Skip to content

Management

Technology

Toolbox

Training


Books


White Papers


Topic Pages

Webcast

Resource Centre


ComputerworldUK CommunIT

Want to join the UK’s fastest growing dedicated IT community? Enter here to browse the UK’s top usergroups, societies and associations.

Mobile Applications & RFID technology > mobile & wireless > news

March 07, 2008

Questions raised about Oyster card security

Its RFID chip is cracked by researchers

By Network World and Computerworld UK staff

Smartcards with encrypted RFID chips, including London’s Oyster fare card, might not be as secure as previously thought.

Advert

New research at the University of Virginia is causing a major stir in Boston, because it raises question over the smart "CharlieCards" used by commuters on the city’s 'T' metro system.

However, London's Oyster card uses similar RFID technology – the Mifare Classic made by Philips spinoff NXP Semiconductors.

Work by University of Virginia graduate student Karsen Nohl and colleagues raises the spectre that thieves with just US$1,000 (£500) worth of equipment might be able to cracking smartcard encryption. They could then make fake cards to do everything from swipe fares to gain access to high-security areas.

More that a billion Mifare Classic chips have been sold around the world. Security experts have long known that such chips, which generally cost less than a dollar, were crackable, but didn't realise it could be so economically feasible.

Nohl and his team were able to listen to data broadcast by the chips using readily available RFID readers. They then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.

NXP has countered that only a portion of the cryptographic algorithm has been obtained by the researchers. However, the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them.

A video of the researchers' presentation called "Mifare: Little Security, Despite Obscurity," is available on Nohl's website.

There, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security. "Please note that we have not compromised the security of credit cards, as some of the articles suggest,” he writes.

"From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."

Transport for London told Computerworld UK that Oyster has additional security systems in place. A spokesperson said: "The security of the Oyster system has never been breached and Londoners can have total confidence in the security of their Oyster cards.

"We run daily tests for clone cards or rogue devices and none have been discovered. All Oyster information is fully encrypted and we have adopted extra security measures on top of that available on the source chips.”

Follow highlights from ComputerworldUK on Twitter
Sign up for our Daily Newsletter
The UK IT News widget Get it for your site!

« prev article | more mobile & wireless news | next article »

Advert

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add 'Questions raised about Oyster card security - Mobile Applications & RFID - ComputerworldUK' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?

Advert

WHITE PAPERS

  • Seven Ways ITIL Can Help You in an Economic Downturn
    Learn more about how ITIL can help your business weather the economic storm, and how it can leave you better positioned for growth when the economy begins to rebound.
  • Business Continuity - Are you always open for business?
    Business continuity is not an end in itself, but the key to improving performance. Oracle solutions for midsize organisations contribute by providing a secure, easily accessible, and always available information infrastructure thats's also simple and cost-effective to manage. This Oracle Business Brief explains how.
  • Unlock the Hidden IT Opportunities in Troubled Economic Times
    Learn how with the right approach, processes, and technology, you can provide higher-quality services for a lower cost, while also helping your business to position itself for growth when the economy rebounds.
  • Make Compliance Work For You
    Learn how to make compliance work for you, rather than the other way around, with this whitepaper form Oracle.
  • Security and Trust: The Backbone of Doing Business over the Internet
    When shopping online, consumers are concerned about identity theft and are therefore wary of providing untrusted sources with their personal information, especially their credit card details. Find out how to gain the trust of online customers.
*