Slashdot Mirror


Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze

McGruber writes "Seven metro Atlanta residents are facing theft, fraud, and racketeering charges for allegedly selling counterfeit MARTA Breeze cards. Breeze cards are stored-value smart cards that passengers use as part of an automated fare collection system which the Metropolitan Atlanta Rapid Transit Authority introduced to the general public in October 2006. Breeze cards are supplied by Cubic Transportation Systems, an American company that provides automated fare collection equipment and services to the mass transit industry. At the time of this slashdot submission, the Wikipedia page for the Breeze Card (last modified on 2 August 2013 at 14:52) says: 'The Breeze Card uses the MIFARE smart-card system from Dutch company NXP Semiconductors, a spin-off from Philips. The disposable, single-use, cards are using on the MIFARE Ultralight while the multiple-use plastic cards are the MIFARE Classic cards. There have been many concerns about the security of the system, mainly caused by the poor encryption method used for the cards.'"

139 comments

  1. Inevitable... by Shuntros · · Score: 4, Interesting

    Old MiFare stuff is toast, security wise. Any old fool can order some UID-writable tokens on eBay from China, grab a copy of libnfc and mfoc, then things get interesting pretty quickly.

    1. Re:Inevitable... by Anonymous Coward · · Score: 0, Flamebait

      gotta wonder what "any old fool" thinks when he goes to such lengths to steal from his fellow citizen and public transit in general to fund China.

      / middle-age long-time slashdotter here: I used to think that fundamentally good people became geeks and engineers and fundamentally bad people became bankers and lawyers. 15+ years of reading self-serving rationalizations (of piracy, of blatant tax evasion, of all sorts of blatantly anti-social behavior) slashdot has thoroughly disabused me of the former half of that theory. The latter half is still intact though.

    2. Re:Inevitable... by AdamColley · · Score: 3, Funny

      It's a subsidy for smart people, that's obvious -.o;

    3. Re:Inevitable... by the_B0fh · · Score: 2

      Why do you blame OP? Shouldn't you blame the company for using really stupid and known to be flawed encryption?

    4. Re:Inevitable... by Anonymous Coward · · Score: 0

      Your notion that hacking your local transit company to get a free ride, or just to see "if you can do it" is "fundamentally bad"? Is a leap.

      It's bad if you have a bad intent, but "China" 's benefit from the sale of a few badges is probably comparable to the loss of a very small % of fares by the agency.

      If this is "fundamentally bad" you really don't want to know what goes on.

    5. Re: Inevitable... by Anonymous Coward · · Score: 0

      Vocation and moral intent can be loosely correlated, but (usually) only very loosely. For example, I know some small credit union 'bankers' who are very moral/'good' folks, and one lawyer who chooses his cases carefully and largely works pro-bono for those who would otherwise be walked on by the system. I do know examples of the scummy sorts of those vocations too, unfortunately. I've known good and bad techs, too.

    6. Re:Inevitable... by Shuntros · · Score: 3, Insightful

      Well thanks Anonymous Coward (latin: buffoonus maximus), but that's a bit of a tenuous jump. I don't even use public transport, I'm just a guy who does a bit of NFC engineering for the day job and knows the difference between the wrong way to do it and the way I do it. The token security is weak, certainly, but it's easy to protect against with some very low-overhead crypto.

    7. Re:Inevitable... by sjames · · Score: 1

      For the same reason we blame burglars even though houses still use doors that can be easily kicked in and windows that break so easily.

    8. Re:Inevitable... by Shuntros · · Score: 1

      Honestly, what the actual fuck? Have you listened to yourself?

      I don't actually use public transport. I just do some NFC work for the day job and know how weak the keys are in old MiFare stuff. No wonder you posted AC with that outburst of verbal diarrhoea.

    9. Re:Inevitable... by Anonymous Coward · · Score: 1

      is this a serious question? do you honestly need an answer to the question of "if a thief gets in a poorly defended house, who is overwhelmingly at fault?" is your moral compass so broken?

    10. Re:Inevitable... by Anonymous Coward · · Score: 1

      It's stealing. It IS fundamentally bad. End of.

      Now, it may have some upsides (education, vuln exposure/disclosure, financial [for the thief]), but fundamentally, it's bad.

    11. Re:Inevitable... by bhcompy · · Score: 1

      Think of it from a macro point of view. You might save a few bucks, but it's remarkably difficult to get public transportation funding all across the US and every dollar lost is just one more thing that those against public transportation will use against new and existing public transport projects in the future.

    12. Re:Inevitable... by Anonymous Coward · · Score: 0

      Geeks aren't saints - why should we be special? Criminals exist everywhere. There may be more in finance, because you can steal so much more in one go. These counterfeiters get their money selling one subway card at a time. And they are easily caught - not because of tech flaws, but because they need so many customers. All the investigator needs, is to pretend to be an interested buyer.

    13. Re:Inevitable... by Anonymous Coward · · Score: 0

      Diarrhoea is actually a correct spelling. If you're going to pick on someone for spelling because you have nothing intelligent to say, at least find a comment with spelling mistakes before you crack open a fresh can of Internet Douchebag Juice and squirt it around.

    14. Re:Inevitable... by Anonymous Coward · · Score: 0

      Except of course that the op is a locksmith instead of burglar.

    15. Re:Inevitable... by sjames · · Score: 2

      A 'locksmith' who uses his skills where not authorized is a burglar.

    16. Re:Inevitable... by Anonymous Coward · · Score: 0

      i guess the company selling the hardware, which is likely made in china, is also stealing from their fellow citizens and funding china

    17. Re:Inevitable... by AmazingRuss · · Score: 1

      Why blame the guy that shot you in the face? Shouldn't you have been wearing a bulletproof mask?

    18. Re:Inevitable... by the_B0fh · · Score: 3, Insightful

      There is this thing called a "reasonable man" standard. If you run a business website, you're expected to run it behind a firewall, and have other security standards in place.

      Otherwise, you end up like any one of those companies that get hacked. I had stated it incorrectly earlier - I do not mean to say criminals who hacked the system are not in the wrong. However, implementing shitty security is also wrong.

      Just like a bank should have a reasonable security system, and the bank's vault should have something better than a $5 padlock. Bank robbers are wrong, but if a bank had only a $5 padlock on it, *THEY ARE WRONG TOO!*

      WHY ARE YOU SO FORGIVING OF COMPANIES THAT IMPLEMENT SHITTY SECURITY OR PUTTING IN FAKE SECURITY?

    19. Re:Inevitable... by mynamestolen · · Score: 1

      evil is a silly construct. Read: Howard K Bloom, The Lucifer Principle: A Scientific Expedition Into The Forces of History

      --
      work in progress
    20. Re:Inevitable... by the_B0fh · · Score: 2

      Who is talking about perfect security? I'm talking about not deploying systems with *KNOWN* security problems.

      Like how WEP was known flawed and yet deployed, because of people like you. No one is talking about perfect security. But at least put some effort into making it secure, damnit. And by that, I don't mean letting your damned intern throw some shit together, but getting some seasoned professionals in the security field to work on it.

    21. Re:Inevitable... by Anonymous Coward · · Score: 1

      So according to your logic, it's ok to steal something if the security is poor? Or to use a resource if its security is poor?
      Can I also punch someone in the back of the head because they're weak?

    22. Re:Inevitable... by pepty · · Score: 1

      Would you blame the company if it was safety instead of money at stake?

    23. Re:Inevitable... by Anonymous Coward · · Score: 0

      This looks very much like the flaws discovered in the Christchurch (NZ) Metro card - same Mifare system + weak encryption + poor validation.

    24. Re:Inevitable... by gl4ss · · Score: 1

      well.. the real problem is that it really cuts down on where you can use the card. with such shit security it's really just only going to work as a public transportation token AND you're going to need some guys going through the buses and checking people's cards..

      HK has a public transport smartcard paying system... that is, you load cash on the card.

      and you can buy beer/mcd/whatever with that money too.

      needless to say that if the security was as shite then the system wouldn't be in use for a day..

      --
      world was created 5 seconds before this post as it is.
    25. Re:Inevitable... by TangoMargarine · · Score: 1

      We're apparently surfing the fine line between "blaming the victim" and "professional incompetency."

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    26. Re:Inevitable... by the_B0fh · · Score: 1

      Show me a crack for AES-128.

      Thanks.

    27. Re:Inevitable... by Anonymous Coward · · Score: 0

      Like the OP does? Oh wait, he doesn't.

    28. Re: Inevitable... by Anonymous Coward · · Score: 0

      powwwwwwww. great point.

    29. Re:Inevitable... by Anonymous Coward · · Score: 0

      The newest MiFare isn't a problem. But bureaucracies suck at upgrades.

    30. Re:Inevitable... by DarwinSurvivor · · Score: 1

      is this a serious question? do you honestly need an answer to the question of "if a thief gets in a poorly defended bank, who is overwhelmingly at fault?" is your moral compass so broken?

      See how quickly the moral compass can spin when we change the nature of the "victim"? In this case we're talking about a transit company funded (at least in part) by tax payers with the losses directly impacting other users instead of some bloke who's now short a plasma TV.

  2. why? by Lehk228 · · Score: 3, Informative

    I don't understand why these systems are set up like this, operationally it's not much different from EZ-Pass which works fine with an account based system, putting the value tracking on the cards is just asking for an upgrade treadmill even if it's well designed now, 10 years from now it will be easily cracked. compare CPU vs GPU/FPGA/ASIC hashing advances

    --
    Snowden and Manning are heroes.
    1. Re:why? by QuietLagoon · · Score: 4, Informative
      E-ZPasses Get Read All Over New York (Not Just At Toll Booths)

      After spotting a police car with two huge boxes on its trunk — that turned out to be license-plate-reading cameras — a man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.

    2. Re:why? by CaptBubba · · Score: 2

      It allows for fallback to the stored value on the card if the data connection between the authenticating device and the home station is unreliable, as would be expected in a wide-ranging bus system when these cards were initially deployed.

      Also EZPass and the like have the additional advantage of being tied to either a registered name or an easily identifiable way to bill someone (via a photo of the license plate) in case their account is empty. You don't have that luxury when dealing with people getting on and off mass transit.

    3. Re: why? by Anonymous Coward · · Score: 1

      Stored value also has nicer anonymity. Nothing tying it back to your identity (ie buy it with cash). Drop it in the street and you've lost your money a la cash.

    4. Re: why? by Pinky's+Brain · · Score: 2

      The same is true for an anonymously bought card with remotely stored value.

    5. Re:why? by Anonymous Coward · · Score: 0

      Account based systems are a privacy nightmare.
      With an account based system, you can basically track every pass user everywhere all the time.

    6. Re:why? by Anonymous Coward · · Score: 0

      Looks like there's a real need for Faraday Cage wallets nowadays.

    7. Re:why? by davidwr · · Score: 1

      Account based systems are a privacy nightmare.
      With an account based system, you can basically track every pass user everywhere all the time.

      That depends. If it's post-paid or renewing-prepaid account, you are correct.

      If it's a prepaid account that is purchased anonymously and not re-loaded when the money runs out or the number of pre-paid days expire, then the privacy issues are much less. All you can do then is say when the card was used. Unless you have something else to go by, such video camera coverage of one of the times it was used, you can't say who the card belongs to.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    8. Re:why? by citizenr · · Score: 1

      I don't understand why these systems are set up like this, operationally it's not much different from EZ-Pass which works fine with an account based system, putting the value tracking on the cards is just asking for an upgrade treadmill even if it's well designed now, 10 years from now it will be easily cracked. compare CPU vs GPU/FPGA/ASIC hashing advances

      Because it's expensive to run a lot of data over GSM links in every bus/tram in the city.
      We use same system in Poland and recently a group of people (over 900!) got charged with fraud. They weren't the ones selling cards, they were the users, and only stupid ones.
      In Polish: http://niebezpiecznik.pl/post/900-wlascicieli-falszywych-warszawskich-kart-miejskich-bedzie-przesluchanych/

      Someone also offers Android app that charges cards using phone built-in NFC. You pay with BTC (yes, bitcoins). It's only available over TOR :)
      http://zaufanatrzeciastrona.pl/wp-content/uploads/2013/03/screen01.png
      City has NO technical way of discovering fake cards on the meters, they only stumbled on those cards because City was upgrading older VERY broken Classic cards to newer less but still broken model, they did it by offering free exchange program. Some retards tried to turn in FAKE cards :D

      evul sourcecode for cloning
      https://github.com/ikarus23/MifareClassicTool

      --
      Who logs in to gdm? Not I, said the duck.
    9. Re:why? by Rakishi · · Score: 1

      Because it's expensive to run a lot of data over GSM links in every bus/tram in the city.

      You don't need to send a lot of data. Maybe, 1kb for each authentication event? Assuming 2 million authentications per day (a lot) that comes out to 2 gigabytes of data per day. Last I was in Poland I think that cost around 20 zloty ($10) to get on a prepaid plan. Hell, you can have it send 100 times as much data and you'll still end up paying less than the cost of maintaining the hardware itself.

      There's a lot of reasons to not go with a GSM based approach but data cost is not one of them.

    10. Re:why? by fluffy99 · · Score: 3, Informative

      E-ZPasses Get Read All Over New York (Not Just At Toll Booths)

      The plausible explanation is that they are simply using ez-pass as a means to assess traffic congestion, ie how long is it taking a car to traverse a section of highway. Of course I don't doubt that law enforcement wants access to track people, but generally cell phone tracking is more reliable and readily accessible. Wanna bet these are at the border as well?

    11. Re:why? by radarskiy · · Score: 1

      a) It's not a lot of data per link, but it is a lot of links. That 20 zloty plan is one link. Marta has 554 buses and 38 rail stations.
      b) You have supplied no data on the reliability of that link.
      c) Pricing in Poland is not particularly relevant to Atlanta, Georgia, USA.

    12. Re:why? by Anonymous Coward · · Score: 1

      The technology is created by a company called Cubic Transportation Systems, and it turns out there are a lot of open questions about who is behind this company.

      http://www.genuinewitty.com/2012/08/22/will-vancouvers-new-transit-passes-be-spying-on-you-and-who-has-access/

      "A story came out recently linking Cubic to Trapwire- but, Cubic came out with a denial that they were connected. But, according to research by Cryptome.org, Trapwire is headquartered at the same address as Cubic, and some of the same people are on their board of directors. So, despite their denial, these companies are closely connected. Their customers include most of the major police and national security agencies in the western world."

    13. Re:why? by Bite+The+Pillow · · Score: 1

      Quote without relevance. When read elsewhere, they are not deducting a payment. That was the point, not putting the account on the card.
      And, it seems to be part of traffic management, so I don't see a major security issue here.
      Whatever point you had, it got missed completely.

    14. Re: why? by demonlapin · · Score: 1

      True, but that assumes anyone will sell one of those. Do they?

    15. Re:why? by ub3r+n3u7r4l1st · · Score: 1

      Cubic also are behind the Ventra fare system used here in Chicago, which is one big joke.

    16. Re: why? by Anonymous Coward · · Score: 0

      At least only your fare system is a joke. The referenced public transportation here in Atlanta may very well be the worst in the nation, if not the world.

    17. Re:why? by AmiMoJo · · Score: 1

      If you implement the security properly it still won't be decryptable in 10 or 100 years time, unless something like quantum computing becomes a common reality in which case we have much bigger problems than people getting free rides. Processing power has nothing to do with it; even the fastest possible conventional computer is constrained by the laws of physics and couldn't break it in a useful timeframe.

      As an example the FeliCa system, developed by Sony of all people, has not been cracked. It is also one of the oldest and most widely deployed. Cracking it would allow people to buy goods and services in shops as well as travel for free. The problem is that once Sony demonstrated it could be done and work reliably everyone wanted in on the action and idiots like NXP decided to roll their own solutions.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:why? by Anonymous Coward · · Score: 0

      Just put in an anti-static bag, like the one it comes in when it was shipped to your house. Done.

    19. Re:why? by Anonymous Coward · · Score: 0

      c) Pricing in Poland is not particularly relevant to Atlanta, Georgia, USA.

      It's relevant if you're as tired of Atlanta as I am, lol.

    20. Re:why? by Rakishi · · Score: 1

      a) It's not a lot of data per link, but it is a lot of links. That 20 zloty plan is one link. Marta has 554 buses and 38 rail stations.

      Since you can't do the math apparently I'll have to. $20 per bus per month comes out to under $150k per year to have GSM data everywhere. For comparison, the Breeze Card program had a $100 million budget and Marta has a yearly budget of $400 million.

      So no it's not a lot of links or a lot of data or a lot of cost although it is sad how people can't do simple math and research anymore.

      b) You have supplied no data on the reliability of that link

      What part of "There's a lot of reasons to not go with a GSM based approach but data cost is not one of them" is hard for you to read?

      c) Pricing in Poland is not particularly relevant to Atlanta, Georgia, USA.

      Please read the whole thread in the future, I replied to someone who mentioned Poland. If you can't keep up with a simple thread of discussion then maybe slashdot is too complicated for you. And btw, the price of 1gb of data per month is $20 in the US through Verizon or ATT.

  3. Security by ledow · · Score: 5, Informative

    Like everything:

    If you can buy the readers, and someone obviously sells the writers somewhere, you can clone them.

    As soon as you then rely on these tokens to hold individual data themselves (with no reference to a central database), then they become valued targets for attack.

    If you had these cards hold nothing more than a code number, and wired all the readers to talk home, then the system can't be "scammed" as such - people can have their cards cloned, of course, but you can spot it, you can trace them, arrest them at your convenience, and give the original account holder a new card in the meantime as soon as they report the fraud. But because everything has to talk to a central database, the cards are not so much "cash" as a stolen "credit card" - traceable, and stoppable.

    Then, it doesn't matter if you do use something as common as MiFare (a school I used to work in used Mifare entry systems - they weren't expensive or hard to get hold of at all and I used to program my Oyster - London Tube travel - card to open the door for me in the morning if I'd forgotten my ID card). As soon as the readers are that commonplace, the writers will be available even if that means people are building their own and making fake "cards" the size of a Raspberry Pi with some RF circuitry to pretend to be a card. The next step is just a matter of shrinking the device.

    MiFare is long-cracked. You can buy the cards for pence each and the readers (direct to USB, etc.) for a pittance. The next step up is no harder than going from magstripe readers and cards up to magstripe writers with the correct magstripe "level" to read/write the banking data on an old magstripe credit card.

    Don't put "value" into a chip that can be cloned. Put the value into a central, monitored, system, and provide people only with a codenumber to access it. That codenumber can be cloned still, sure, but then you can watch out for it, notice it, blacklist it, catch people red-handed. And they can't go spending "free money" offline from your system.

    This is my biggest bugbear with London's Oyster system. It's just a number for the most part, but they try to store "value" on the cards and let you buy newspapers with them. Now you have an offline, valued, unmonitored, commodity on an easy-to-clone chip.

    1. Re:Security by jonbryce · · Score: 2

      Oyster is mostly online. There is an offline backup, because if you use it on a bus, the bus may not have a network signal at your bus stop. If you do manage to hack an Oyster card, it will work for one day, but when the reconciliation is done overnight, your card will be blacklisted and it won't work the following day, even in offline mode.
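The overnight reconciliation described in this comment, and the "watch out for it, notice it, blacklist it" approach in the parent post, can be sketched as follows. This is an added example, not part of the original thread and not TfL's or MARTA's actual back office; the record layout, finding codes and sample data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tap:
    """One fare transaction as uploaded by a reader (hypothetical layout)."""
    uid: str             # card serial number reported by the reader
    counter: int         # per-card transaction counter stored on the card
    reader: str          # gate or bus validator that saw the card
    balance_before: int  # cents, as read from the card before the fare
    fare: int            # cents deducted by this reader


# Constructed ledger: total value sold to each card via authorised channels.
SOLD = {"04A1": 2000, "04B2": 500, "04C3": 1000}

# Constructed reader uploads for one day, already sorted by time.
TAPS = [
    Tap("04A1", 1, "bus-17", 2000, 250),
    Tap("04A1", 2, "gate-03", 1750, 250),
    Tap("04B2", 1, "gate-03", 500, 250),
    Tap("04B2", 2, "bus-09", 9600, 250),   # value appeared with no sale on record
    Tap("04C3", 1, "gate-01", 1000, 250),
    Tap("04C3", 2, "bus-17", 750, 250),
    Tap("04C3", 2, "bus-22", 750, 250),    # same card state presented twice
]


def reconcile(taps, sold):
    """Return {uid: set of finding codes} for cards that disagree with the ledger."""
    findings = defaultdict(set)
    spent = defaultdict(int)   # fares the back office has seen per card
    last_counter = {}          # highest transaction counter seen per card

    for tap in taps:
        if tap.uid not in sold:
            findings[tap.uid].add("UNKNOWN_CARD")

        # A card can never hold more than what was sold minus what was spent.
        expected = sold.get(tap.uid, 0) - spent[tap.uid]
        if tap.balance_before > expected:
            findings[tap.uid].add("BALANCE_EXCEEDS_LEDGER")

        # A single genuine card's counter only moves forward; a repeat or a
        # step backwards means two cards share one identity or state was restored.
        previous = last_counter.get(tap.uid, 0)
        if tap.counter <= previous:
            findings[tap.uid].add("COUNTER_NOT_ADVANCING")
        last_counter[tap.uid] = max(tap.counter, previous)

        spent[tap.uid] += tap.fare

    return dict(findings)


def blacklist(findings):
    """UIDs to push to every reader before the next service day."""
    return sorted(findings)


if __name__ == "__main__":
    result = reconcile(TAPS, SOLD)
    for uid in blacklist(result):
        print(uid, sorted(result[uid]))
```

The checks only need the uploaded tap records and the sales ledger, so they work even when readers were offline during the day.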

    2. Re:Security by nogginthenog · · Score: 1

      Oyster is far from perfect. The online system tells me "There are no season tickets on this Oyster card". Yet there is a monthly travelcard loaded on it that expires sometime next month (not sure when, thanks TFL!).

    3. Re:Security by ledow · · Score: 2

      Not true - it's a lot more "offline" than you think.

      That's why you have to nominate a station to "collect" your top-up - basically they preload to that station in the morning and then your card gets an instruction that you have X pounds more on it now. The card knows how much you have and works when the system is out (done it many times). That's how the vendor purchases work too - they rely on the card to have an up-to-date record of how much PAYG credit they have.

      But, that said, when it is networked - as pointed out - it all gets noticed quite quickly. This is my point - network and keep online as much as possible and don't rely on the CARD to tell you how much money the user has. Use a number on the card to refer to a central database and take a loss on "system down" times rather than "user can clone any card" times (and then keep things up as much as possible).

    4. Re:Security by Shuntros · · Score: 1

      The main issue is that Oyster does do some level of cleverness. I only ever skimmed the paper so don't recall the details. The main issue in most use cases is that the spec says the token UID should be read-only. When you can buy tokens from China which completely disregard this and let you write sector 0 it's game over immediately for huge swathes of RFID installations which rely on UID alone.

      My work ID does door access, printing, loads of stuff. Spoof the UID onto a blank token, remove the chip/antenna, place inside rear cover of watch. Super convenient, but alarmingly easy.

      And you know that "tap and go" stuff your credit card has, distinct to the chip & pin functionality, for low-value purchases like a Double Whopper with cheese? Don't even get me started on that...

    5. Re:Security by thegarbz · · Score: 1

      Don't put "value" into a chip that can be cloned. Put the value into a central, monitored, system, and provide people only with a codenumber to access it. That codenumber can be cloned still, sure, but then you can watch out for it, notice it, blacklist it, catch people red-handed. And they can't go spending "free money" offline from your system.

      There's a problem with central database hookups, what happens when the link fails, what's the maintenance cost of a central database and all the links? In Brisbane they've all but given up on manual ticketing systems. I imagine the cost of a handful of people taking free rides is less than the cost of maintaining a central system, and less than the cost of what would happen when the system went down, or any kind of local database gets corrupted.

      Yes there's ways around the value on the card problem, but are they really economical?

    6. Re:Security by ledow · · Score: 2

      Our Mifare card access system used to read data off of the latest PayWave-type phones. To our systems it was just a random long number but it uses the same frequencies, protocols, etc. as everything else RFID to power itself/send it.

      Caused havoc with our systems when people started buying Galaxy S3's and holding them in their hands while they swiped their entry cards. We wondered what the hell was going on for a long time.

    7. Re:Security by xelah · · Score: 1

      The writers are already commonplace: they're exactly the same as the readers, and an NFC phone can do it. But, you'll need an encryption key to do it (or you'll need to break the authentication or extract the key). These things are not just dumb storage devices, you have to authenticate to them to read or write more than the card's unique ID (and you'd have to be a fool to rely just on that to identify a card). The old cards (MiFare Classic cards) are clonable because the encryption was weak. DESFire EV1s, like new Oyster cards, use 3DES or AES.

    8. Re:Security by AmiMoJo · · Score: 1

      You can't just read it, it's not a memory card. It is a microcontroller you talk to. Transactions require a cryptographic handshake. The only thing you can read is the current value and a transaction history, and you can't write anything.

      The microcontroller has physical protection to stop you removing the top with acid and reading the memory directly. If you try it commits suicide and wipes itself. So far no-one has managed to read one.

      The flaw here is the cryptographic handshake. Cloning is still impossible.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Security by ledow · · Score: 1

      See other posts - you can buy writeable tokens for next-to-nothing from China, and you can figure out the keys inside any such device using utilities available on Google Code and a bog-standard reader.

    10. Re:Security by IamTheRealMike · · Score: 1

      Oyster cards upgraded past the broken old MiFARE Classic chips some time ago, I believe. NXP make several generations of cards of which the Classic is the oldest and most broken. The more modern/expensive cards, not so trivial to crack.

    11. Re:Security by xelah · · Score: 1

      You don't need to buy a writable token from China when you can buy a real Oyster card more easily, and you don't then need to worry about it not looking genuine....unless, of course, you're expecting to get through a great many of them by them getting blocked every day (in which case, watch out for those CCTV cameras if you draw attention to yourself). Or you could use a phone to talk to the reader instead of a card. But if they've done it properly then the key will be different for each card, based on a secret TfL knows and on the UID, so even if you can clone one you might find it a good deal harder to forge one from scratch. If there's a utility on Google Code that will extract the key from a MiFare DESFire EV1 then you should link to it. I think a lot of people here would be interested to know it exists.
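The per-card key "based on a secret TfL knows and on the UID" mentioned in this comment, combined with the "low-overhead crypto" suggested earlier in the thread, can look like the sketch below. It is an added example, not part of the original thread and not any transit operator's scheme; HMAC-SHA256 stands in for the card's own cipher so that it runs with the standard library, and the master key, UIDs and record layout are constructed.

```python
import hashlib
import hmac
import struct

# Constructed placeholder. In a real deployment the master secret stays inside
# the reader's secure module or the back office and never appears in code.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

RECORD = struct.Struct(">IH")   # balance in cents (4 bytes), counter (2 bytes)
TAG_LEN = 8                     # truncated MAC; record + tag fit a 16-byte block


def card_key(master: bytes, uid: bytes) -> bytes:
    """Diversify the master secret per card, so one extracted card key
    says nothing about the key of any other card."""
    return hmac.new(master, b"card-key|" + uid, hashlib.sha256).digest()


def _tag(master: bytes, uid: bytes, record: bytes) -> bytes:
    # The UID is part of the MAC input, binding the value to this card.
    mac = hmac.new(card_key(master, uid), uid + record, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def seal(master: bytes, uid: bytes, balance: int, counter: int) -> bytes:
    """Build the value record a trusted reader writes to the card."""
    record = RECORD.pack(balance, counter)
    return record + _tag(master, uid, record)


def verify(master: bytes, uid: bytes, blob: bytes):
    """Return (balance, counter) if the record is authentic for this UID,
    otherwise None."""
    if len(blob) != RECORD.size + TAG_LEN:
        return None
    record, tag = blob[:RECORD.size], blob[RECORD.size:]
    if not hmac.compare_digest(tag, _tag(master, uid, record)):
        return None
    return RECORD.unpack(record)


if __name__ == "__main__":
    uid_a = bytes.fromhex("04a1b2c3")   # constructed UIDs
    uid_b = bytes.fromhex("04d4e5f6")

    blob = seal(MASTER_KEY, uid_a, 1000, 7)
    print("genuine:", verify(MASTER_KEY, uid_a, blob))

    # Balance rewritten without knowledge of the key: rejected.
    edited = RECORD.pack(9600, 7) + blob[RECORD.size:]
    print("edited balance:", verify(MASTER_KEY, uid_a, edited))

    # Same record presented by a card with a different UID: rejected.
    print("moved to other UID:", verify(MASTER_KEY, uid_b, blob))
```

A MAC of this kind stops value being edited or moved between cards, but a byte-for-byte copy presented under the same UID, or an older record written back, still verifies; those cases have to be caught by back-office checks on the counter and the ledger.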

    12. Re:Security by ledow · · Score: 1

      If you bought your Oyster card pre-2010, it's not a DESFire one. But it still works. Still holds credit. Hasn't been recalled. Hasn't been disabled. I have at least two that we use for visitors from my girlfriend's country, we used them last week. Saying "DESFire cards" are secure is no good if DESFire isn't a requirement of the transport system in question. My Oyster card goes back at least 7-8 years, I believe, and that's because I lost the one I used to use when I was in Uni.

      Additionally, NXP are supposed to have been phasing out the original DESFire cards since 2010 - they have been proven insecure - but they just keep revising them (hence your "EV1"). Again, no recall, no disabling of older versions (at least three at the moment?), so saying that the cards are secure is worthless if even 10% of people aren't using them. And guess who those 10% will be? The ones who've been using public transport for longest and most likely have season tickets, more credit, etc.

      Hell, DES itself is hardly the epitome of secure any more - which is why newer DESFire cards are actually AES inside.

      What you say may be true. But if you can just clone any of the last several years of cards that are NOT as secure as AES, then it's all a waste of time.

    13. Re:Security by Fat+Boy+unslim · · Score: 1

      Oyster has switched to DesFire cards which have MiFare emulation but better security.

      --
      Java programmers do it with .class
  4. Another card scam... by QuietLagoon · · Score: 3, Interesting
    Police Warn of Gift Card Scam

    .
    Fare cards, gift cards, credit and debit cards used at Target, etc., etc., etc...

    When are we going to make our erzatz money secure?

    1. Re:Another card scam... by Anonymous Coward · · Score: 0

      ersatz

      FTFY

    2. Re:Another card scam... by Anonymous Coward · · Score: 0

      Never, because that's the whole point of ersatz money. All these cards are designed to improve convenience and efficiency at the expense of security.

      Why do we have paper currency? Coin based currency is obviously more secure and harder to counterfeit.

    3. Re:Another card scam... by QuietLagoon · · Score: 1

      thx.

    4. Re:Another card scam... by phantomfive · · Score: 1

      When are we going to make our erzatz money secure?

      When it becomes cheaper to pay for security than for damages. Same thing with banking websites.

      --
      "First they came for the slanderers and i said nothing."
  5. Any Detail, At All? by Anonymous Coward · · Score: 0

    So it's a breeze to crack Breeze card encryption? Yuk yuk yuk, you're hilarious.

    What about any detail at all about this? What "weak" encryption do they use? How was it broken? What was the value of the fraud? Can these cards be used for anything else, or cashed out, or does this fraud require very extensive MARTA ridership?

    Seven people have been charged with fairly serious crimes, but I can't see the value of the fraud being more than a few hundred or few thousand dollars. It's like counterfeiting $1 bills, what's the point?

    1. Re:Any Detail, At All? by McGruber · · Score: 4, Informative

      What about any detail at all about this? What "weak" encryption do they use? How was it broken? What was the value of the fraud? Can these cards be used for anything else, or cashed out, or does this fraud require very extensive MARTA ridership?

      Seven people have been charged with fairly serious crimes, but I can't see the value of the fraud being more than a few hundred or few thousand dollars. It's like counterfeiting $1 bills, what's the point?

      It appears that MARTA is just discovering the extent of the fraud, based upon the information in this article by the NBC affiliate in Atlanta: Atlanta Channel 11 TV News: 7 arrested for MARTA Breeze Card fraud

      Some detail:

      MARTA says the thieves spent $1 to buy the Breeze card, then reprogrammed the data on it to turn it into a 30-day pass. They then sold it to riders for $40, a deep discount of the real price of $96. That meant the thieves got to pocket $39, and the buyers got a cheap ride.

      and

      MARTA police chief Wanda Dunham says the cards were sold at MARTA stations and on Craigslist. But it was a suspicious buyer who purchased one at an area mall that contacted police. "He knew that wasn't the right fare so he called us, asked us to check into it," said Dunham.

      As they investigated, the agency's Revenue Department noticed in November, a large number of cards were sold at its Chamblee and Lenox stations for only a dollar. Police started reviewing surveillance video to create a list of suspects.

      MARTA won't say how many counterfeit cards the group sold, but says during the arrests it confiscated 400 fraudulent cards. Had the thieves sold them, their $400 initial investment, would have earned them $16,000.

      MARTA says it's never had something like this happen before, but security expert Gregory Evans says MARTA needs to act fast, if it wants to keep it from happening again. He says the hackers likely got away with their scheme using a simple card writer that costs just a few hundred dollars. "The crazy part, the scary part about this? MARTA would have never known if some had not gone back and told them what was happening. That's it," said Evans. Evans says the data on the card could be encrypted and an alert built into their software system. "If I go to use this card somewhere and all the sudden there's $100 on this card, their system should have caught that and said hold up," Evans said.
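The alert Evans describes can be run in the back office even when gates are offline, by reconciling uploaded tap logs against the sales ledger. The sketch below is an added example, not MARTA's or Cubic's software; the card serials, gate names, field names and record layout are constructed, and only the $1 and $96 prices and the two station names come from the quoted article.

```python
from collections import Counter

# Prices quoted in the article: $1 card, $96 thirty-day pass.
PRICE_CENTS = {"card": 100, "30day": 9600}

# Constructed sales ledger: what was actually paid for, per card serial.
SALES = [
    {"card": "C1001", "station": "Chamblee", "product": "card", "paid_cents": 100},
    {"card": "C1002", "station": "Chamblee", "product": "card", "paid_cents": 100},
    {"card": "C1003", "station": "Lenox", "product": "card", "paid_cents": 100},
    {"card": "C1004", "station": "Lenox", "product": "card", "paid_cents": 100},
    {"card": "C1004", "station": "Lenox", "product": "30day", "paid_cents": 9600},
]

# Constructed tap log uploaded from gates: what each card claimed to hold.
TAPS = [
    {"card": "C1001", "gate": "gate-A", "product_on_card": "30day"},
    {"card": "C1001", "gate": "gate-B", "product_on_card": "30day"},
    {"card": "C1002", "gate": "gate-A", "product_on_card": "none"},
    {"card": "C1003", "gate": "gate-C", "product_on_card": "30day"},
    {"card": "C1004", "gate": "gate-A", "product_on_card": "30day"},
    {"card": "C9999", "gate": "gate-B", "product_on_card": "30day"},
]


def paid_products(sales):
    """Map card serial -> set of products the ledger shows were fully paid for."""
    paid = {}
    for s in sales:
        if s["paid_cents"] >= PRICE_CENTS[s["product"]]:
            paid.setdefault(s["card"], set()).add(s["product"])
    return paid


def reconcile(sales, taps):
    """Return one alert per (card, reason) where the card claims more than was sold."""
    paid = paid_products(sales)
    alerts, seen = [], set()
    for t in taps:
        card, claimed = t["card"], t["product_on_card"]
        if card not in paid:
            reason = "no-sale-record"          # serial never issued by the agency
        elif claimed != "none" and claimed not in paid[card]:
            reason = "unpaid-product"          # e.g. $1 card presenting a 30-day pass
        else:
            continue
        if (card, reason) not in seen:         # report each card once per reason
            seen.add((card, reason))
            alerts.append({"card": card, "reason": reason, "first_gate": t["gate"]})
    return alerts


def purchase_hot_spots(sales, alerts):
    """Count flagged cards by the station where the card itself was bought."""
    sold_at = {s["card"]: s["station"] for s in sales if s["product"] == "card"}
    flagged = {a["card"] for a in alerts}
    return Counter(sold_at[c] for c in flagged if c in sold_at)


if __name__ == "__main__":
    found = reconcile(SALES, TAPS)
    for a in found:
        print(a)
    print(purchase_hot_spots(SALES, found))
```
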

    2. Re:Any Detail, At All? by noh8rz10 · · Score: 2

      Seven people have been charged with fairly serious crimes, but I can't see the value of the fraud being more than a few hundred or few thousand dollars. It's like counterfeiting $1 bills, what's the point?

      I spent $3,000 on Metrolink tickets last year in Los Angeles. I know many people who pay more. There is serious money in mass transit.

    3. Re:Any Detail, At All? by Anonymous Coward · · Score: 0

      Stupid greedy hacker.

      If an individual did this on his own, just to get free transit rides for himself, he probably would never have gotten caught. Try to sell the scam to everyone though, and obviously he will be detected.

      Greed gets the stupid criminals into trouble. Maybe not every time, but damn well often enough.

    4. Re: Any Detail, At All? by Anonymous Coward · · Score: 0

      MARTA says it's never had something like this happen before.

      How would they know?

  6. It's very different... by Anonymous Coward · · Score: 0

    It's very different to EZ-Pass. All EZ-Pass needs to do is identify you. You don't get your current balance, nor do you get denied access to the road/bridge if your EZ-Pass isn't in credit/isn't active/etc.

    EZ-Pass works because they have a backup mechanism, being video/photographs of license plates so they know who to charge if they can't charge through EZ-Pass - obviously that doesn't work for public transport.

  7. re MARTA by Anonymous Coward · · Score: 1

    Like most of the other government run entities in Atlanta, Marta is run by inept management and awards bids to cronies and relatives. I am not surprised the system was outdated and ineffective.

  8. you don't have an 100% live data link with systems by Joe_Dragon · · Score: 1

    You don't have a 100% live data link with systems like this (lots of metro systems have both bus and rail and there can be cell dead zones that have areas with no data link) and you don't really have a way to bill later if there is some kind of read error.

  9. Except you don't have a 100% link to your db by Anonymous Coward · · Score: 0

    Your somewhat lengthy description misses the key point that these things have to be usable in places where there is no data connection to a centralized database (e.g. on a bus), and so, they MUST contain value which can be locally (with no reference to a central database) validated and decremented.

    I suppose you could do what credit card companies do for small transactions ($50).. always allow, but record the transactions, and go back later to reconcile. If someone "overdrew" their account, you could go after them after the fact. But then, you need to have a "tie" between a specific card and a specific person, which raises all sorts of privacy issues.

    You also need to be sensitive to the aspect of "acceptable losses". In some cases, it is cheaper to let some fraud happen than it is to implement a more complex, expensive, and failure prone system to grind those losses down to zero. This is something the credit card companies have to a finely researched science. This is the primary reason why chip&pin isn't being used in the US. The fraud losses aren't quite high enough to justify the cost of replacing all the cards and readers.

    There have been a number of studies over the years that show that "honor system" fare collection actually works pretty well, with random manual checks by transit police. Yes, there are people who cheat (but then, there are people who hop the turnstiles, too), but *most* people pay their fare. And you save all the costs of fare collection boxes, terminals, readers, etc.

    Mind you, the companies who sell such boxes make the claim (not necessarily substantiated by data) that their costs are paid for in increased revenue, and are happy to whip up the political troops about "fraud waste and abuse".

    1. Re:Except you don't have a 100% link to your db by davidwr · · Score: 2

      always allow, but record the transactions, and go back later to reconcile.

      In other words, treat it like we used to treat credit cards back before instant verification.

      Anyone else remember signing a multi-part credit card form and having the clerk run it through the "ker-chunker"?

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    2. Re:Except you don't have a 100% link to your db by noh8rz10 · · Score: 1

      There have been a number of studies over the years that show that "honor system" fare collection actually works pretty well, with random manual checks by transit police. Yes, there are people who cheat (but then, there are people who hop the turnstiles, too), but *most* people pay their fare.

      It's actually called "proof of payment". You buy a ticket or a pass in the station, and have it available for inspection. If you don't have the ticket, they fine you.

      I assure you there's nothing "honor" about it. You're required to have a ticket, and pay a penalty if you don't have one.

    3. Re:Except you don't have a 100% link to your db by rotorbudd · · Score: 1

      "honor system"
      Don't live in ATL do you?

      --
      A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    4. Re:Except you don't have a 100% link to your db by Anonymous Coward · · Score: 0

      Except it's typically cheaper to pay the occasional penalties instead of tickets.

    5. Re:Except you don't have a 100% link to your db by Anonymous Coward · · Score: 0

      In my jurisdiction, being caught without a ticket is a criminal matter. Like a speeding ticket, you won't get hauled to jail on the first offense, but if you do it habitually, you can bet you will have a court date and real charges to deal with.

    6. Re:Except you don't have a 100% link to your db by Anonymous Coward · · Score: 0

      In your jurisdiction maybe, but not everywhere. Yet it tends to work in those not-your-jurisdiction places just as well. How is it possible if "honor" is not involved?

  10. Does it really need to be secure? by JoeyRox · · Score: 2

    Naturally if they're going to spend the money on a secure system it might as well fulfill that goal. But do these metro metering devices really need to be all that secure? I checked MARTA's fare schedule and their most expensive ticket is $5 round-trip. Doesn't seem like enough incentive for the average joe to cheat it, esp. when you consider how transit authorities use a few high-profile prosecutions to discourage people from even buying second-hand tickets let alone hacking their own. In my view the system only need be marginally more secure than the honor system.

    1. Re:Does it really need to be secure? by BringsApples · · Score: 2

      In my view the system only need be marginally more secure than the honor system.

      I couldn't agree more. And since there is an extreme lack of honor these days, I feel that the next step, rather than spend so much money to secure the transaction(s), is to simply utilize credit/debit cards. If that doesn't work, fuck it, shut the MARTA down; "Sorry folks, the people in this area are too wicked to have nice things."

      --
      Politics; n. : A religion whereby man is god.
    2. Re:Does it really need to be secure? by Anonymous Coward · · Score: 0

      It is not the single trip, it is the monthly fee. A lot of city people buy a monthly pass which could be several hundred $$ a mo. If they can get a fake one for $50 or $0 then they are saving all that money for other things.

    3. Re:Does it really need to be secure? by Pembers · · Score: 2

      Apparently they also do passes that are good for 30 days, which cost $96 (see the comment a few places above). The scam was to buy lots of $1 tickets and reprogram them into 30-day ones.

    4. Re:Does it really need to be secure? by booyabazooka · · Score: 0

      Marta sucks. If you're using Atlanta's public transit, it's probably because you can't afford a car. To a minimum-wage earner, it's not hard to imagine that $5 a day is worth cheating.

    5. Re:Does it really need to be secure? by Anonymous Coward · · Score: 0

      I take MARTA frequently and make north of $130k. But ok.

    6. Re:Does it really need to be secure? by Anonymous Coward · · Score: 1

      They were saving $56 every 30 days buying counterfeit cards. Less than $2 per day. Where did you get $5 from? Lots of people who ride MARTA have cars. You not only save on gas and save on parking, you also don't have to deal with the traffic. Additional benefits, you can read or whatever on MARTA, not while driving. Additional benefit, you can be drunk on MARTA. You can go to happy hour after work, no worries. Additional benefits, less pollution and less dependent on foreign oil. MARTA is pretty good especially for getting to the airport. How do you get to the airport?

  11. The world need more people like this by Gunboat_Diplomat · · Score: 1

    Bit of a tangent, but this story got me thinking about this: http://shamonica.com/2012/05/wizard-spotting-wizards-on-the-bus/

  12. Subway tokens should be cash-like by davidwr · · Score: 1

    If I am not going to use cash, I'd prefer to use a token that is cash-like:
    * is transferable like cash
    * can't be tied back to me
    * isn't widely counterfeited, so I'm not subsidizing freeloaders
    * is convenient to use

    Except maybe for the counterfeiting part, subway tokens and prepaid fare passes generally meet this requirement.

    I don't have any inherent objection to something that operates like a prepaid debit card, as long as I can purchase it anonymously without any additional fees beyond the fare itself. Just don't be surprised if I buy a new card every few weeks instead of reloading the existing one.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. MAX-VALUE and EXP DATE hardcoding by davidwr · · Score: 1

    And this is why stored-value cards should have MAX_VALUE and EXPIRATION_DATE hard-coded into them.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:MAX-VALUE and EXP DATE hardcoding by Anonymous Coward · · Score: 1

      That doesn't help anything. Blank cards cost $1. You are supposed to add fares to them. The cards need to hold up to at least a 30 day pass. Max value would be a 30 day pass. That's what they were selling. They weren't selling $1000 credit or anything. Just a 30 day pass. Expiration dates are several years in the future. People want to keep their card and reload it as often as necessary. You would have to keep buying new fake cards every 30 days, to maintain the discount, so the expiration date is also irrelevant.

  14. Quick question by Okian+Warrior · · Score: 5, Interesting

    Out of curiosity, how much revenue comes in from fares, and how much expense goes out in fare maintenance?

    A lot of metro systems charge fares in addition to getting public support from taxes. Has anyone thought to tally the costs of the fare system compared to the income? Things like cost of the machines, maintenance of the machines, maintenance of the turnstiles, accounting, law enforcement &c... all these things add up.

    Even if the fares bring in revenue, it's probably minor. Most of the cost goes into collecting the fares, so most of that value is wasted.
    The economy would get a boost if that money were freed up to be spent by consumers, and doing so would help the people who need it the most (ie - poor people).

    This whole thing seems like a fabricated problem - a system that forces people to spend money just for the sake of spending it. Then spend more money reimplementing the system when the original system is found to have flaws, then spend countless hours and resources in enforcement and prosecution.

    Just get rid of it. Let the money go into the economy.

    1. Re:Quick question by Anonymous Coward · · Score: 0

      Out of curiosity, how much revenue comes in from fares, and how much expense goes out in fare maintenance?

      A lot of metro systems charge fares in addition to getting public support from taxes. Has anyone thought to tally the costs of the fare system compared to the income? Things like cost of the machines, maintenance of the machines, maintenance of the turnstiles, accounting, law enforcement &c... all these things add up.

      Even if the fares bring in revenue, it's probably minor. Most of the cost goes into collecting the fares, so most of that value is wasted.
      The economy would get a boost if that money were freed up to be spent by consumers, and doing so would help the people who need it the most (ie - poor people).

      This whole thing seems like a fabricated problem - a system that forces people to spend money just for the sake of spending it. Then spend more money reimplementing the system when the original system is found to have flaws, then spend countless hours and resources in enforcement and prosecution.

      Just get rid of it. Let the money go into the economy.

      You mean like how years ago some wise-acre calculated that it was cheaper to buy everyone in Washington DC a new compact car every three years than it was to fund METRO?

    2. Re:Quick question by radarskiy · · Score: 1

      While I am receptive to the concept that sometimes it is not worth it to collect the money (that why transit systems are moving to face cards, so that they don't have to handle change), fares also provide some demand management. Even if you are not applying demand-based fares, charging a non-zero amount the far end of the demand curve which would happily fill and overflow all capacity and will let you find when/where you really need to add new capacity.

    3. Re:Quick question by swb · · Score: 2

      That's a great question. From what I've read about the Minneapolis light rail system, fares cover about a third of the operating cost. I'm not sure what the fare collection costs are (machines, enforcement, etc) but it's hard to see them being more than 10% of the fare revenue, especially when you consider that a lot of the collection costs are upfront (buying, installing machines, etc) and basically one-time costs.

      You do wonder what would happen if they just made riding it free. It might mean more ridership which would enhance some of the secondary economic value of the system which seems to be a major selling point (reduced traffic, development on the line, etc).

    4. Re:Quick question by Okian+Warrior · · Score: 1

      While I am receptive to the concept that sometimes it is not worth it to collect the money (that why transit systems are moving to face cards, so that they don't have to handle change), fares also provide some demand management. Even if you are not applying demand-based fares, charging a non-zero amount the far end of the demand curve which would happily fill and overflow all capacity and will let you find when/where you really need to add new capacity.

      Wow. Elliptical much?

      Put it in terms of value. Does demand management have any value? Could demand be managed by another method, such as historical prediction, or simply by having people press a button to "call" trains to stations?

      You can't make a case for options unless the value (or utility) of each option is known. Just referring to an amorphous ill-defined term "demand management" doesn't cut it.

      Does demand management have any value? And if it does, is demand management by fares the best way?

    5. Re:Quick question by Okian+Warrior · · Score: 1

      I'm not sure what the fare collection costs are (machines, enforcement, etc) but it's hard to see them being more than 10% of the fare revenue, especially when you consider that a lot of the collection costs are upfront (buying, installing machines, etc) and basically one-time costs.

      I can't find a detailed budget for Minneapolis, but fare costs for other cities are always over 85% (for cities I've looked at to date) and can be higher than 100% in some cases. BTW, fares account for only 15% of the Minneapolis light rail revenue (source).

      There are a lot of hidden costs, such as personnel to collect the coins/tokens/strips, empty and reload the machines, personnel to do maintenance, and such. Personnel are very expensive to maintain - did you include the pensions?

      I don't know what the expenses are either, but I'm sure it's over 85%.

      Factor in the invisible savings (decreased traffic, higher local economy through increased usage, decreased pollution, less need for other infrastructure such as parking) and it looks like a clear win.

    6. Re:Quick question by bsa3 · · Score: 2

      There are indeed a reasonable number of fare-free systems. But you neglect the core purpose of public transit as it is seen by most US governments—i.e. distributing cash. Even if a system has 10% farebox recovery, they still get to buy the equipment and employ people to collect the money. Sure, they could go to proof-of-payment (or drop fares entirely), and further reduce costs by putting the Buy America Act and Davis-Bacon out of their misery, but that would reduce the opportunity for graft.

    7. Re:Quick question by Anonymous Coward · · Score: 0

      MARTA receives zero public funding, so everything it does depends on the revenue from fares.

    8. Re:Quick question by pepty · · Score: 1

      I can't find a detailed budget for Minneapolis, but fare costs for other cities are always over 85% (for cities I've looked at to date) and can be higher than 100% in some cases. BTW, fares account for only 15% of the Minneapolis light rail revenue (source).

      The difference is explained in that article: fares only account for 15% of the total cost for Minneapolis light rail, not 15% of the total revenue. Most cities only talk about fares collected vs operating expenses; they don't include capital expenditures and debt service, which together can be larger than operating expenses.

    9. Re:Quick question by Anonymous Coward · · Score: 0

      MARTA receives very little tax revenue. Most of its revenue comes from the fares received. And then they can only spend 50% on operating costs and the 50% has to be saved for infrastructure enhancements. But the cost of adding stops is incredible. Add in the fact that the suburban counties that have no public transit refuse to allow MARTA to come into it because it allows "poor" people to get in and out very quickly. There aren't many places for it to go. MARTA has an incredible amount of capital, they just by law can't spend it and operate at a loss every year because of this.

      The state won't assist MARTA but it ties its hands on how to operate. The original plan was to be free and open to all, but the leaders didn't want it to be a place for the "poor" (at the time this could also read Black). The whole MARTA system is governed by rich white people who would destroy it if possible.

    10. Re:Quick question by plover · · Score: 1

      In that article the politician was saying that fares are 30% of the revenue used to offset operating expenses, but that excludes any mention of servicing the mortgage on the capital investments, which he argues doubles the actual cost of a ride, meaning fares provide only 15% of the cost of the ride. (I think it's a poor argument, by the way, because it completely ignores the benefits produced by a functioning mass transit system, but that's a giant political debate that we don't need to have here.)

      The grandparent was asking "what percentage of the fares goes into collecting the fares?" I assume he's asking questions about the technology, such as installing card validators, issuing cards, having transit police perform random checks, maintenance on the readers, servicing the cash in the ticket machines, etc. For Metro Transit, non-fuel and non-payroll operating expenses are about 85% meaning that the operating cost of everything else (utilities and other is 8.4% and central support is 6%) is 14.4%. No matter what, it's less than the amount of the fares. (I'm excluding transit police labor as they are needed for rider safety instead of just fare collection; even so, they're only about 1% of the labor.)

      So how does all this fit in with MiFare cards? Cards with better security would cost more - perhaps double the cost per card, and possibly an upgraded price for the turnstile software would be needed, too. But these criminals were caught with the current system, and after making only a few tens of thousands of dollars. The cost of reissuing new cards could easily go to a million dollars. So far, the cost of fighting fraudulent cards isn't worth the difference in price. Of course, if the criminals were making millions, and if they were never getting caught, then it would be worth the money to replace the cards. Just maybe not today.

      --
      John
  15. 3 questions by jonwil · · Score: 1

    1. Why are these things so weak and easily broken?
    2. Why don't the companies that make them invest a bit more money in making them harder to break (instead of on lawyers to sue people who break them)?
    and 3. If the companies that make them won't fix them, why isn't someone else offering systems with stronger encryption?

    1. Re:3 questions by Velex · · Score: 1

      I'd really like to know the answer to #3.

      Off the top of my head, I don't understand why they don't have a private key known only to the bus/station equipment that does the reading/writing of the amount on the card and some kind of incrementing or rotating ID to prevent replay attacks/card cloning? Each bus could have an ID and a counter, then each morning distribute to a system on each bus the bus/counter combinations that have already been used maybe say in the past 3 or so months depending on how much data that would be and how much storage would be available on the bus. Make sure to design in some key rotation of the private key as well. Sure, it's not perfect and probably has attack vectors I'd need a second set of eyes to catch, but it's better than this and doesn't require any wireless anything except maybe at the station (or a USB thumb drive would work just fine to get the lists to the busses in the morning). Why isn't there a market for a more secure system?

      Is there really something about a solution along those lines that would cost an order of magnitude more than the existing equipment or at least more than these flawed systems cost bus operators both in lost revenue and paying the lawyers?

      BUT, I guess implementing a system that would require some serious effort on the part of a criminal to circumvent doesn't play as easily into the American narrative of poor folks and their lack of virtue and lives of petty crime. I also don't have any family in government or backroom connections that would get me the contract, either. Maybe that's sadly the answer to #3.

      That leads us to an answer to #2 and sort of to #1 as well: it's more satisfying to Americans to create a flawed system and catch people in the act of exploiting that system than it is to just implement a system that's too difficult to circumvent.

      --
      Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
    2. Re:3 questions by Velex · · Score: 1

      Whoops, should be secret key, not private key!

      --
      Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
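The scheme sketched in the two comments above (a secret key held only by bus/station equipment, plus a device ID and counter to catch replays) can be written down as follows. This is an added example, not code from any transit vendor or from the commenter; the record layout, field names, product codes, key and UID are all constructed, and HMAC-SHA256 is an assumed choice of MAC.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

FMT = ">BIHHI"                    # product, value_cents, expiry_day, writer_id, counter
BODY_LEN = struct.calcsize(FMT)   # 13 bytes
TAG_LEN = 8                       # truncated tag (assumed card storage limit)


@dataclass(frozen=True)
class Record:
    product: int      # constructed codes: 0 = stored value, 1 = 30-day pass
    value_cents: int
    expiry_day: int   # days since 1970-01-01
    writer_id: int    # bus/station device that wrote this record
    counter: int      # that device's incrementing write counter


def card_tag(key: bytes, uid: bytes, body: bytes) -> bytes:
    # Length-prefix the UID so the (uid, body) boundary is unambiguous.
    msg = bytes([len(uid)]) + uid + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, uid: bytes, rec: Record) -> bytes:
    body = struct.pack(FMT, rec.product, rec.value_cents, rec.expiry_day,
                       rec.writer_id, rec.counter)
    return body + card_tag(key, uid, body)


class Reader:
    """Offline validator: needs only the secret key and the synced 'used' list."""

    def __init__(self, key, writer_id, used=()):
        self.key, self.writer_id, self.counter = key, writer_id, 0
        self.used = set(used)      # (writer_id, counter) pairs already superseded

    def check(self, uid, blob, today):
        if len(blob) != BODY_LEN + TAG_LEN:
            return "malformed", None
        body, tag = blob[:BODY_LEN], blob[BODY_LEN:]
        if not hmac.compare_digest(tag, card_tag(self.key, uid, body)):
            return "bad-mac", None     # edited fields, or record moved to another UID
        rec = Record(*struct.unpack(FMT, body))
        if (rec.writer_id, rec.counter) in self.used:
            return "replayed", None    # an old record was written back to the card
        if rec.expiry_day < today:
            return "expired", None
        return "ok", rec

    def debit(self, uid, blob, fare_cents, today):
        status, rec = self.check(uid, blob, today)
        if status != "ok":
            return status, blob
        if rec.product == 0 and rec.value_cents < fare_cents:
            return "insufficient", blob
        self.used.add((rec.writer_id, rec.counter))   # retire the old record
        self.counter += 1
        value = rec.value_cents - fare_cents if rec.product == 0 else rec.value_cents
        new = Record(rec.product, value, rec.expiry_day, self.writer_id, self.counter)
        return "ok", seal(self.key, uid, new)


def demo():
    key = bytes(range(32))                       # constructed key
    uid = bytes.fromhex("04a1b2c3")              # constructed card UID
    today = 16100
    issued = seal(key, uid, Record(0, 500, 17000, 900, 1))   # vending device 900
    bus = Reader(key, writer_id=7)

    edited = bytearray(issued)
    edited[0] = 1                                # flip product to "30-day pass"
    out = {"edited": bus.check(uid, bytes(edited), today)[0],
           "other_uid": bus.check(bytes.fromhex("04ffeedd"), issued, today)[0]}

    status, updated = bus.debit(uid, issued, 250, today)
    out["debit"] = status
    out["new_value"] = bus.check(uid, updated, today)[1].value_cents
    out["rollback_same_bus"] = bus.check(uid, issued, today)[0]
    synced_bus = Reader(key, writer_id=8, used=bus.used)     # after the morning sync
    out["rollback_synced_bus"] = synced_bus.check(uid, issued, today)[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Every reader holds the same key in this sketch, so key storage in the devices and the key rotation the comment asks for carry the whole design, and the used list is only as fresh as the last sync. Binding the tag to the UID helps only where the UID itself cannot be rewritten.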
    3. Re:3 questions by plover · · Score: 1

      The thing that comes to the top of my mind is customer throughput and system speed. Public key cryptography works on really big numbers, and RFID technology doesn't exactly operate at blazing megabit speeds. Long ago we tried a smart card (contact) system that took 1500 milliseconds to exchange an RSA encrypted message with the reader at 9600 baud. The four cryptographic exchanges the vendor had the device performing took a total of six seconds, and none of our customers liked it. For a transit system to be effective, a crowd of people needs quick throughput, and even waiting two seconds each for card to authorize might be a deal breaker.

      So you really have two choices: great security that is slow and expensive, or good enough security that's fast and cheap, but you need a few more layers of it.

      The practical answer is to buy cards that are fast, cheap, and hard to clone (not impossible, just hard), and impose severe penalties for anyone using a cloned card. Put in fraud detection software and systems. Audit the riders occasionally (using police that you already have for safety reasons.) Run cameras (which they have for robberies anyway.) And make sure that fraudsters are prosecuted in the public square as a warning to others. This news article is actually a deliberate part of the security of their system.

      It's not that "it's more satisfying", it's simply more practical. (Other than the DEA and others "fighting the war on drugs", I've never met anyone in the criminal justice system who wants more laws for people to break so they can catch more bad guys - there are already more than enough real bad guys to go around.)

      --
      John
  16. Re:you don't have an 100% live data link with syst by Anonymous Coward · · Score: 0

    As someone who reads without having to sound out every word for possible homophones, it's really frustrating when the wrong word is used.

  17. NYC born, recently moved to Atlanta by Deemus · · Score: 2

    MARTA - Moving Africans Rapidly Through Atlanta (or so the locals call the system).

    It's probably wrong to, but I applaud the hackers. It's really only the poor folks in Atlanta that use the system (everyone else drives) and every little bit they can save helps.

    1. Re:NYC born, recently moved to Atlanta by BenoitRen · · Score: 1

      I find the abbreviation, MARTA, cute. Reminds me of a certain video game character.

    2. Re:NYC born, recently moved to Atlanta by Anonymous Coward · · Score: 0

      Hmmm. I've lived in Atlanta for well over a decade and never heard it called that. I guess it shows the type of people you hang out with.

      Also, I use MARTA daily and seem to be making six figures. The only non-random times MARTA is downright unpleasant is after the Peachtree road race when hundreds of sweaty smelly joggers are riding or before/after Braves/Falcons games.

      The Breeze system sucks. The old token and monthly pass system was much more reliable and convenient.

    3. Re:NYC born, recently moved to Atlanta by Anonymous Coward · · Score: 0

      In fact more people are taking public transit in the USA, and indirectly contribute to the population increase of the urban area, because people don't want the cost and hassle of owning a car.

    4. Re:NYC born, recently moved to Atlanta by pepty · · Score: 1

      There's a little train in the Wild Animal Park north of San Diego, it was accidentally named WGASA by an employee:

      Snopes:

      Some years ago, the famous San Diego Zoo opened a second, larger branch called the San Diego Wild Animal Park. The Park is built around an enormous open-field enclosure where the animals roam free. To see the animals, visitors ride on a monorail called the Wgasa Bush Line which circles the enclosure. Here's the true story of how the Wgasa Bush Line got its name. They wanted to give the monorail a jazzy, African sounding name. So they sent out a memo to a bunch of zoo staffers saying, "What shall we call the monorail at the Wild Animal Park?" One of the memos came back with "WGASA" written on the bottom. The planners loved it and the rest is history. What the planners didn't know was that the zoo staffer had not intended to suggest a name. He was using an acronym which was popular at the time. It stood for "Who Gives A Shit Anyhow?"

    5. Re:NYC born, recently moved to Atlanta by 0xdeadbeef · · Score: 1

      It's funny how Northerners are the most racist people in the South these days.

    6. Re:NYC born, recently moved to Atlanta by Anonymous Coward · · Score: 0

      I bet the suburban workers traveling into ATL daily using MARTA would be offended. MARTA is almost always cheaper than paying for parking in midtown or downtown, avoids traffic and for many people, it avoids weather in-the-city too.

      I worked in the AT&T building - at the North Ave station. Everyone who could, used MARTA to get to work. The company subsidized the cards too.

      Using MARTA for events at the GA-Dome and other venues is smart too. They alter the train schedule to help. It really is amazing.

      I live in an area of town not served by MARTA and taking the "express bus" would almost triple my commute, plus it runs just 6 times a day, so the ability to stay a little late at work would be completely lost without taxi fare (about $50 from work to park-n-ride). Driving to a MARTA station takes about as long as driving into mid-town, so that really isn't an option.

      MARTA made sense for short airport trips before they started charging for daily parking. No I just drive to off-airport parking and get reimbursed by the company for parking expenses as part of my travel. Last month, that was $150 for a trip overseas.

      It is only when MARTA is comparable to driving that I use it. Did lots of comparisons - even made a spreadsheet to see the different costs. Ended up carpooling about 3x weekly with someone a few neighborhoods away for about 5 months before retirement. We both had flexible schedules, but were almost always on-time for each other.

  18. Re:you don't have an 100% live data link with syst by Anonymous Coward · · Score: 0

    It's is not, it isn't ain't, and it's it's, not its, if you mean it is.
    If you don't, it's its. Then too, it's hers. It isn't her's.
    It isn't our's either. It's ours, and likewise yours and theirs.
    -Oxford University Press, Edpress News

    See how easy that was?

  20. not public works, political cover by Anonymous Coward · · Score: 0

    It's not to distribute cash.. It's to provide political cover to respond to TEA types... Gol durnit, I demand that the illegal alien riding the subway pay a fare and not suck off my 'murican taxes. I think highly of our soldiers (but haven't actually served) and we need to protect murica against freeloaders. Gol durned socialists and communists.. Keep your effen hands off my Medicare and Social Security.

  21. 55% from fares by Anonymous Coward · · Score: 0

    MARTA receives 55% of its revenue from fares. (http://www.itsmarta.com/uploadedfiles/About_MARTA/Reports/AR-FY12-Full12-31FINAL.pdf, see second-to-last page)

    21% of revenue comes from sales taxes; 15% comes from the US Federal government, and the rest comes from advertising, leasing or interest income, or debt. (MARTA receives no funding from the state of Georgia)

    One problem specific to MARTA is the fact that many riders live outside the MARTA sales tax region (Fulton and DeKalb counties) and thus any money put "back into the economy" would not necessarily benefit the transit system. Riders from the broader region (Cobb, Clayton, Gwinnett counties) pay nothing into the MARTA system except fares.

  22. How is this okay, but BitCoin is OMG Bad? by sirlark · · Score: 1

    Storing value on a or other physical token that is clonable and/or manipulable basically means you can create 'value' out of nothing. This is government sanctioned. Created value isn't taxed, can be used as anonymously as cash, and can be used to transfer money (real or fake) without the government's knowledge. Granted, I don't see your local drug dealer accepting cloned MiFare cards... actually, chances are local organised crime already distributes them, so they are already part of the same economy, so if they can be sold, they could be accepted. But bitcoins are bad? I don't get it.

    1. Re:How is this okay, but BitCoin is OMG Bad? by DarwinSurvivor · · Score: 1

      Bitcoins are not "generated" currency. While bitcoins themselves may be generated through the algorithm, that does not cause a generation of total bitcoin value in the system. When new bitcoins get generated, a slight drop (or lessening of the increase) of the value of any given bitcoin occurs. If a billion bitcoins suddenly got generated (due to a bug, etc), bitcoin's value would plummet. This is very similar to other countries who suddenly decide to print a bunch of money. When this happens, other countries devaluate the exchange of that currency and the only real effect felt is the devaluation of the value of everyone else's money that happens to be in the same currency (unless of course the printing/generating is done in secret, but that just delays the crash).

  23. Target? anyone by Anonymous Coward · · Score: 0

    Love it, this is the style of card they want to change you to, instead of a magnet strip, to an RFID, which is crackable, and by near field. Aluminum foil anyone?

  24. Another Coward by Anonymous Coward · · Score: 0

    It does tell you your balance is low so I don't think it's entirely static

  25. Get real by terrywirth5 · · Score: 1

    Did you expect these crackers to be proactive against hackers? I think not. They invest far more in being proactive against "blackers." I have been to Atlanta scores of times and it is a joke of a metropolis. Nothing of worth is going on down there and oh yeah, you better own a car.