Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another EUSecWest NFC Trick: Ride the Subway For Free

Posted by timothy on from the she's-got-a-ticket-to-ride dept.

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

5 of 135 comments (clear)

  1. More like... by Bill+Hayden · · Score: 1, Insightful

    ...ride in a police car for free.

    --
    Protect your browser with the Force Safe Search add-on
  2. Easy answer by girlintraining · · Score: 5, Insightful

    I suppose the natural solution then would be to ban the app, possibly ban android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement does... rather than, I don't know, fix the problem with the cards?

    --
    #fuckbeta #iamslashdot #dicemustdie
  3. what "take advantage"? by holophrastic · · Score: 5, Insightful

    That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

    So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not brinks trucks with armed guards.

    Right.

    High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.

    1. Re:what "take advantage"? by holophrastic · · Score: 4, Insightful

      No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.

      On top of everything though, crime isn't the responsibility of the transportation department. If people are commiting fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.

  4. Balance on the card? by Nethemas+the+Great · · Score: 4, Insightful

    Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

    --
    Two of my imaginary friends reproduced once ... with negative results.