Slashdot Mirror


Another EUSecWest NFC Trick: Ride the Subway For Free

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

28 of 135 comments

  1. Re:More like... by snowraver1 · · Score: 4, Interesting

    How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.

    Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card being used more than the maximum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  2. Easy answer by girlintraining · · Score: 5, Insightful

    I suppose the natural solution then would be to ban the app, possibly ban Android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement do... rather than, I don't know, fix the problem with the cards?

    --
    #fuckbeta #iamslashdot #dicemustdie
  3. Long ago... by Anonymous Coward · · Score: 5, Informative

    Back in the 80s they tried to introduce plain-clothes security officers on Amsterdam trams to catch people who didn't pay for an honor-system ticket and got on anyway. The people of Amsterdam had a referendum and voted that the officers had to wear uniforms, so that fare hoppers would have "a sporting chance" of running away when an inspector got on the tram.

    1. Re:Long ago... by Lehk228 · · Score: 2

      Almost anyone stealing $1.25 rides is probably too hard up for cash to be worth pursuing; sending inspectors from time to time keeps anyone who can afford the fare honest. How many tax dollars do you suggest spending incarcerating and feeding fare jumpers?

      --
      Snowden and Manning are heroes.
  4. Re:More like... by SomePgmr · · Score: 2

    That was my thought. Putting the balance for anything on the card itself is a terrible idea, unless you have no choice because readers won't be (reliably) connected to the larger infrastructure.

    I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.

  5. what "take advantage"? by holophrastic · · Score: 5, Insightful

    That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

    So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not brinks trucks with armed guards.

    Right.

    High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.

    1. Re:what "take advantage"? by realityimpaired · · Score: 3, Informative

      Well, I can't speak for the system being described in TFA, but I do know that my city (Ottawa, Canada) has been trying to replace the old bus pass/ticket/transfer system with an electronic system called Presto.

      With the Presto system, in theory, it communicates your card ID to a central server, debits the card, and records the last time you used it so that you can swipe it every time you get on, and it will be smart about whether it charges you (assuming you're not on a monthly pass). You can also buy extra money through an online portal, and you can set it up to automatically renew. That's how it's supposed to work, in theory.

      In practice, it's been delayed by a year due to "unforeseen behaviour". Specifically, it occasionally double charges somebody when the wireless communication is spotty, sometimes it doesn't register the charge at all, and I've seen the readers on buses popping up error windows instead of the actual reader screen more often than not... presumably this error is also caused by lack of communication with the central server, if the text of the error message is anything to go by. I've also seen them pop up the Windows CE equivalent of a BSOD a couple of times, and at this point, even though they were supposed to be in full use/production by June of this year, they're turned off.

      Now, for a subway system, there's no excuse to be relying on wireless communications for the point of sale. The gates don't move, and you're running a wire to it for power anyway. But for something that does move, like, say, a bus or trolley car, they do have to rely on some kind of wireless network, and that may or may not be reliable depending on how the network is set up. They may have decided that going with something like cellular data was too expensive for the system, and have set it up to sync the logs by wifi when they get back to the shop. In a situation like that, it may make sense to have some writeable data on the card to sync with, like a floating balance.

      That being said, not having each card uniquely identifiable/trackable to catch this kind of thing is just silly... if you *are* going to have to leave some writeable data on the card, put a unique identifier in a non-programmable part of the memory, and have an automated system update the central database with your running balance at the end of the day... when the last value read by the card reader doesn't match what it should be in the database, blacklist the card and have each unit pull the current blacklist as they leave the terminal for the day's route. It's not as if it would take a lot of data storage to keep a list of blacklisted serial numbers, and flash storage is cheap enough to include in every console.

    2. Re:what "take advantage"? by holophrastic · · Score: 4, Insightful

      No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.

      On top of everything though, crime isn't the responsibility of the transportation department. If people are committing fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.

    3. Re:what "take advantage"? by Rinikusu · · Score: 2

      From what I can gather, here in LA, the fare reader just stores the information (the tap scans) and either at the end of the day, or end of the week, these logs are transferred and credited against the accounts that scanned through. I know when I put $20 on my card, it can be a week or more before I see the "balance" change even though I use it near daily. It seems fair enough for me and if someone scans through a low/zero fare card, sure, they might "get away with it" for a few rides, but they'll eventually have to pay up or try sneaking on via the back door like the other freeloaders.

      --
      If you were me, you'd be good lookin'. - six string samurai
    4. Re:what "take advantage"? by neonmonk · · Score: 2

      It doesn't have to be instant. It just needs to be able to invalidate cards. The card stores the amount of money it has, which the reader then sends back to the system for verification. If said card's numbers don't match, the card gets banned. A message gets sent to every scanner to ring a klaxon and take a photo if said card gets swiped. I'm sure it's not too difficult to store card ID numbers on all the readers.

      There's more than one way to solve this problem.

    5. Re:what "take advantage"? by brantondaveperson · · Score: 2

      Oyster Cards

      This is what they use in London. They work on trains and buses, and work reliably and efficiently. They seem to work in exactly the way you suggest, as not 100% bulletproof security but only good enough.

      I think the balance is stored on the card, but all transactions are sent through to a central authority, which would certainly be able to detect any fraud and disable cards found to be behaving suspiciously. Or, more likely, have the ubiquitous CCTV cameras in London identify those using fraudulent cards and presumably punish them appropriately.

  6. Re:More like... by Razgorov Prikazka · · Score: 3, Interesting

    No, not really. It happened before (2010) with the cards of those dim-witted nitwits of TransLinkSystems in the Netherlands.
    A journalist hacked a TLS-card (although admittedly it was more at the level of a script-kiddy) and traveled for free, on camera etc, even showing how to do it.
    Not quite sure what happened, but I believe the court dismissed the case because the value of the freedom of press and journalists being critical was more important than a company that isn't up-to-date (since 2007).
    <sarcastic commercial tune>
    TransLinkSystems, promising better since 2001
    </sarcastic commercial tune>

    Off-topic, but last week the same news network (Powned) was voting in the elections for the new parliament wearing a burqa (and a hidden camera) and thus couldn't be properly identified. No problem for the multiculturalist doing the ID-ing, and the guy (yes, a guy) voted with a fake ID of a woman and a voter's card of some other woman. Same here, probably it will be dismissed for the same reason. Good fun with those guys.

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...
  7. Balance on the card? by Nethemas the Great · · Score: 4, Insightful

    Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

    --
    Two of my imaginary friends reproduced once ... with negative results.
    1. Re:Balance on the card? by swillden · · Score: 5, Interesting

      Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

      There are lots of reasons that you might want to store the balance on the card. Increased reliability in the face of network outages, improved performance by eliminating the need for a network round trip and a database query, the ability to deploy in environments without network access at all, the ability to cross incompatible system boundaries... and many more.

      Further, if you do it right, there's no reason not to store the balance on the card. Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security. They can perform cryptographic operations to authenticate the commands they're given, and they can make decisions about whether or not they're going to honor the commands based on authentication and on the content of the request and its context (to the degree that they're aware of context).

      But building smart card systems is hard, and making them secure adds another layer of complexity and frustration when things just don't work because the damned card keeps rejecting your -- you believe -- properly authenticated and formatted commands. It's normal for the early stages of development to disable security for ease of development and testing... and it's unfortunately pretty common for security to be left off, or at least not thoroughly validated, for deployment. And it mostly works, because contactless smart card readers are relatively rare -- they're not expensive, mind you, haven't been for many years, but they have been uncommon. Except now there's one embedded in every one of an increasing number of high-end smartphone models.

      This isn't a fundamental architectural flaw, it's either a detailed design flaw or (very likely) a straight up implementation error. Most likely caused by simple laziness and incompetence (granted that finding competent people in this area of technology isn't trivial, and self-education is a multi-year process).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Re:Where can I.. by EGSonikku · · Score: 3, Funny
    --
    - "Scientia non habet inimicum nisp ignorantem"
  9. buses don't have a 100% live link by Joe_Dragon · · Score: 3, Informative

    buses don't have a 100% live link

    1. Re:buses don't have a 100% live link by eepok · · Score: 2

      Expense. Taxis have live links because they're profit-generating. A trip in a taxi is charged per mile and at a major premium. Bus fare is deficit-minimizing and offers the opportunity to travel very long distances for very little cost.

      Subways and light rail, though, can be different. Some charge per boarding while others charge per the distance between boarding and exiting.

      Also, consider what would happen if cellular service was unavailable. You'd have to create a charge-caching system and then do bulk transactions when reception is found.

      Live transactions are a bit more complex than "$1.50 from the amount on this card."

    2. Re:buses don't have a 100% live link by Idbar · · Score: 2

      So you want to replace a card with stored balance, with a whole wireless network infrastructure that would considerably increase fares.

      Honestly, I think a better solution is to have unique ticket identifiers (that don't follow sequences of course), carry the current balance on the card, but update the balance when the bus is near a paying station or in the parking lot (during shift change). At some point, you can actually invalidate the cards that seem fraudulent due to updates with similar values.

    3. Re:buses don't have a 100% live link by starblazer · · Score: 2

      Considering hundreds of thousands of cars make it through an iPASS system in Illinois... the delay wouldn't be so bad.

      Let's put it this way: iPass reads the transponder, checks the balance, and then flashes a light notifying you of the result in less than a second. The speed limit through those lanes is normally 15 mph but can get as high as 35 and they still read perfectly. The open road tolling doesn't notify you via light, but there are plenty of stations still out there that have the light.

      The system has to be designed intelligently.... it can be done!

  10. Re:Where can I.. by Capt.DrumkenBum · · Score: 2

    I called them up, and they seem to have no clue what UltraReset is.

    That is strange. When I called them up, they offered to bring me a copy and show me how to install it on my phone. They changed their minds when I told them I lived in Canada.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  11. Re:More like... by Razgorov Prikazka · · Score: 5, Informative

    Link to the Powned (yes it is called powned:) clip: http://youtu.be/3izaITMDAYg (in Dutch)

    Transcript for the non-Dutch:
    <anchor guy> Our Jojanneke showed us yesterday that even blonde women can crack the TLS chipcard without a problem. The responsible company reacted frivolously because the hack would show up in their systems, and the authorities would be alerted. In other words, keep calm and carry on. But that was before they saw this news item.
    <Journalist 1> I can check in and out myself, simply by typing in the time that I want to be checked in, and upload it to the card. No signs in their back-office, this is undetectable.
    <anchor guy> Yes indeed, now the TLS card can be hacked even without TLS getting to know about it. The chance that the identity of the fraudulent traveller is to be unveiled is as good as nil. And that is what the responsible company is finally - although not enthusiastically - admitting.
    <TLS spokeswoman, Anita Hilhorst (to a journalist in a studio)>...At this moment our checks with detectors and inspectors do not show those transactions in our back-office,
    <journalist in the studio> Yeah, when the conductor checks me, his machine just says that I am checked in.
    <TLS spokeswoman>...Yes...
    <journalist in the studio> So then I don't have a problem and you are completely ignorant about it.
    <TLS spokeswoman>...then we can't see that ehhh ehhh in the transactions in our back-office
    <journalist in the studio> So at that moment I am untraceable, and you can't do anything against me.
    <TLS spokeswoman> We aren't able to see that, no.
    <anchor guy> And so definitively the TLS card dies. Costing 3.000.000.000,- Euro, and nothing. The minister is summoned for a debate before parliament to explain what he will do about it. And here is some more ammo for the ladies and gentlemen of the opposition; the software needed is, since yesterday, downloadable from bittorrent sites. Cracking the TLS card is now in reach for your grandmother of 82 years old.
    <Jojanneke a.k.a. Pow-janneke> The cracking of the TLS card is now made even simpler because the software is leaked to bittorrent sites, what does that mean?
    <journalist> It means that anyone can download this, and since it is a very simple crack I am not surprised that it is put in the open.
    <Jojanneke> This thing is also needed (holds up card reader), where to buy this? In a shop?
    <journalist> Yes, it is about three tenners, so anyone can go ahead with a TLS card.
    <Jojanneke> But can it be bought in a store?
    <journalist> Yes, or online if they aren't sold out yet.
    <Jojanneke> And we don't have to check in at the station, we can do this at home?
    <journalist> Yes, that is quite simple to do (shows program how-to) and because you do this at home, you are invisible to the back-office. The conductor just checks whether the card has been checked in or not, and that data is transmitted to the system at the end of the day, but by then you already left the train.
    <Jojanneke> In other words, it is so simple even my grandmother can do this?
    <journalist> Even your grandmother can do this easily.
    <anchor guy> Well, and if this isn't bad enough, the hackers will present a new version tomorrow that will make it even easier with new features like making money with that card!
    <Jojanneke> Hackers are busy speeding up the process to keep it within 15 seconds, what does this mean if they succeed in that?
    <journalist> Well, then it is so fast and easy that it becomes feasible to start a 'business' with that.
    <Jojanneke> So they can recharge a lot of cards in a short while.
    <journalist> Yes, you give me a tenner, and I put a hundred euros' worth of credit on it. And I have warned in the past that this might happen.
    <anchor guy> If by chance you are slightly handy with computers, TransLinkSystems is looking for a fraud manager who can monitor the security measures of the cards; stress-resistance is a pre.

    Sorry for any mistakes made, but you'll get the message right?

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...
  12. Re:More like... by Razgorov Prikazka · · Score: 2

    No, not in English, but here is the vid: http://www.youtube.com/watch?v=lvbZ3nsFf0M

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...
  13. Not that hard, really by Taco Cowboy · · Score: 2

    I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.

    Actually it's not that hard to catch those who use cards with bogus amounts.
     
    In a lot of cities, cctv cameras have been set up in mass transit system, in buses, trams and subway trains.
     
    If the authority really wants to find out who are using bogus cards, they could compare the time stamp on the "embarking scan" with the time stamp on the CCTV to identify which person is using bogus cards.
     
    Of course, catching the person only once is in itself not enough to convict the person. But, if the authority is able to prove that the same person has been using a bogus card to get multiple free rides on the mass transit system, they should have no difficulty hauling that individual into court.
     
    Do not forget that we are living in the age of BIG BROTHER.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Not that hard, really by nedlohs · · Score: 4, Funny

      "Here you are caught by security camera A231763 purchasing said ticket at a vending machine. And we know it is that ticket because as you can see a simple uncrop and we can see the serial number reflected in that window which is reflected in that water drop which is reflected on that man's hat."

  14. Not in Philadelphia by tirerim · · Score: 2

    Nice try, there's no chance this would work in Philadelphia -- they're still using tokens. (And magstripe for monthly/weekly passes, but definitely no NFC.)

  15. Re:More like... by Macman408 · · Score: 2

    The terminals don't necessarily have live network access, but they do get updates periodically; for example, when the bus gets back to the bus barn, they plug it in to transfer data. Thus, if you add value to your card with a credit card online, within a few days, every terminal has been updated to know that they may need to increase the value stored on your card, if a different terminal hasn't already added that value. It would be trivially possible to make this a two-way conduit, if it isn't already - save the data from the card to the terminal (eg current balance, or whether a fare was deducted), and correlate all the data. For example, if the balance ever goes up, make sure that they added value somewhere (either online or at a terminal or retail store). The hard part would be figuring out who you are from the available records (CCTV, usage records, etc.), especially if you pay cash.

    That said, they probably won't care as long as only a few people are doing it. There have been much easier ways to game the system; for example, in the SF area, you could buy a card with $2 value, then use it for a ride that costs more than $2; the card allows a balance down to -$10, so you can get up to $12 from your $2 investment. Throw away the card with the negative value, buy a new one for your next trip, and repeat. Recently, they attempted to fix this by charging $3 for the card (in addition to any value you put on it), unless you also tie it to your credit card for automatic refills. I have no idea if this actually really fixes the problem or not - but they claim that such abuse was never rampant to begin with.
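One way to do the end-of-day reconciliation that realityimpaired (sync each card's running balance, then blacklist mismatches) and the comment above ("if the balance ever goes up, make sure that they added value somewhere") describe, written here as an added example that is not from the article, the researchers, or any transit agency. The log format, reader names, card ids and balances are all constructed; the check chains each card's recorded "before" balance to the previous "after" balance regardless of which reader wrote it.

```python
"""Constructed example: offline reconciliation of on-card fare balances.
Each reader appends taps and top-ups to a local log and uploads it when the
bus returns to the barn; a reset card shows up as a break in that chain."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from three readers, uploaded out of order.
# Assumed line format: reader,timestamp,card_id,event,cents_before,cents_after
SAMPLE_LOGS = """\
bus-12,2012-09-20T07:58:00,CARD-0001,tap,1000,875
bus-07,2012-09-21T08:01:00,CARD-0001,tap,750,625
kiosk-3,2012-09-21T12:00:00,CARD-0002,topup,125,2125
bus-12,2012-09-20T17:02:00,CARD-0001,tap,875,750
bus-07,2012-09-21T12:30:00,CARD-0002,tap,2125,2000
bus-12,2012-09-22T07:59:00,CARD-0001,tap,1000,875
bus-07,2012-09-22T18:10:00,CARD-0002,tap,2000,1875
"""


def parse_log(text):
    """Parse log lines into dicts; balances are integer cents."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reader, ts, card, event, before, after = line.split(",")
        records.append({"reader": reader, "ts": datetime.fromisoformat(ts),
                        "card": card, "event": event,
                        "before": int(before), "after": int(after)})
    return records


def reconcile(records):
    """Return {card_id: [(kind, ts, expected, observed), ...]}.

    Each event's 'before' must equal the previous event's 'after' for that
    card (whichever reader wrote it), and only a top-up may raise the balance.
    """
    by_card = defaultdict(list)
    for rec in records:
        by_card[rec["card"]].append(rec)
    anomalies = defaultdict(list)
    for card, events in by_card.items():
        # Readers upload at different times, so order by the tap timestamp.
        events.sort(key=lambda r: r["ts"])
        last_after = None
        for rec in events:
            if last_after is not None and rec["before"] != last_after:
                anomalies[card].append(
                    ("balance_mismatch", rec["ts"], last_after, rec["before"]))
            if rec["event"] == "tap" and rec["after"] > rec["before"]:
                anomalies[card].append(
                    ("tap_raised_balance", rec["ts"], rec["before"], rec["after"]))
            last_after = rec["after"]
    return dict(anomalies)


def blacklist(anomalies):
    """Sorted card ids to push to every reader before the next day's routes."""
    return sorted(anomalies)


if __name__ == "__main__":
    found = reconcile(parse_log(SAMPLE_LOGS))
    for card, items in found.items():
        for kind, ts, expected, observed in items:
            print(card, kind, ts, "expected", expected, "saw", observed)
    print("blacklist:", blacklist(found))
```

On the sample logs CARD-0001 is flagged once: on 2012-09-22 it presented a balance of 1000 cents although the last reader had written 625, with no top-up recorded in between, which is exactly the trace a card reset leaves.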

  16. Re:Random Checks by snowraver1 · · Score: 2

    I believe that you use the NFC chip on the phone to program the card. The story speaks of efuses that aren't being used, so that would support that the phone programs the card.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  17. Re:More like... by Anonymous Coward · · Score: 2, Interesting

    System abuse can be rampant. With the situation of "The hard part would be figuring out who you are from the available records", it is far easier to cancel the card and flag it as suspect. When the card is next used it doesn't work, triggers an alarm, and the card holder then gets to have a chat with an official about their card.

    Most systems don't care about the negative balance reaping. Giving a percentage credit for auto and remote payments tends to fix this problem for the most part. Then they can isolate the individual cases where it is costing them money, your $2 for a $12 ride is a good example, and determine if it is worthwhile cracking down on those.

    There is a new trick in Canberra. When you swipe your action bus prepaid card the machine makes a buzzing sound. Some kids have figured out that they can walk on the bus, hold a fried card to the reader making sure they obstruct line of sight of the driver, play the BEEP sound on their phone, and get on the bus for free. No need to swipe off.

    The system here initially allowed for 'change of mind', so what happens is that you swipe on and if you swipe off in less than 5 minutes it negates the charge. So, people were swiping on at the front and swiping off at the back door meter. Alternatively, the first person swipes on, hands their card to the next person, who swipes off 30 seconds later. Ahh, youth these days. So charming.