beeps" immediately, inducing the card to update its current balance. I can't imagine the latency involved in using a network/centralized solution, but I can imagine the groans as thousands of bay area commuters wait for the turstile to beep after they wave their Clipper cards at the readers, waiting for the central office to send the current balance to the card...
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
10. Re:buses don't have a 100% live link by Barbarian · 2012-09-20 12:17 · Score: 1
  
  So store it on the card, and record it on the buses computer. Download the bus whenever it returns to the depot. Update the balance nightly from on a database. Flag cards that come back with a discrepancy at recharge time. If a card has a negative balance (i.e. tampered or spoofed), blacklist it. download the blacklist to the bus regularly.
  Wait, I should patent that. Method and apparatus for a tamper resistant NFC fare card system.
11. Re:buses don't have a 100% live link by starblazer · 2012-09-20 12:55 · Score: 2
  
  Considering hundreds of thousands of cars make it through an iPASS system in Illinois... the delay wouldn't be so bad.
  Let's put it this way, iPass reads the transponder, checks the balance, and then flashes a light notifying you of the result in less than a second. The speed limit through those lanes are normally 15 mph but can get as high as 35 and they still read perfectly. The open road tolling doesn't notify you via light but there are plenty of stations still out there that have the light.
  The system has to be designed intelligently.... it can be done!
12. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 13:45 · Score: 0
  
  We have e-tolls in Melbourne Australia on 100km/hr(60mph?) roads. No booths or anything. Just a loud beep when you go through.
  They also do number-plate recognition for those without an "e-tag". If you don't pay your toll (within 4 days if you don't have an eTag) you get fined.
  Obviously people can cover their numberplates, but this is easily detected by the next police car that sees you.
  (laughably however motorcyclists can use their leg to cover a number plate which of course can easily be uncovered during travel!)
13. Re:buses don't have a 100% live link by Joe_Dragon · 2012-09-20 14:43 · Score: 1
  
  Ipass is fixed in place and pre reads the transponder. Also you need to try harder it works at 70+
14. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-20 20:32 · Score: 0
  
  You've just described every transit system I am familiar with. Particularly, NYC does the updates every 6 minutes and Seattle does the updates once a day, both update blacklists for any cards with false balances at that time.
15. Re:buses don't have a 100% live link by Anonymous Coward · 2012-09-21 02:15 · Score: 0
  
  Why not just do it like this: Every morning before the busses roll out, they synchronize a complete list of every card's balance before they leave the depot. Any card swiped is checked against the bus' internal cache. If the card has more than $MIN on it, it is accepted onto the bus, and the use is recorded into the bus' cache. If the card has less than $MIN on it, it is "borderline", and the system connects to a central database via 3G or whatever, depending on the remoteness of the bus stop. This guarantees that people can get on even if they topped up their card after the last database synchronization. The $MIN value can be adjusted to make sure that people can't overdraw their cards to get free rides when it's close to empty. If $MIN is low enough, most swipes will go to the internal cache, and if $MIN is high enough you can't (efficiently) get free rides on a near-empty card.
  You could also do periodic 3G synchronization with the same system as above, or do WLAN-based synchronization at selects stops.
16. Re:buses don't have a 100% live link by sys_mast · 2012-09-21 05:22 · Score: 1
  
  You'd be surprised that some city buses do have live links. (well limits of cellular data of course) GPS reporting of location to home base and other data.
  I don't see why transactions couldn't be live, and in the case of a data link down (big tree/building) just cache the transaction and upload results when link is back up.
  It would be smart that there be enough storage to cache the entire day, so if the antenna gets broken off the bus can still run.
  The flaw would be that when there is no data there is no way to validate the account has money, but that would be the rare exception. I guess someone could plot out what pickup points had poor/no cell service, or use a cell jammer, but that's taking this to a whole new level.
  
  --
  Those who can, do.
Re:Where can I.. by Capt.DrumkenBum · 2012-09-20 11:09 · Score: 2

I called them up, and they seem to have no clue what UltraReset is.
That is strange. When I called them up, they offered to bring me a copy and show me how to install it on my phone. They changed their minds when I told them I lived in Canada.

--
If I were God, wouldn't I protect my churches from acts of me?
Not that hard, really by Taco+Cowboy · 2012-09-20 12:23 · Score: 2

I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.
Actually it's not that hard to catch those who use card with bogus amount

In a lot of cities, cctv cameras have been set up in mass transit system, in buses, trams and subway trains.

If the authority really wants to find out who are using bogus cards, they could compare the time stamp on the "embarking scan" with the time stamp on the CCTV to identify which person is using bogus cards.

Of course, catching the person only once is in itself not enough to convict the person. But, if the authority is able to proof that the same person has been using bogus card to get multiple free-rides mass transit system, they should have no difficulty to haul in that individual to the court.

Do not forget that we are living in the age of BIG BROTHER.

--
Muchas Gracias, Señor Edward Snowden !
1. Re:Not that hard, really by Anonymous Coward · 2012-09-20 12:58 · Score: 1
  
  "I found the card on the ground, prove that I didn't"
2. Re:Not that hard, really by nedlohs · 2012-09-20 13:06 · Score: 4, Funny
  
  "Here you are caught by security camera A231763 purchasing said ticket at a vending machine. And we know it is that ticket because as you can see a simple uncrop and we can see the serial number reflected in that window which is reflected in that water drop which is reflected on that man's hat."
3. Re:Not that hard, really by Anonymous Coward · 2012-09-20 14:03 · Score: 1
  
  And I'm sure they'll be willing to go through weeks or months worth of footage at every single kiosk at every single station just to be able to do that, only to find that your face was concealed or someone else bought the ticket.
4. Re:Not that hard, really by Anonymous Coward · 2012-09-20 17:12 · Score: 1
  
  jesus christ you americans watch to much tv
5. Re:Not that hard, really by Anonymous Coward · 2012-09-20 18:00 · Score: 0
  
  Once the image gas been "ENHANCE!"d several times, of course!
6. Re:Not that hard, really by reve_etrange · 2012-09-20 20:07 · Score: 1
  
  I dunno about the other cities, but we are talking about BART here. There is no way they are going to get you with their alleged CCTV system.
  
  --
  .: Semper Absurda :.
7. Re:Not that hard, really by nedlohs · 2012-09-21 02:28 · Score: 1
  
  Because the serial number of ticket wouldn't give them a near instant lookup of which machine sold it and at what time or anything.
  And of course I was also being completely serious with the uncropping and all.
8. Re:Not that hard, really by cayenne8 · 2012-09-21 02:34 · Score: 1
  
  Well, just wear one of those high powered infrared LED hats that block out your face from cctv...and voila...they can't see who it is when the search through all that video footage...
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
9. Re:Not that hard, really by Anonymous Coward · 2012-09-21 03:44 · Score: 0
  
  That's looks comfortable.
  Also, bitches must go crazy for you.
10. Re:Not that hard, really by Anonymous Coward · 2012-09-21 15:17 · Score: 0
  
  Because the serial number would be impossible to change even though you can already alter the data on the ticket.
  
  How do I know you aren't stupid enough to believe your own camera story? You certainly seem gullible enough.
11. Re:Not that hard, really by sumdumass · 2012-09-21 22:21 · Score: 1
  
  They wouldn't need to do that for several reasons. One, the card's serial number will be logged so all they would have to do is parse the logs and find the time and machine is was purchased from. Then all they need to do is pull the relevant footage from the area near the time. Of course that is assuming they keep records of what cards go into what kiosks and how much was purchased on them for their accounting so a: the cards actually end up in a machine and b: the money put into the machine doesn't end up in the pocket of whoever collects said money from the machines.
  Another reason they might not need to do that is because once they accuse you, they will raid your apartment and look through the belongings you have on you. If at any time they find equipment and or software that could reset these cards, you will be busted.
  I know a guy who moved into a home he rented on 80 some acres of wooded land. 3 days after moving in, he decided to explore the woodland a bit. He wandered down a few deer trailed and noticed a couple pot plants. He started to move towards them and out jumped a bunch of cops dresses in black and camouflage. They searched his home and found a bag of weed and a film canister with about 10 seeds in it that he picked out of a fat bud a couple days before. Despite the fact that the plants growing were at least 3-4 months old and the cops had been sitting on them for over a week trying to catch whoever was tending them (probably the old tenant who left moved out the previous month for whatever reason), the seeds in the canister was enough to bust him on cultivating marijuana charges.
  At that time (mid 90's), growing and dealing were covered by the same statutes and because they weighed the plants green with whatever dirt came out of the ground with them, he was over the federal bulk amount making it a felony worth 18 months in prison that he was charged and convicted of. His lawyer was convinced that going for a plea deal working off the fact that he had never been in trouble before was better then attempting to deny ownership of the plants based on them being older then him ever being on the property because the seeds and some potting soil that was on a back porch when he moved in was strong enough to support the connection to the cultivation charge. He was sentenced to 8 months but got released after 2 with 5 years parole/probation because of some clerical error in the recording of the verdict but had to endure 2 1/2 years of the cops pissing with him every time he turned around near them. He eventually moved to another county and was never bothered again except when reporting to his parole officer.
12. Re:Not that hard, really by nedlohs · 2012-09-22 10:35 · Score: 1
  
  The printed serial number isn't part of the modifiable data.
  Because it's an obvious reference.
Not in Philadelphia by tirerim · 2012-09-20 12:26 · Score: 2

Nice try, there's no chance this would work in Philadelphia -- they're still using tokens. (And magstripe for monthly/weekly passes, but definitely no NFC.)
and the non subway / EL system is on hole punch by Anonymous Coward · 2012-09-20 12:44 · Score: 0

and the non subway / EL system is still on the hole punch system.
on the chain gang at $0.13 A HOUR by Anonymous Coward · 2012-09-20 12:48 · Score: 0

on the chain gang at $0.13 A HOUR
Yeah, that's great, but... by Anonymous Coward · 2012-09-20 14:19 · Score: 1

The subway system designers aren't quite that stupid.
1. Every card has a non-alterable (for practical purposes) serial number.
2. The systems almost certainly log entrances/exits/charge transactions.
I don't know the details of every system world-wide, but even in here in Japan where the train pass cards are heavily encrypted and basically haven't been broken, they still perform audits.
The card is fast because all activity takes place on the card (not a remote database), but the results are still tracked and written to the remote database for auditing. Any card that repeatedly has strange transactions will be blocked by its serial number. The blacklist is sent out to the turnstiles, etc. from the central server, and they will deny use of the card.
Not to mention, you face a serious risk of jail time for saving only a small amount of money.
1. Re:Yeah, that's great, but... by Dr_Barnowl · 2012-09-20 20:49 · Score: 1
  
  These cards are MIFARE Ultralights ; they are a simple, 64-byte memory container. You don't need ANY crypto ability ; you read the data off, you write the data on.
  Log processing occurs overnight in these systems. Even if the card has a read-only identifier, they're designed to be cheap, so you just discard it after one days use.
  The technical aspects of these are not really what makes it notable enough for an information security conference. What makes it notable is that the transport authorities concerned are behind the times.
  It may have been a sensible design decision when the system was created - when the equipment required was not ubiquitous, the marginal cost of N x a-better-chip may have been greater than the amount of fraud perpetrated by a few niche technical types. Security is not about perfection, it's about making it uneconomical to break the security for the rewards of doing so.
  But now they're handing out NFC units in phones - ironically, as a means to help you spend your money more easily - the cost of breaking this is reduced to the download of an app.
Chicago by Anonymous Coward · 2012-09-20 14:35 · Score: 0

Chicago is using a touch and go system. It's definitely an RFID system.
Don't believe it would be vulnerable to this specific attack, don't have a card or NFC phone to see if it reads anything from the card.
Random Checks by Anonymous Coward · 2012-09-20 14:44 · Score: 1

Random checks! Like many cities now (strangely, this doesn't include NYC), we're using a similar system. With these smart cards, came random checks, something we never had before with those magnetic paper tickets. Subway cops will randomly ask for your card so they can check on some kind of PDA and I'm pretty sure they can easily differentiate between something that looks like a credit card and a phone.
1. Re:Random Checks by snowraver1 · 2012-09-20 15:18 · Score: 2
  
  I believe that you use the NFC chip on the phone to program the card. The story speaks of efuses that aren't being used, so that would support that the phone programs the card.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
2. Re:Random Checks by Anonymous Coward · 2012-09-20 20:27 · Score: 0
  
  NYC syncs the system every 6 minutes (as of several years ago when I last read a security analysis of the MetroCard, they may have improved their security since then). That means that at best if you are coordinated, you can use the faked mag stripes all within the same 6 minute window at different subway stops / buses, but then the card ID will be blacklisted and you will need a new card ID. Realistically, this means that the attack simply isn't worth it at any scale large enough for the MTA care about.
NSFW!!!! by Anonymous Coward · 2012-09-20 19:30 · Score: 0

That site..... there are all sorts of females on the first page. Come on. NSFW.
OOOh, GOOD one! by SmallFurryCreature · 2012-09-20 20:23 · Score: 1

Nothing works as well at convincing the general public of the evil of BIG BROTHER then showcasing a scenario were a criminal defrauding not just the system but the general paying public (who are subsidizing the fair dodgers) with no hassle to them.
Please, next give me a tale of how the evils of drinking will cause me to life longer, score with women and advance my career!

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Sneakernet by kasperd · 2012-09-21 00:06 · Score: 1

How are you going to collect the data from presumably non-networked devices in a timely enough manner that you can use that data for card authentication?
How about a sneakernet? Each card could contain space for the accounting data plus additional space for an encrypted version of a dozen of unrelated transactions. Now just get network to a few of the devices for collection.

As you travel around the system you are unknowingly carrying encrypted transaction data from the devices with no network connection to the few devices that do have. As well as carrying receipt acknowledgements back to the devices without network connection. It won't help to wipe these off the card, because you will be wiping somebody else's transactions. Your own forged transactions will be carried back to the network by some random other person using the same device at a later time.

--

Do you care about the security of your wireless mouse?
Philadelphia is safe by snarfies · 2012-09-21 02:12 · Score: 1

...well, as safe as Philadelphia gets, anyhow.
Philadelphia's SEPTA passes are all flat-rate. A weekly transpass costs $22.00, and lets you take unlimited subway rides, as well as unlimited rides on all busses within city limits. So, there is no amount to reset.
This is the Oyster Card Hack from 2008... by RealGene · 2012-09-21 03:11 · Score: 1

..just using a phone instead of a laptop, and built-in NFC instead of an RFID reader.
http://www.pcpro.co.uk/news/207966/oyster-hackers-roam-london-for-free

--
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.