December 14, 2024

New $2B Dutch Transport Card is Insecure

The new Dutch transit card system, on which $2 billion has been spent, was recently shown by researchers to be insecure. Three attacks have been announced by separate research groups. Let’s look at what went wrong and why.

The system, known as OV-chipkaart, uses contactless smart cards, a technology that allows small digital cards to communicate by radio over short distances (i.e. centimeters or inches) with reader devices. Riders would carry either a disposable paper card or a more permanent plastic card. Riders would “charge up” a card by making a payment, and the card would keep track of the remaining balance. The card would be swiped past the turnstile on entry and exit from the transport system, where a reader device would authenticate the card and cause the card to deduct the proper fare for each ride.

The disposable and plastic cards use different technologies. The disposable card, called Mifare Ultralight, is small, light, and inexpensive. The reusable plastic card, Mifare Classic, uses more sophisticated technologies.

The first attack, published in July 2007, came from Pieter Sieckerman and Maurits van der Schee of the University of Amsterdam, who found vulnerabilities in the Ultralight system. Their main attacks manipulated Ultralight cards, for example by “rewinding” a card to a previous state so it could be re-used. These attacks looked fixable by changing the system’s software, and Sieckerman and van der Schee described the necessary fixes. But it was also evident that a cleverly constructed counterfeit Ultralight card would be able to defeat the system in a manner that would be very difficult to defense.

The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Raboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.

The plastic Mifare Classic card does use cryptography: legitimate cards contain secret keys that they use to authenticate themselves to readers. So attackers cannot straightforwardly clone a card. Mifare Classic was designed to use a secret encryption algorithm.

Karsten Nohl, “Starbug,” and Henryk Plötz announced an attack that involved opening up a Mifare Classic card and capturing a high-resolution image of the circuitry, which they then used to reverse-engineer the cryptographic algorithm. They didn’t publish the algorithm, but their work shows that a real attacker could get the algorithm too.

Unmasking of the algorithm should have been no problem, had the system been engineered well. Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that security should never rely on keeping an algorithm secret. It’s okay to have a secret key, if the key is randomly chosen and can be changed when needed, but you should never bank on an algorithm remaining secret.

Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once you know the algorithm it’s possible for an attacker to search the entire 48-bit key space, and therefore to forge cards, in a matter or days or weeks. With 48 key bits, there are only about 280 trillion possible keys, which sounds like a lot to the person on the street but isn’t much of a barrier to today’s computers.

Now the Dutch authorities have a mess on their hands. About $2 billion have been invested in this project, but serious fraud seems likely if it is deployed as designed. This kind of disaster would have been less likely had the design process been more open. Secrecy was not only an engineering mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it allowed the project to get so far along before independent analysts had a chance to critique it. A more open process, like the one the U.S. government used in choosing the Advanced Encryption Standard (AES) would have been safer. Governments seem to have a hard time understanding that openness can make you more secure.

Comments

  1. Nathanael Nerode says

    FYI, my previous comment describes a scheme for preventing the transit operator from being defrauded, pretty much.

    Preventing individuals from being defrauded is much harder, since the cards can *still* be cloned (the thief just eats up your card balance rather than getting free rides). This attack can never be entirely prevented, just like counterfeit currency can’t be entirely prevented, and should be addressed by much the same mechanisms.

  2. Nathanael Nerode says

    “Actually, the real security flaw is that the card (and by extension, the cardholder) is trusted to be truthful about their balance, instead of storing account balances in a central database and the cards functioning only as ID.”

    Pretty much correct: any card which stores balances is duplicatable, at a minimum.

    As for the privacy concerns, there’s no reason that there should be one ID per person. One ID per card issued, with no tracking of most cards, is perfectly reasonable. It’s what we do for currency notes: they each have an ID number which represents that bill, not the person owning it.

  3. free public transportation for everybody ?

  4. “That’ll be thirteen counts per second, please.”

    Great — pocket change that glows in the dark. And I thought my suggestion of mercury was outlandish. 🙂

  5. @Spudz:

    Matthew Hui pints out all the old problems with commodity currency, but overlooks the obvious solution: choose a material that self-reports it’s amount and purity. Depleted uranium is a natural choice. The amount of radiation per unit time protects against shaving, base metal replacement, etc etc. It will also create a nice market for lead-lined coin purses.

    ps miss the party palace

  6. Hi Robert,
    The card is the Sony RC-S831 – summary info should be available on the Sony website.
    It’s far better security-wise compared to the old mifare Classsic card, and uses triple-DES security and a good random number generator.
    However, its silicon layer protection isn’t up to modern smart card security techniques.
    Along with the DESFire, one of the best transit cards in use today. Its major downside is that it doesn’t comply with ISO-14443.

  7. Robert Chua says

    Does anyone know about the ezlink contactless smart card system they use in Singapore for buses and trains? It sounds similar, but I wonder about the security aspects and whether it’s crackable.

  8. olesmartie evidently hasn’t heard of that newfangled thing called “wi-fi” 🙂

  9. Spudz: “So the transit card network could be engineered to be reliable. Or it could be changed to use the existing network”
    Let’s not forget that a significant part of a multi-modal transit network uses offline terminals, such as buses. This is why most transit systems using smart cards store purse balances, remaining rides and transaction details on the cards and in the terminals, as this information is required to continue a journey on another transport mode, and for calculating multi-modal, multi-operator discounts. If there is a reconciliation problem, the card can be hotlisted out of service, so that it has to be brought in for online checks with the back-end system records.
    Spudz: “…then set off an EMP bomb near their target’s headquarters to wipe out their records or at least scramble their systems enough to slow down or prevent their ever detecting the heist.”
    But what about the duplicate backup site at a separate, undisclosed physical location? It’s not quite like the movies…
    Most transit system threats usually come from within, often rogue staff. These are never discussed outside the transit organisations.

  10. Supercat suggests holograms on cards, and storing balances on cards to cover network outages with later “reconciliation” of their ledgers.

    Three problems:

    * I’m not sure how hard it is, in practise, to clone cards with security features like holograms. It may make cloning unviable except for volume producers of cloned cards; i.e. keep random riffraff out and leave organized crime with the whole card-cloning pie. I’m not sure that’s really very desirable though.

    * Network outages should be quite rare nowadays. The debit-card processing network here is very robust; these days a failure is typically remedied by just swiping the card again, or failing that by using a different card reader gadget at the supermarket. Indicating that the network doesn’t tend to fail these days but the card readers get dust in them. So the transit card network could be engineered to be reliable. Or it could be changed to use the existing network: you do a debit card swipe at the turnstile and get a receipt or ticket of some sort that functions as proof of purchase plus the turnstile turns.

    * Using the reconciliation of ledgers strategy in a system like this leaves open the possibility of a large organized heist centered on blowing up the target institution’s ability to reconcile its records after the fact. A gang could, for instance, engineer a network crash (DoS attack, say), perform numerous fraudulent transactions using forged/cloned cards or other instruments, and then set off an EMP bomb near their target’s headquarters to wipe out their records or at least scramble their systems enough to slow down or prevent their ever detecting the heist.

    Admittedly, the latter isn’t that big a risk for a transit system. It has turned up a few times as a movie plot, though. 🙂

  11. olesmartie says

    supercat: “Holograms are very cheap to mass-produce in huge quantities, and expensive to counterfeit except in really huge quantities.”
    Please correct me if I am wrong, but it took Microsoft about 18 months to perfect their “high-security Windows logo hologram. It took the Chinese less than six months to copy it. And most transit card serial numbers are inkjet printed, not stamped.
    supercat: “Working with RFid chips over long distances is difficult”.
    Did you see the web article on how to design a long-range RFID sniffer? Works out to 0.4 metre. While the loop antenna was large, it’s still possible to conceal..
    Also have you seen the many articles on how to read ePassports and obtain the personal information?

  12. Working with RFid chips over long distances is difficult, because the amount of power radiated by the chip will fall off with the square of distance, and the amount of power the receiver gets will likewise fall off with the square of distance. So the net drop off is r^4. Using a large antenna will help somewhat, but at distances which are large relative to the size of the antenna the r^4 term will remain.

    Still, what should have been done with things like passports would have been to construct them in such a way that they only work when open. This would allow the advantages of contactless reading while allowing people to avoid having their passports read without their knowledge or consent (the passport attack would require the ability to talk to the passport for a considerable length of time; if someone only opens the passport for a few seconds for a legitimate read, that would not be enough time for the attack).

  13. //Sorry, but it has been proven, many times, that visible ”security” does not work.//

    Holograms are very cheap to mass-produce in huge quantities, and expensive to counterfeit except in really huge quantities. If the transit company includes a hologram on each card and indelibly stamps it with the card’s serial number, how is one going to produce a counterfeit card that can withstand inspection by a ticketing agent?

  14. Contactless cards are just a case of the stupid, for that matter.

    I’ll agree with Spudz on this one.

    I recently signed up with Virgin Boradband and got a Broadcom 3G wireless modem. Signal is marginal in my area so the unit was operating at the lower limit of its input power — a measly -110dBm which in regular SI units equals 10 picowatts (blinking your eye once every 10 minutes would require considerably more power). I’ll point out that it was actually fully operational at this power level and this is mass-produced technology, nothing exotic or hard to get.

    The addition of an off-the-shelf microwave dish cranked up the power by 30dB (the input power is multiplied 1000 times). Put these two easily obtainable technologies together and you can read your RF device from pretty much any distance that still gives direct line of sight.

    A very complex device can detect the extra delay caused by someone talking to it at a distance, but the speed of light is not easy to measure — it adds cost to the device, and the attacker may be passively monitoring a legitimitate transaction. And for the record, yes I’m aware that good crypto will make it incredibly difficult for an attacker to steal data even when they can read both sides of the conversation. However, every time one of these products hits the market we find that the crypto isn’t all that strong, and it gets broken in about two weeks. Once again, the RF passport debacle comes to mind.

    Looks to me like RF smartcards are an answer looking for a question and/or an accident waiting to happen (depending on your point of view).

  15. Oh, what fun: “Olesmartie’s comment fails to deal with the reality is that automated systems rarely catch all the issues, which means that some human has to put eyeballs on the log files.”
    No disagreement here. In fact many back-end system do not have their auditing turned on or fully enabled.
    So we were relying, at least partially, on the cards themselves being reasonable secure.
    supercat: “If the fare cards have unique identifiers, even if they can’t be checked real-time with every transaction, it should be possible to detect a significant percentage of cloned or otherwise fraudulent cards.”
    True, but it is far too easy to clone cards. And as Oh, what fun says, and I agree, back-end systems do not always detect these cloned cards.
    Matt Falcon: “…why the hell are they storing balance on the cards?”
    With offline terminals, you have to do this Matt. OK, so there are post-paid systems out there, but I do not believe that they are successful. And remember that it is possible to clone cards, apparently now even easier to clone some types.
    supercat: “The solution to that is to put in some visible security features on the card.”
    Sorry, but it has been proven, many times, that visible ”security” does not work. A hidden secret will, theoretically, prevent card cloning, but the card security has to be better than we are seeing on some transit cards.

  16. //But on a centralized system with countless networked reader/POS systems, why the hell are they storing balance on the cards?//

    If cards hold nothing but an identifier, then the system becomes useless in case of network failure. Having a stored balance on the card avoids that problem; if card balances are reconciled with the central system whenever practical, the risk of fraud should be minimal.

    A few decades ago, banks used to offer passbook savings accounts. When money was deposited at a bank branch, they would note the deposit in the book. If the book was taken to a different branch, they would observe the deposit noted therein and allow a withdrawal. Although it probably would not have been overly difficult to forge an entry in the book, and although such a forgery would probably have succeeded in the short term (i.e. the second bank would allow a withdrawal even if the account didn’t really have the funds to cover it) someone performing such forgery would almost certainly get caught once the branches cross-checked their books.

    I see no reason the same principle shouldn’t apply here. When immediate confirmation of a card’s balance isn’t available, assume the card contains what it says. But log the account number and claimed balance, to allow for reconciliation at a later time.

  17. //The original won’t be distinguished from the clones, so cloners will just pickpocket someone else’s card, clone it a thousand times, and laugh uproariously when the police pick up the victim of their theft and charge him with fraud.//

    The solution to that is to put in some visible security features on the card. If I present at the ticket gate a card that’s been cloned dozens of times, the security agent should ask to see my card. If it’s a boring piece of white plastic, I’m busted. But if it has the proper hologram or whatever other features would mark a real card, it’s probably legit; in that case, the station should simply exchange my card and issue me a new one.

  18. Contactless cards are just a case of the stupid, for that matter.

    Meanwhile …

    “If the fare cards have unique identifiers, even if they can’t be checked real-time with every transaction, it should be possible to detect a significant percentage of cloned or otherwise fraudulent cards.

    Even if fraudulent cards work seamlessly 99% of the time, if there’s an unpredictable 1% of the time that users will end up in court, that should provide an adequate deterrent to fraud.”

    This has a serious problem: you could have your card pickpocketed on Monday and wind up in court on Friday. The original won’t be distinguished from the clones, so cloners will just pickpocket someone else’s card, clone it a thousand times, and laugh uproariously when the police pick up the victim of their theft and charge him with fraud.

  19. It’s simply stupid that they don’t just use a central system like banks and credit/debit contactless cards. How much R&D needed to go into a writeable CONTACTLESS card anyway?! I mean, a smartcard, with contacts, a chip, and a writeable balance information, used in standalone devices, is easily hacked. But on a centralized system with countless networked reader/POS systems, why the hell are they storing balance on the cards? They should be using read-only cards with a small ID/number stored in them, which the machines read and process the transaction online with. No counterfeits possible – well, except for the usual fare of ripping off someone’s card by brushing by them, but that’s still just as possible as the Visa cards used today (only with much higher value in *them*).

    It’s just a case of the stupid, IMO…

  20. If the fare cards have unique identifiers, even if they can’t be checked real-time with every transaction, it should be possible to detect a significant percentage of cloned or otherwise fraudulent cards.

    Even if fraudulent cards work seamlessly 99% of the time, if there’s an unpredictable 1% of the time that users will end up in court, that should provide an adequate deterrent to fraud.

  21. Andy Wong: “Encourage people to take public transports, thus less traffic jam”

    You can look from the other end — intentionally or not, fares serve as a deterrent to ridership levels rising to beyond what the system can support.

    I used to live in a place where the public transit I had to use to get to work was so overloaded that I often had to let 1-2 trains pass until I could (physically!) get on one. (I lived and worked at stations close before major exchanges, in both directions.)

    That train system was physically maxed out in terms of the train schedules the infrastructure could support. And rides were not free.

  22. Oh, what fun... says

    Olesmartie’s comment fails to deal with the reality is that automated systems rarely catch all the issues, which means that some human has to put eyeballs on the log files. But that costs money so log files are ignored for the most part. Here in the US I would say that 90%+ are rotated into oblivion with nary an eye ever seeing them.

    To back up to the “free” transit approach for a moment, here in the US generally there is a mandate that transit systems must make some % of their costs from the fares (40%, I think). This means that 60% of the total costs are being paid by taxpayers in any case. I don’t know what the costs of collection are, but they are not trivial. One result is that the price goes up, the ridership goes down and transit is eliminated to “save money.” But do we really save anything by the time we talk about wasted resources, time lost to traffic jams, greenhouse gasses, etc.?

    Then too, there are examples from time to time of skimming and other fraudulent behavior which means that someone has to police the system. Then corrupt cooperation between the watchers and the watchers happens as well. So, at some point is get silly to spend all the effort to ensure that every step is protected and guarded when one could just make the rides free, save a bit, and have the whole society pay for the benefits that would be reaped. We’re going to have to spend it in the long run remediating the damage done by the inefficiencies, so why not design it in up front?

    Yeah, I know, we wouldn’t get to play with all the nifty computer whiz bang stuff on someone else’s nickel, but, what the hey, we’d have more time to play, period.

    I suggest that we include this type of social thinking when we are designing technological solutions. This might leave something of the planet for our kids to enjoy.

  23. Manigen, the Oyster system does use the mifare Classic card, same as the Netherlands system. And yes, the security of this card is poor, so the Oyster system is under the same threats as the Netherlands system.
    One possible reason it hasn’t been hacked (or maybe it has, and the back-end system auditing hasn’t detected the hacks yet) is that, as with most transit systems, the effort’s not worth the return. So you obtain 24-48 hours free travel until the back-end auditing detects your bad card and hotlists it out of service? Whoopee…

  24. Re: Matthew Hui — in other words, commodity based systems are bad. Of course, everything else is worse, especially once there’s a small-object fab in every garage in fifteen years or less.

    Coin shaving and other issues can be dealt with in various ways. Weighing the coin will determine its true value, if its composition is known with certainty. If the composition is adulterated, it’s either been alloyed (expensive) or two dissimilar metals are in contact. The latter creates a voltage that might be detectable, and causes corrosion that might be identifiable.

    One wacky possibility is reasonably sturdy little capsules filled with mercury, which is useful and valuable. It’s also toxic, discouraging tampering, and can be weighed to assess whether any has been somehow removed. If any was replaced with another substance it should be easily determined. Downside: any kind of serious crash, building collapse, or other accident where there’s cash present would cause a toxic spill, so mercury seems to be a nonstarter. A valuable non-toxic liquid might not be, however.

    Another possibility is a valuable solid object whose value derives from function. Some type of computer chip, maybe, if it’s rugged enough to survive being carried about in pockets, sat on, and exposed to moisture and static electricity. If it’s normally enclosed in a capsule when being carried this is easy enough to achieve. Cash is validated by plugging it into an analyzer that runs the chip through a quick series of tests. Downside: this stuff will hyperdeflate, halving in value every year or so due to Moore’s Law. 🙂

    Still, the inevitable ability for people to eventually clone almost any small physical object within a decade or two suggests the need to return to having money be intrinsically valuable instead of “valuable by fiat”. Unless we go back to using huge stone wheels as coin, as was done a long time in the past in some places. 🙂

    Perhaps it’s a nonissue. The ability to clone small objects (including components of larger objects) may mean the end of money and also the end of any need for money, except in the form of raw materials as commodities. By the time this happens, the same technology is probably capable of analyzing hunks of potential raw materials and assessing their value. Or automation (robots mining, perhaps even mining asteroids in space) may make the commodities so cheap that everything is basically free, except maybe energy.

    Energy, of course, might become the currency, perhaps in the form of a standardized portable storage device, a hyped-up battery of sorts, whose total stored content is easy to assess without using very much energy.

    PanMan wrote: “The only reason I could imagine why they would store the balance on the card, is that it makes it possible to allow access without online connections. I wouldn’t want to have a system where I can’t access the bus when there is no GPRS connectivity.”

    Here, at least, point-of-sale card-swipe connectivity is quite stable and reliable. Even during the peak of the 2007 Christmas shopping madness I never saw one being especially balky, let alone completely unusable.

    Perhaps these things are less reliable where you are. In which case the fix is to improve the infrastructure, not store the balance on the card.

    Tel: Are you purposely trying to pick fights with me around here?

    First, I suggested replacing rf-readable with good old-fashioned contact swipe cards as much more securable by the cardholder against unwanted reading (and possibly unwanted debiting). Second, I suggested a public-key-encryption based challenge/response authentication system, which would have cards have some circuitry on board and a private key encoded in a chip somewhere. The card would receive a challenge, encode it with the private key, and transmit the encrypted challenge and the card’s public key. The reader would try to decrypt the former with the latter to recover the original challenge it had sent. If the decrypted output was identical to the challenge it had sent, the card would be validated, else it would not. This scheme does not expose the private key. The most a hostile reader can do is carry out a known-plaintext attack and learn the public key. Public-key cryptosystems are designed to make the private key extremely difficult to recover even under those conditions. Given a big enough key size in bits, and a good cryptosystem, it should not be feasible to get the private key and thereby clone the card/steal the user’s identity other than by physically stealing the card, taking it apart, and probing its remains with a logic analyzer.

    A forger stealing the balance from a “random” account also shouldn’t happen. Again, with a decent enough key size in bits, the space of key pairs will be vastly larger than the population, by dozens or even hundreds of orders of magnitude, and the odds of randomly generating a key pair whose public key actually is identical to some existing user’s is virtually nil. The system can also summon the cops if an invalid public key (not that of any accountholder) appears to the card reader, to further discourage trying to brute-force the crypto. (This pretty much requires a contact card; an RF-readable system might have one of your *other* RF-readable cards get read by the transit turnstile and set off the alarm!)

    In fact, the described swipe-card should really be designed and implemented by the banking community and replace all debit and credit cards within a few years. That would get rid of an awful lot of fraud and identity theft right there, with most of the remaining coming from either fly-by-night vendors taking money and failing to deliver the goods or ID-thieves dumpster-diving for credit card offer junk mail. In other words, the good old-fashioned kind of fraud. 😛

  25. But if you want to extend the ticketing system to cash payment, then upgrading the ticketing system to high tech will be economic as well.

    Do one job and do it well.

    The transport system should concentrate on providing transport. Other companies already provide financial services, telegraphic transfers, online payments, EFTPOS, etc. I can remember when the railways were all set to become an Internet provider (yeah have a good laugh), and it almost makes sense, because they are one of the few groups who have exclusive access to long distance land bridges connecting just about everywhere. They were already laying fibre optics for their own internal communications infrastructure. The problem should be obvious — none of them had the first idea about the ISP business.

  26. Actually, the real security flaw is that the card (and by extension, the cardholder) is trusted to be truthful about their balance, instead of storing account balances in a central database and the cards functioning only as ID.

    Assigning people with permanent ID’s that are RF readable and quite likely clonable has its own problems such as identity theft and tracking people’s movements. Same problem here as the “secure” electronic passport. Moving the balance from the card to the central account will result in the card forger stealing from the balance of some other customer rather than stealing from the overall balance.

  27. I just notice Tel’s comment above. I lived in New South Wales as well. I pretty much agree with him. It is all about system management, and those so called high tech solutions does not necessarily bring systematic benefits to the system, if different components of the system and the future extension of the system were not analyzed as a whole.

    With proper management even with some low tech methods, the magnetic paper tickets can serve well.

    The following is a bit out of topic from the security of ticketing system.

    I think there was already live example that a low cost and high efficient ticketing system was introduced in an European country (probably Belgium?), the solution was to remove all ticketing system for public transport, the benefits were obvious:
    1. No more costs to maintaining ticketing systems which were paid by the tickets.
    2. Encourage people to take public transports, thus less traffic jam which is costly to a country’s economic, and less green house gas, and less car park needed.

    But if you want to extend the ticketing system to cash payment, then upgrading the ticketing system to high tech will be economic as well.

  28. I noticed that some commentators said because the Dutch RFID public transit card is a low value system for public transport only, thus it was not worthy to implement expensive high security.

    This is clearly a dangerous attitude toward project planning and management.

    Firstly, if not high security, why bother to use IC card, continuing to use paper ticket or magnetic strip is just as good.

    Secondly, though it was reasonable to apply lower security to disposal tickets, however, it was this dangerous attitude that leaded to the flaw designs of the reusable tickets consequently.

    Thirdly, when investing such sum of money to a public system, you as a planner should think of the future, whether you can extend the system with low cost.

    For example, in Hong Kong Octopus card was developed for public transports operated by different public and private companies, because of its high speed and high security design, it was gradually used for cash and other finance transactions.

  29. The New South Wales government has recently canceled its contract with Integrated Transit Solutions Limited over a new you-beaut does-everything transport card. There’s approx $100M of taxpayer money which they hope to recover in the courts (the recovery of which will also cost taxpayers money).

    The theory is that it will be contactless and “cashless” (which presumably means you get a bill at the end of the month) and work on all types of transport.

    As far as I can see, it’s another case of a technology existing primarily for the purpose of having bells and whistles, rather than any solid justification based on need. What I’m saying is that Sydney transport already has quite a good ticket system based on thin cardboard tickets the size of a credit card with a magstripe. Each current ticket:

    * is date limited
    * is zone limited
    * is individually numbered
    * has the ticket attributes both printed and magstripe encoded
    * has some basic paper security devices to make it difficult to duplicate
    * already works on train / bus / ferry readers
    * comes in day / week / month / quarter time periods
    * can be purchased on the spot, or in advance

    Most people don’t actually buy tickets that crossover between train, bus and ferry but only because there’s a premium price on those tickets (presumably they feel they are selling you more transport) which is a sales decision, unrelated to the ticketting system itself.

    I could imagine that if you got a high value ticket (like a quarterly travelpass — which offers unlimited number of rides on any service within a three month time period) and you could duplicate it, then you might split costs between a few good friends. However, the high value tickets require you to give name and address (which is printed on the ticket) so if you travel together with those friends on identical tickets it might trigger an alarm.

    The paper tickets are also randomly checked by police on trains and busses so if the printed part of the ticket is wrong or looks tampered with then you would be in trouble too. In theory the policeman could make a phone call and check the individual ID number of that particular ticket… that never actually happens.

    The only tickets where a value counter is stored on the ticket itself are the 10-stop bus tickets where a blank ticket it the highest value and each trip is printed on the ticket as you go, plus there’s a magstripe too. It’s not a high value item for forgers to go trying to blank out old bus tickets, and the card itself is a security device because it falls apart easily. Again, police can randomly check the printing on your ticket to see that you did feed it to the machine (printing includes time and date that you got onto the bus, also bus number).

    If they have to spend money, please spend it on the busses and trains, the ticket system works, so leave it alone.

    For what it’s worth, I also believe that public transport should be free (private transport should be expensive, and support the publc system). The ticket gate problem is a fundamental limitation of Capitalism (i.e. sometimes it costs more to do the ticketing than it does to provide the service). Most economists just ignore this issue, but as high tech services get cheaper and cheaper to provide, I think we are going to see a lot of ticket gate problems turning up. Certainly the software industry and music industries are both facing the same difficulty.

  30. The london Oyster card system has been up and running for some time. I don’t know what technology they’re using, although it does sound similar to the Dutch system, but if Hugo is right and it is actually the same system then the Dutch probably aren’t as screwed as all that. Like I say, Oyster’s been up for years and you can’t just buy counterfeits on street corners or run off a quick hacked card at home. The system’s worked, at least so far…

  31. Big_Mac, that would be as intelligent as abolishing copyright.

    Unfortunately, only individuals are intelligent (as you have demonstrated). Committees aren’t.

    Committees are used to avoid any intelligent individual having to take responsibility, therefore all members try exceedingly hard to ensure they don’t exhibit any intelligence. See Groupthink.

    “What have we being doing? Ticketing? Ok. Do it again, but with a few more bells and whistles, and add another zero to the price we paid last time. Job done.”

  32. $2 Billion here… $2 Billion there! WHo cares? YOU should!!
    It is afterall YOUR hard-earned MONEY being wasted again!!!

    Just think how many people could’ve ridden for FREE… and for a long time too. PLENTY, I tell ya!! The government is the MORON here (and once again). 😛

    STOP wasting money trying to collect money (i.e. fares). Wake up and grow up! (In a civilized 21st century society!? You jest!)

    Think about it!? NO ticket issuing/checking/collecting staff. + NO fancy-pants (expensive!!) ticket machines/technology to buy, insure, service/maintain, repair, replace! + NO Fraud to worry about… EVER!!!

    One would only need have security guards/guides & cleaners!!!

    SIMPLE!

    P.S. This could be implemented in as little ONE WORKING DAY!

  33. The only reason I could imagine why they would store the balance on the card, is that it makes it possible to allow access without online connections. I wouldn’t want to have a system where I can’t access the bus when there is no GPRS connectivity.

  34. So what are the costs to clone a card and/or to generate new cards? I’d always assumed that transit-system cards were low-value enough to make them lousy targets, but obviously I seem to have been wrong. Or is it just the psychological effect?

  35. @Spudz:
    Going to a silver(or gold, or whatever commodity) standard of currency will not stop counterfeiting. You’d have coins being shaved (Why do you think quarters and dimes have ridges on the edges? To make shaving easy to detect). You’d have coins being hollowed out and refilled with some base metal. The list of things you can do to coins is very large. Not to mention the other effects of going back to a commodity based standard.

  36. olesmartie says

    The more things change, the more they stay the same… If we go back 10-18 years:
    1. The original Sony FeliCa card introduced into Hong Kong in 1997 used their own proprietary security which, although weaker than DES, was assessed to better than the Mikron card security. This was one of the reasons why Sony was chosen for Hong Kong.
    2. Following an external security assessment and discovery of more security holes in Sony’s security, Sony developed a new card using 3DES, first used in Singapore. Later the original HK cards were replaced with the new Sony cards.
    3. The original Mikron security was, and still is, a 48-bit stream cipher, which was assessed back in 1995 as being barely adequate for transit systems, and only if these systems were “closed” systems and only had low values stored on the cards.
    4. Apparently the only external cryptographic assessment done by Mikron was by Patrick Horster, who was associated with Karlsruhe university. A single external assessment was not considered adequate proof of the security, even for transit systems.
    5. There were other serious security issues with the Mikron system, such as the need to load readers with card keys in the clear. Most of these issues have now been resolved.
    6. The mifare Standard cards should NEVER be used in large multi-modal, multi-operator transit systems, especially national transit systems. There are many technical reasons behind this statement, and unfortunately most of these reasons are currently being overlooked or ignored.
    7. SLTF, now RKF, was told very clearly in the late 90s that they should never base their national transit system on the mifare Standard card. Unfortunately, they chose to ignore this advice from at least two prominent transit system providers.
    8. ITSO chose to ignore their own original design criteria (i.e. cards must be fully ISO/IEC 14443 compliant) and include the mifare Standard card in the UK national transit system, only because these cards existed, and because the Oyster system was going to use them. Bad mistake.

  37. Hugo (Dutch) says

    The linked announcement from Virginia says that the same system is also used in the Oyster card in London, so it’s not just the Dutch who are screwed.

  38. Out of curiousity (and motivated by the above comments), are there low cost authentication schemes? For example, ones that use symmetric encryption like the original Merkle one? But more efficient, of course. Is there an established literature on this? If so, any pointers would be appreciated. Thanks.

  39. Michael Donnelly says

    Spudz comment is the most appropriate. In any system like this, you have to assume that the Bad Guys will eventually be able to at least copy the contents of a card, even if they can’t do anything else with it.

    You just cannot trust the card to hold the balance. Giving them the benefit of the doubt, my guess would be that they’re willing to accept that enormous hole knowing that piracy of the cards will not be widespread. Any business venture involving selling such cards would be easily dealt with via the court system, so you’re really only faced with lost revenue from somewhat competent/motivated individuals.

    Otherwise, it’s a horrible model right from the get-go.

  40. Actually, the real security flaw is that the card (and by extension, the cardholder) is trusted to be truthful about their balance, instead of storing account balances in a central database and the cards functioning only as ID.

    The cards can always, in principle, be cloned to double your money without even breaking the encryption. Essentially, they are as prone to counterfeiting as cash, or more so, when we should be moving in the direction of digitally unforgeable stuff.

    (For cash, of course, there’s a privacy concern with replacing it entirely with direct debit/credit. But cash could be reverted to the old-fashioned form of using a commodity as currency worth its true value — e.g. silver coins worth exactly what they’d be worth melted down. These can’t be counterfeited in any meaningful sense, since the material costs of counterfeiting equals the dollar value of the funny money created and you break even. In fact, it’s no longer counterfeiting, it’s operating a legitimate business (e.g. a silver mine). Upside: foolproof, simple, and low tech. Downside: currency value fluctuates based on other uses of the commodity chosen, and production of same. Another alternative is digitally signed banknotes. The banknote’s denomination and serial number and other details are hashed and digitally signed by the treasurer. The only way to forge these is to clone them, resulting in duplicate serial numbers, so they can be forged, but duplicate bills will be detected, or to actually discover the treasurer’s private key. But distinguishing original from copies won’t be easy.)

    There is also a consumer security issue with wireless-payment cards in general:

    a) An attacker can pick your pocket just by brushing past you in a crowded street. A device in their pocket gets close enough to your card to “swipe” it … or rather, swipe your balance off it.

    b) It may be possible, depending on the range, to accidentally get debited by going close to, but not passing through, a turnstile or whatever legitimate point-of-payment exists.

    Centralizing accounts in a database and making the cards just ID removes the first of these two threats, as long as the ID card and authentication protocol is properly designed: challenge/response in which the ID card uses, but does not expose, its private key. Physically stealing the card is then needed to clone it or otherwise compromise the private key and gain access to a victim’s funds.

  41. Henryk Plötz says

    Anonymous: Octopus is Sony Felica and to the best of my knowledge these cards use DES or 3DES (at least that’s what their CC evaluation report says).

  42. Henryk Plötz says

    Moin,

    Nathan Williams: No, not really 🙂 Mifare _is_ ISO 14443A and predates basically everything. Mifare Classic dates back to 1994 when their (then proprietary) radio protocol with blazing 106 kbit/s was top of the notch and seemed extremely fast. Only later has the radio protocol sans encryption been standardized as ISO 14443 Type A.

    The “decent crypto” cards are even far newer. Though it’s true that 3DES cards are available even from the same manufacturer (NXP) as the Mifare Classic cards and could have been chosen for the system. These cards (Mifare DESfire) are actually used in the public transport system of other cities, e.g. Madrid.


    Henryk Plötz
    Grüße aus Berlin

  43. Is anyone aware of a similar study into the Octopus cards used by Hong Kong’s MTR system, which uses similar technology? If any place should have a problem with counterfeit cards it would be Hong Kong, so you’d think they would know how to deal with them…

  44. @ Nathan Williams:

    Partly true – what is being discussed at the moment, is to open up the whole OV-chipcard project to security experts, to fix the currently known flaws and also to look at possible other flaws. This does not mean that Mifare’s proprietary technology is out in the open… It would just show how the Mifare chip is being used on these cards…

  45. The wonderful irony you’re missing here, of course, is that Kerckhoff was Dutch…

  46. Nathan Williams says

    Openness would have put Mifare’s proprietary technology at a disadvantage, since there’s already an established open standard for this stuff, with decent if unexciting crypto, in ISO 14443. Mifare uses most of 14443, but their own crypto.

  47. typo: you surely meant to say

    This kind of disaster would have been _less_ likely had the design process been more open.

    [D’oh! Thanks for pointing out this error. It’s fixed now. — Ed]