Security Handhelds Transportation

Another EUSecWest NFC Trick: Ride the Subway For Free

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."
  • Re:More like... (Score:5, Interesting)

    by snowraver1 ( 1052510 ) on Thursday September 20, 2012 @06:22PM (#41405457)
    How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.

    Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card being used more than the maximum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.
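
The after-the-fact check described in the comment above, as an added example that is not part of the original post or of any fare system's code: it merges logs from several offline readers and flags a non-reloadable card that was tapped more often than its ride limit, or whose remaining-ride count failed to drop between taps. The log format, reader names, card ids and `MAX_RIDES` are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

MAX_RIDES = 3  # assumed ride limit of the non-reloadable ticket in this sample

# Constructed sample logs, one list per offline reader.
# Assumed line format: "<ISO timestamp> <card id> <rides left after tap>"
READER_LOGS = {
    "gate-01.log": [
        "2012-09-20T08:01:10 CARD-A 2",
        "2012-09-20T08:05:42 CARD-B 2",
        "2012-09-21T08:02:31 CARD-A 2",
    ],
    "gate-07.log": [
        "2012-09-20T17:40:03 CARD-A 1",
        "2012-09-20T17:44:19 CARD-B 1",
        "2012-09-21T17:39:50 CARD-A 1",
    ],
    "bus-112.log": [
        "2012-09-22T09:15:00 CARD-A 0",
        "2012-09-22T09:20:00 CARD-C 2",
    ],
}

def merge_logs(logs):
    """Merge every reader's lines into one time-ordered tap list per card."""
    timeline = defaultdict(list)
    for reader, lines in logs.items():
        for line in lines:
            ts, card, left = line.split()
            timeline[card].append((ts, reader, int(left)))
    for taps in timeline.values():
        taps.sort()  # ISO timestamps sort correctly as strings
    return timeline

def find_suspect_cards(logs, max_rides=MAX_RIDES):
    """Return {card: [reasons]} for cards whose tap history is impossible."""
    suspects = defaultdict(list)
    for card, taps in merge_logs(logs).items():
        if len(taps) > max_rides:
            suspects[card].append(f"{len(taps)} taps on a {max_rides}-ride card")
        # On a non-reloadable card every tap must lower the remaining rides.
        for (_, _, prev), (ts, reader, cur) in zip(taps, taps[1:]):
            if cur >= prev:
                suspects[card].append(f"rides left {prev}->{cur} at {reader} {ts}")
    return dict(suspects)
```

The card ids returned by `find_suspect_cards(READER_LOGS)` are what a back office would push to the readers as a block list once the logs have been collected.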
  • Re:More like... (Score:3, Interesting)

    by Razgorov Prikazka ( 1699498 ) on Thursday September 20, 2012 @06:35PM (#41405585)
    No, not really. It happened before (2010) with the cards of those dim-witted nitwits of TransLinkSystems in the Netherlands.
    A journalist hacked a TLS-card (although admittedly it was more at the level of a script-kiddy) and traveled for free, on camera etc, even showing how to do it.
    Not quite sure what happened, but I believe the court dismissed the case because the value of the freedom of press and journalists being critical was more important than a company that isn't up-to-date (since 2007).
    <sarcastic commercial tune>
    TransLinkSystems, promising better since 2001
    </sarcastic commercial tune>

    Off-topic, but last week the same news-network (Powned) were voting in the elections for the new parliament wearing a burqa (and a hidden camera) and thus couldn't be properly identified. No problem for the multiculturalist doing the ID-ing, and the guy (yes a guy) voted with a fake ID of a woman and a voters-card of some other woman. Same here, probably it will be dismissed for the same reason. Good fun with those guys.
  • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday September 20, 2012 @07:27PM (#41406021) Journal

    Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

    There are lots of reasons that you might want to store the balance on the card. Increased reliability in the face of network outages, improved performance by eliminating the need for a network round trip and a database query, the ability to deploy in environments without network access at all, the ability to cross incompatible system boundaries... and many more.

    Further, if you do it right, there's no reason not to store the balance on the card. Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security. They can perform cryptographic operations to authenticate the commands they're given, and they can make decisions about whether or not they're going to honor the commands based on authentication and on the content of the request and its context (to the degree that they're aware of context).

    But building smart card systems is hard, and making them secure adds another layer of complexity and frustration when things just don't work because the damned card keeps rejecting your -- you believe -- properly authenticated and formatted commands. It's normal for the early stages of development to disable security for ease of development and testing... and it's unfortunately pretty common for security to be left off, or at least not thoroughly validated, for deployment. And it mostly works, because contactless smart card readers are relatively rare -- they're not expensive, mind you, haven't been for many years, but they have been uncommon. Except now there's one embedded in every one of an increasing number of high-end smartphone models.

    This isn't a fundamental architectural flaw, it's either a detailed design flaw or (very likely) a straight up implementation error. Most likely caused by simple laziness and incompetence (granted that finding competent people in this area of technology isn't trivial, and self-education is a multi-year process).
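
A simplified model of the point made in the comment above, as an added example that is not part of the original post and is not how any particular fare card works: the card honors a balance change only when the command carries a valid MAC under a key the card never reveals and a counter one higher than the last accepted command, so a captured earlier "load" cannot be written back. `FareCard`, `sign`, the command layout and the demo key are hypothetical.

```python
import hashlib
import hmac

def sign(key, op, amount, counter):
    """Issuer-side MAC over the command fields (assumed layout: op|amount|counter)."""
    msg = f"{op}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class FareCard:
    """Toy stored-value card: decides for itself whether to honor a command."""

    def __init__(self, key, balance=0):
        self._key = key         # shared with the issuer, never readable over NFC
        self.balance = balance  # in cents
        self.counter = 0        # monotonic, only ever moves forward

    def apply(self, op, amount, counter, tag):
        if not hmac.compare_digest(sign(self._key, op, amount, counter), tag):
            return "REJECT: bad MAC"
        if counter != self.counter + 1:
            return "REJECT: stale or replayed counter"
        if op == "debit":
            if amount > self.balance:
                return "REJECT: insufficient balance"
            self.balance -= amount
        elif op == "credit":
            self.balance += amount
        else:
            return "REJECT: unknown op"
        self.counter = counter
        return "OK"

def demo():
    key = b"constructed-demo-key"  # constructed value for this example only
    card = FareCard(key)
    load = ("credit", 1000, 1, sign(key, "credit", 1000, 1))
    results = [
        card.apply(*load),                                        # issuer loads 10.00
        card.apply("debit", 250, 2, sign(key, "debit", 250, 2)),  # one ride
        card.apply(*load),                                        # old load replayed
        card.apply("credit", 1000, 3, b"\x00" * 32),              # forged without key
    ]
    return results, card.balance
```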

  • Re:More like... (Score:2, Interesting)

    by Anonymous Coward on Thursday September 20, 2012 @11:25PM (#41407435)

    System abuse can be rampant. With the situation of "The hard part would be figuring out who you are from the available records", it is far easier to cancel the card and flag it as suspect. When the card is next used it doesn't work, triggers an alarm, and the card holder then gets to have a chat with an official about their card.

    Most systems don't care about the negative balance reaping. Giving a percentage credit for auto and remote payments tends to fix this problem for the most part. Then they can isolate the individual cases where it is costing them money, your $2 for a $12 ride is a good example, and determine if it is worthwhile cracking down on those.

    There is a new trick in Canberra. When you swipe your action bus prepaid card the machine makes a buzzing sound. Some kids have figured out that they can walk on the bus, hold a fried card to the reader making sure they obstruct line of sight of the driver, play the BEEP sound on their phone, and get on the bus for free. No need to swipe off.

    The system here initially allowed for 'change of mind', so what happens is that you swipe on and if you swipe off in less than 5 minutes it negates the charge. So, people were swiping on at the front and swiping off at the back door meter. Alternatively, the first person swipes on, hands their card to the next person, who swipes off 30 seconds later. Ahh, youth these days. So charming.
