Another EUSecWest NFC Trick: Ride the Subway For Free

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

Easy answer

[girlintraining]

I suppose the natural solution then would be to ban the app, possibly ban android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement does... rather than, I don't know, fix the problem with the cards?

what "take advantage"?

[holophrastic]

That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not brinks trucks with armed guards.

Right.

High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.