We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
Questions raised about Oyster card security

Questions raised about Oyster card security

Its RFID chip is cracked by researchers

Article comments

Smartcards with encrypted RFID chips, including London’s Oyster fare card, might not be as secure as previously thought.

New research at the University of Virginia is causing a major stir in Boston, because it raises question over the smart "CharlieCards" used by commuters on the city’s 'T' metro system.

However, London's Oyster card uses similar RFID technology – the Mifare Classic made by Philips spinoff NXP Semiconductors.

Work by University of Virginia graduate student Karsen Nohl and colleagues raises the spectre that thieves with just US$1,000 (£500) worth of equipment might be able to cracking smartcard encryption. They could then make fake cards to do everything from swipe fares to gain access to high-security areas.

More that a billion Mifare Classic chips have been sold around the world. Security experts have long known that such chips, which generally cost less than a dollar, were crackable, but didn't realise it could be so economically feasible.

Nohl and his team were able to listen to data broadcast by the chips using readily available RFID readers. They then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.

NXP has countered that only a portion of the cryptographic algorithm has been obtained by the researchers. However, the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them.

A video of the researchers' presentation called "Mifare: Little Security, Despite Obscurity," is available on Nohl's website.

There, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security. "Please note that we have not compromised the security of credit cards, as some of the articles suggest,” he writes.

"From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."

Transport for London told Computerworld UK that Oyster has additional security systems in place. A spokesperson said: "The security of the Oyster system has never been breached and Londoners can have total confidence in the security of their Oyster cards.

"We run daily tests for clone cards or rogue devices and none have been discovered. All Oyster information is fully encrypted and we have adopted extra security measures on top of that available on the source chips.”

Share:

Comments

Advertisement
Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *