
Another EUSecWest NFC Trick: Ride the Subway For Free

timothy posted more than 2 years ago | from the she's-got-a-ticket-to-ride dept.

Security 135

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."


More like... (1, Insightful)

Bill Hayden (649193) | more than 2 years ago | (#41405407)

...ride in a police car for free.

Re:More like... (4, Interesting)

snowraver1 (1052510) | more than 2 years ago | (#41405457)

How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.

Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card being used more than the maximum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.

Re:More like... (2)

SomePgmr (2021234) | more than 2 years ago | (#41405535)

That was my thought. Putting the balance for anything on the card itself is a terrible idea, unless you have no choice because readers won't be (reliably) connected to the larger infrastructure.

I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.

Not that hard, really (2)

Taco Cowboy (5327) | more than 2 years ago | (#41406501)

I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.

Actually it's not that hard to catch those who use a card with a bogus amount.
 
In a lot of cities, cctv cameras have been set up in mass transit system, in buses, trams and subway trains.
 
If the authority really wants to find out who are using bogus cards, they could compare the time stamp on the "embarking scan" with the time stamp on the CCTV to identify which person is using bogus cards.
 
Of course, catching the person only once is in itself not enough to convict the person. But, if the authority is able to prove that the same person has been using a bogus card to get multiple free rides on the mass transit system, they should have no difficulty hauling that individual into court.
 
Do not forget that we are living in the age of BIG BROTHER.

Re:Not that hard, really (1)

Anonymous Coward | more than 2 years ago | (#41406677)

"I found the card on the ground, prove that I didn't"

Re:Not that hard, really (4, Funny)

nedlohs (1335013) | more than 2 years ago | (#41406729)

"Here you are caught by security camera A231763 purchasing said ticket at a vending machine. And we know it is that ticket because as you can see a simple uncrop and we can see the serial number reflected in that window which is reflected in that water drop which is reflected on that man's hat."

Re:Not that hard, really (1)

Anonymous Coward | more than 2 years ago | (#41406971)

And I'm sure they'll be willing to go through weeks or months worth of footage at every single kiosk at every single station just to be able to do that, only to find that your face was concealed or someone else bought the ticket.

Re:Not that hard, really (1)

Anonymous Coward | more than 2 years ago | (#41407857)

Jesus Christ, you Americans watch too much TV

Re:Not that hard, really (0)

Anonymous Coward | more than 2 years ago | (#41408069)

Once the image has been "ENHANCE!"d several times, of course!

Re:More like... (1)

Anonymous Coward | more than 2 years ago | (#41407687)

That was my thought. Putting the balance for anything on the card itself is a terrible idea, unless you have no choice because readers won't be (reliably) connected to the larger infrastructure.

I suppose later reconciling could catch someone doing this, but I have to imagine it'd be really hard to enforce effectively.

And that's exactly the normal scenario that most of these cards work under. Buses usually don't have net access all the time, for example. It's all done in batch jobs at the end of the day.

Re:More like... (1)

Sulphur (1548251) | more than 2 years ago | (#41406067)

How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red handed would be pretty difficult.

Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card being used more than the maximum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.

You would need a computer to do it. Oh the horror.

Re:More like... (1)

snowraver1 (1052510) | more than 2 years ago | (#41407389)

It's not the data processing, it's the data collection. How are you going to collect the data from presumably non-networked devices in a timely enough manner that you can use that data for card authentication?

Re:More like... (1)

citizenr (871508) | more than 2 years ago | (#41407655)

Ask NSA for help, they would love to (if they aren't collecting it already)

Re:More like... (1)

MrEricSir (398214) | more than 2 years ago | (#41406351)

How would anyone ever catch you?

One of the examples in the article is San Francisco's Muni, a proof-of-payment system that has faregates only at major stations. So if you run into a fare inspector who asks to see your card you're pretty much fucked.

Re:More like... (0)

Anonymous Coward | more than 2 years ago | (#41406929)

Carry a second legit card that you never use.

Re:More like... (1)

snowraver1 (1052510) | more than 2 years ago | (#41407427)

No problem at all. You have a real card that has a positive balance. The fare inspector would read the card, the card would return information (presumably UID, Balance, Time of last use, and location of last use). All this information would be valid and would appear no different.

Re:More like... (0)

Anonymous Coward | more than 2 years ago | (#41407575)

Except the real card won't show a departure station on it.

Re:More like... (2)

Macman408 (1308925) | more than 2 years ago | (#41407211)

The terminals don't necessarily have live network access, but they do get updates periodically; for example, when the bus gets back to the bus barn, they plug it in to transfer data. Thus, if you add value to your card with a credit card online, within a few days, every terminal has been updated to know that they may need to increase the value stored on your card, if a different terminal hasn't already added that value. It would be trivially possible to make this a two-way conduit, if it isn't already - save the data from the card to the terminal (eg current balance, or whether a fare was deducted), and correlate all the data. For example, if the balance ever goes up, make sure that they added value somewhere (either online or at a terminal or retail store). The hard part would be figuring out who you are from the available records (CCTV, usage records, etc.), especially if you pay cash.

That said, they probably won't care as long as only a few people are doing it. There have been much easier ways to game the system; for example, in the SF area, you could buy a card with $2 value, then use it for a ride that costs more than $2; the card allows a balance down to -$10, so you can get up to $12 from your $2 investment. Throw away the card with the negative value, buy a new one for your next trip, and repeat. Recently, they attempted to fix this by charging $3 for the card (in addition to any value you put on it), unless you also tie it to your credit card for automatic refills. I have no idea if this actually really fixes the problem or not - but they claim that such abuse was never rampant to begin with.

Re:More like... (2, Interesting)

Anonymous Coward | more than 2 years ago | (#41407435)

System abuse can be rampant. With the situation of "The hard part would be figuring out who you are from the available records", it is far easier to cancel the card and flag it as suspect. When the card is next used it doesn't work, triggers an alarm, and the card holder then gets to have a chat with an official about their card.

Most systems don't care about the negative balance reaping. Giving a percentage credit for auto and remote payments tends to fix this problem for the most part. Then they can isolate the individual cases where it is costing them money, your $2 for a $12 ride is a good example, and determine if it is worthwhile cracking down on those.

There is a new trick in Canberra. When you swipe your action bus prepaid card the machine makes a buzzing sound. Some kids have figured out that they can walk on the bus, hold a fried card to the reader making sure they obstruct line of sight of the driver, play the BEEP sound on their phone, and get on the bus for free. No need to swipe off.

The system here initially allowed for 'change of mind', so what happens is that you swipe on and if you swipe off in less than 5 minutes it negates the charge. So, people were swiping on at the front and swiping off at the back door meter. Alternatively, the first person swipes on, hands their card to the next person, who swipes off 30 seconds later. Ahh, youth these days. So charming.

Re:More like... (1)

snowraver1 (1052510) | more than 2 years ago | (#41407513)

I see what you are saying, and that could definitely work. It's still after the fact though. What could you do with the data once you have it? You could flag the account, but then what? Make the bus driver confront them next time they try to board a bus? Wait until a fare inspector wanders across them and then catch them? All for a $200 fine (or whatever it is)?

They decided to cheap out and not have every device network enabled. That was a business decision. I would hope that the possibility of ticket fraud was discussed, and the risk of that was weighed against the cost of network enabling every ticket taker thing.

Re:More like... (1)

Macman408 (1308925) | more than 2 years ago | (#41407697)

I think in addition to the cost of making everything live all the time (not just the hardware, but also network access for tens of thousands of devices), it's also not possible to guarantee network access. There are places in the area where, due to mountains, even a cell signal is unreliable. Additionally, the system has to work without a network anyway, in case the wireless provider or server goes down, so it'd have to be a best-effort double-check that your card balance is correct. And if you do have network access, you have the same options that you do if you can trace a violation after-the-fact to a particular person; you could deny them boarding, write a citation, take them to court...

But yeah, fixing the problem and preventing the fraud is the obvious best solution. It still wouldn't surprise me if they don't fix it, at least not any time soon, just because it's probably not going to be a huge cost. I'd expect them more to collect data to figure out how often it's happening, and if it's a significant problem, only then will they bother to find a solution.

Re:More like... (1)

Nikker (749551) | more than 2 years ago | (#41408399)

Many transit systems have live feeds via cellular for tracking. They could even sync only the repeat riders data at the station and on the road to keep low loads on the network. For subways I really don't see the issue in sending a hardline through the tunnel to connect various platforms. The issue of a secure hash is that the hash can be stolen as easily as the card can already be read. A person could go around trolling for hashes and be able to add those to his/her own.

There will always be fraud when the system cannot fundamentally implement it.

Random Checks (1)

Anonymous Coward | more than 2 years ago | (#41407255)

Random checks! Like many cities now (strangely, this doesn't include NYC), we're using a similar system. With these smart cards, came random checks, something we never had before with those magnetic paper tickets. Subway cops will randomly ask for your card so they can check on some kind of PDA and I'm pretty sure they can easily differentiate between something that looks like a credit card and a phone.

Re:Random Checks (2)

snowraver1 (1052510) | more than 2 years ago | (#41407401)

I believe that you use the NFC chip on the phone to program the card. The story speaks of efuses that aren't being used, so that would support that the phone programs the card.

Re:More like... (1)

Anonymous Coward | more than 2 years ago | (#41408105)

Of course you collect the log files, though the proper term is "concentrate". I used to do architecture design work on these systems fifteen years ago, and it was known then that autonomous device fraud was effectively an "insoluble" problem. The only way to detect such fraud is after the fact. You need to record as much of the card state in the log as possible for each transaction, including the balance, and during the reconciliation phase with the log data, flag those cards that seem to be operating incorrectly (like with an unchanging balance). Flagged cards go into the blacklist and have to be brought in by the cardholder to be "fixed". In those pre-cheap-mobile days, log collection was done by hand, weeks apart in some of the more remote stations. And that was with the owned cards, the anonymous one-off tickets were even harder to keep track of.

The point of smartcard fare systems is to reduce fraud, not eliminate it, mostly by adding the log capability, making forgery easier to identify. It was up to the transit operator to decide the priority of which forgeries they want to reduce, based on the distribution of ticket type usage, which our system made easier to determine as well. We had to be careful to price our systems so that the cost would be covered by the forgery reduction.

Again, that was fifteen years ago, but I can't imagine the basic situation has changed all that much.

Re:More like... (1)

reve_etrange (2377702) | more than 2 years ago | (#41408493)

The system in San Francisco is called Clipper. Clipper has two classes of cards, registered and unregistered. The registered cards are associated to your name and an account in a web application (and can have monthly passes, auto-load, etc). But the unregistered cards are like cash. I think you can buy one with cash in, e.g. Walgreens.

Re:More like... (3, Interesting)

Razgorov Prikazka (1699498) | more than 2 years ago | (#41405585)

No, not really. It happened before (2010) with the cards of those dim-witted nitwits of TransLinkSystems in the Netherlands.
A journalist hacked a TLS-card (although admittedly it was more at the level of a script-kiddy) and traveled for free, on camera etc, even showing how to do it.
Not quite sure what happened, but I believe the court dismissed the case because the value of the freedom of press and journalists being critical was more important than a company that isn't up-to-date (since 2007).
<sarcastic commercial tune>
TransLinkSystems, promising better since 2001
</sarcastic commercial tune>

Off-topic, but last week the same news-network (Powned) were voting in the elections for the new parliament wearing a burqa (and a hidden camera) and thus couldn't be properly identified. No problem for the multiculturalist doing the ID-ing, and the guy (yes a guy) voted with a fake ID of a woman and a voters-card of some other woman. Same here, probably it will be dismissed for the same reason. Good fun with those guys.

Re:More like... (1)

theshowmecanuck (703852) | more than 2 years ago | (#41405725)

Do you have an English language link to the voting story?

Re:More like... (2)

Razgorov Prikazka (1699498) | more than 2 years ago | (#41406249)

No, not in English, but here is the vid: http://www.youtube.com/watch?v=lvbZ3nsFf0M

Re:More like... (5, Informative)

Razgorov Prikazka (1699498) | more than 2 years ago | (#41406215)

Link to the Powned (yes it is called powned:) clip: http://youtu.be/3izaITMDAYg (in Dutch)

Transcript for the non-Dutch:
<anchor guy> Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard without a problem. The responsible company reacted frivolously because the hack would show up in their systems, and the authorities would be alerted. In other words, keep calm and carry on. But that was before they saw this news-item.
<Journalist 1> I can check in and out myself, simply by typing in the time that I want to be checked in, and upload it to the card. No signs in their back-office, this is undetectable.
<anchor guy> Yes indeed, now the TLS-card can be hacked even without TLS getting to know about it. The chance that the identity of the fraudulent traveller is to be unveiled is as good as nil. And that is what the responsible company is finally - although not enthusiastically - admitting.
<TLS spokes woman, Anita Hilhorst (to a journalist in a studio)>...At this moment our checks with detectors and inspectors do not show those transactions in our back-office,
<journalist in the studio> Yeah, when the conductor checks me, his machine just says that I am checked in.
<TLS spokes woman>...Yes...
<journalist in the studio> So then I don't have a problem and you are completely ignorant about it.
<TLS spokes woman>...then we can't see that ehhh ehhh in the transactions in our back-office
<journalist in the studio> So at that moment I am untraceable, and you can't do anything against me.
<TLS spokes woman> We aren't able to see that, no.
<anchor guy> And so definitively the TLS-card dies. Costing 3.000.000.000,- Euro, and nothing. The minister is summoned for a debate before parliament to explain what he will do about it. And here is some more ammo for the ladies and gentlemen of the opposition; the software needed is, since yesterday, downloadable from bittorrent sites. Cracking the TLS-card is now in reach for your grandmother of 82 years old.
<Jojanneke a.k.a. Pow-janneke> The cracking of the TLS-card is now made even simpler because the software is leaked to bittorrent sites, what does that mean?
<journalist> It means that anyone can download this, and since it is a very simple crack I am not surprised that it is put in the open.
<Jojanneke> This thing is also needed (hold up card reader), where to buy this? In a shop?
<journalist> Yes, it is about three tenners, so anyone can go ahead with a TLS-card.
<Jojanneke> But can it be bought in a store?
<journalist> Yes, or on-line if they aren't sold out yet.
<Jojanneke> And we don't have to check in at the station, we can do this at home?
<journalist> yes, that is quite simple to do (shows program how-to) and because you do this at home, you are invisible to the back-office. The conductor just checks whether the card has been checked in or not, and that data is transmitted to the system at the end of the day, but by then you already left the train.
<Jojanneke> In other words, it is so simple even my grandmother can do this?
<journalist> Even your grandmother can do this easily
<anchor guy> Well and if this isn't bad enough, the hackers will present a new version tomorrow that will make it even more easy with new features like making money with that card!
<Jojanneke> Hackers are busy to speed up the process to keep it within 15 seconds, what does this mean if they succeed in that?
<journalist> Well then it is so fast and easy that it becomes feasible to start a 'business' with that.
<Jojanneke> So they can recharge a lot of cards in a short while.
<journalist> Yes, you give me a tenner, and I put a hundred euros' worth of credit on it. And I have warned about this in the past that this might happen.
<anchor guy> If by chance you are slightly handy with computers, TransLinkSystems is looking for a fraud-manager that can monitor the security measures of the cards, stress-resistance is a pre.

Sorry for any mistakes made, but you'll get the message right?

Re:More like... (1)

wonkey_monkey (2592601) | more than 2 years ago | (#41408469)

Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard

But they shouldn't worry their pretty little heads about it, because they can get a big strong man to do it for them.

Vienna (1)

AvitarX (172628) | more than 2 years ago | (#41405453)

Their system is immune to this.

They simply stamp a piece of paper with a time, and about 5-10% of the cars have fare checkers. The fine is enough that it's not worth cheating (though I've done it when a youth and out of cash, but wanting to get home. I assume a crying American child that doesn't speak German traveling alone is not worth processing).

Re:Vienna (0)

Anonymous Coward | more than 2 years ago | (#41405531)

I don't get what you're saying. You have a chipcard that indicates you paid the fare (which you did). When home you restore the chipcard back to "full", the way it was just before you paid. The next day you take your "brand new" card with you and pay again.

Unfortunately the cards all have unique IDs, so the logs will be correlated and suspect transactions flagged.

Re:Vienna (0)

Anonymous Coward | more than 2 years ago | (#41405623)

Here in Queensland the fine is less than a month's worth of travel ($250 fine, costs $280/month to go to work for a month) and it goes to a bulk fine clearing system that gives you an interest-free eternity to pay it off. So all you have to do is not get caught for a month and you're ahead, if you do, pay it off at $1/week :D

Re:Vienna (1)

camperdave (969942) | more than 2 years ago | (#41406203)

They should force you to clean the busses for a month. You'd never do it again.

on the chain gang at $0.13 A HOUR (0)

Anonymous Coward | more than 2 years ago | (#41406633)

on the chain gang at $0.13 A HOUR

Re:Vienna (1)

GumphMaster (772693) | more than 2 years ago | (#41406553)

You can pay the fine for every day they manage to catch you. Makes it slightly less attractive if they can catch you twice in a month.

Easy answer (5, Insightful)

girlintraining (1395911) | more than 2 years ago | (#41405523)

I suppose the natural solution then would be to ban the app, possibly ban android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement does... rather than, I don't know, fix the problem with the cards?

Re:Easy answer (0)

Anonymous Coward | more than 2 years ago | (#41405661)

You're right, it is natural for thieves to talk about their exploits. Let's just hope no banning of android NFC or other happens..

Re:Easy answer (0)

Anonymous Coward | more than 2 years ago | (#41406047)

ban android phones with NFC capability

Clearly, they need to be android, because Apple hasn't released any NFC capability yet on their phones.

Re:Easy answer (0)

RyuuzakiTetsuya (195424) | more than 2 years ago | (#41406083)

Jesus.
fucking.
CHRIST.

Prove it.

You made this naked assertion. Prove it.

Re:Easy answer (0)

girlintraining (1395911) | more than 2 years ago | (#41406637)

You made this naked assertion. Prove it.

Jesus couldn't -- that's why the Jews are still waiting. I'm not sure what this has to do with NFC vulnerabilities though...

Long ago... (5, Informative)

Anonymous Coward | more than 2 years ago | (#41405525)

Back in the 80s they tried to introduce plain-clothes security officers on Amsterdam trams to catch people who didn't pay for an honor-system ticket and got on anyway. The people of Amsterdam had a referendum and voted that the officers had to wear uniforms, so that fare hoppers would have "a sporting chance" of running away when an inspector got on the tram.

Re:Long ago... (0, Informative)

Anonymous Coward | more than 2 years ago | (#41405559)

Mod up parent as informative.

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41405637)

Mod up grandparent as awesome, I want to move to Amsterdam.

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41405643)

Not without a link, otherwise it's just 'Cool Story Bro'

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41405867)

This is slashdot. We are a citable source.

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41405647)

That's AWESOME. What's the level of violent crime in Amsterdam anyways? It'd be hilarious if they were pulling in more revenue and paying less for law enforcement than the US and additionally dealing with less violent offenders.

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41406271)

I don't think the vote was to let fare hoppers continue, I think it is for safety and security. It is too easy for a cop to be impersonated without a uniform and scam the system.

Re:Long ago... (1)

garcia (6573) | more than 2 years ago | (#41407407)

Here in Minnesota MetroTransit officers come on the train regularly to check everyone's ticket/card to make sure they have a valid fare.

Several times I observed people jump off the train once they saw the officers and they didn't even chase after them; instead, they continued to check and scan everyone else who actually had paid.

I love paying the whopping $1.25 + tax dollars to fund this lovely operation only to be hassled by cops only to watch the douchebags run away free.

Re:Long ago... (2)

Lehk228 (705449) | more than 2 years ago | (#41407515)

almost anyone stealing $1.25 rides is probably too hard up for cash to be worth pursuing, sending inspectors time to time keeps anyone who can afford the fare honest. how many tax dollars do you suggest spending incarcerating and feeding fare jumpers?

Re:Long ago... (0)

Anonymous Coward | more than 2 years ago | (#41408089)

Bullets are way less than a buck.

Where can I.. (-1)

Anonymous Coward | more than 2 years ago | (#41405533)

get a copy of UltraReset?

Re:Where can I.. (3, Funny)

EGSonikku (519478) | more than 2 years ago | (#41405641)

http://fbi.gov/ [fbi.gov]

Re:Where can I.. (0)

Anonymous Coward | more than 2 years ago | (#41405681)

I called them up, and they seem to have no clue what UltraReset is.

Re:Where can I.. (2)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#41405839)

I called them up, and they seem to have no clue what UltraReset is.

That is strange. When I called them up, they offered to bring me a copy and show me how to install it on my phone. They changed their minds when I told them I lived in Canada.

NSFW!!!! (0)

Anonymous Coward | more than 2 years ago | (#41408375)

That site..... there are all sorts of females on the first page. Come on. NSFW.

what "take advantage"? (5, Insightful)

holophrastic (221104) | more than 2 years ago | (#41405567)

That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not brinks trucks with armed guards.

Right.

High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.

Re:what "take advantage"? (1)

zippthorne (748122) | more than 2 years ago | (#41405645)

But it's not exactly new tech to query a central server for each transaction wirelessly. They don't even need a cell agreement, they can have a node at each station - people only get on at the designated stops, after all.

We're replacing slips of paper, sure, but shouldn't they be replaced with something better than slips of paper, rather than something that costs more than paper and has much greater chance for fraud?

Re:what "take advantage"? (1)

Anonymous Coward | more than 2 years ago | (#41405893)

I don't live in the affected regions but unless they are retarded, the same card is also used on buses. Having a network connected node on each and every bus stop would be quite expensive.

But having a reliable connection to a central system is not the only problem, it also needs to have very low latency. Validation must be instant. Flash the card while keep walking, don't stop moving unless there's a beep/red light/the gate doesn't open/etc. Even a second delay of "Authenticating..." for each traveller would be a BIG issue.

Central authentication means you need network connected nodes (=more complex hardware = more expensive), you have more points that can fail (=less reliable, and a tram with disabled nodes for a couple of hours probably cost more money than quite a few freeloaders), and it will AT BEST be as fast as a decentralized system.

And obviously, slips of paper might be more secure but have plenty of other problems. NFC just IS better in the end, despite worse security.

Sometimes, security is just not the most important factor. There are no identities being stolen or privacy invaded, the transporters lose some cash but that is for sure a loss they include in the calculations when deciding what kind of tickets to use.

Re:what "take advantage"? (2)

neonmonk (467567) | more than 2 years ago | (#41407189)

It doesn't have to be instant. It just needs to be able to invalidate cards. Card stores amount of money it has, which the reader then sends back to the system for verification. If said card's numbers don't match, card gets banned. Message gets sent to every scanner to ring a klaxon and take a photo if said card gets swiped. I'm sure it's not too difficult to store card id numbers on all the readers.

There's more than one way to solve this problem.

Re:what "take advantage"? (3, Informative)

realityimpaired (1668397) | more than 2 years ago | (#41405959)

Well, don't speak for the system being described in TFA, but I do know that my city (Ottawa, Canada) has been trying to replace the old bus pass/ticket/transfer system with an electronic system called Presto.

With the Presto system, in theory, it communicates your card ID to a central server, debits the card, and records the last time you used it so that you can swipe it every time you get on, and it will be smart about whether it charges you (assuming you're not on a monthly pass). You can also buy extra money through an online portal, and you can set it up to automatically renew. That's how it's supposed to work, in theory.

In practice, it's been delayed by a year due to "unforeseen behaviour". Specifically, it occasionally double charges somebody when the wireless communication is spotty, sometimes it doesn't register the charge at all, and I've seen the readers on buses popping up error windows instead of the actual reader screen more often than not... presumably this error is also caused by lack of communication with the central server, if the text of the error message is anything to go by. I've also seen them pop up the Windows CE equivalent of a BSOD a couple of times, and at this point, even though they were supposed to be in full use/production by June of this year, they're turned off.

Now, for a subway system, there's no excuse to be relying on wireless communications for the point of sale. The gates don't move, and you're running a wire to it for power anyway. But for something that does move, like, say, a bus or trolley car, they do have to rely on some kind of wireless network, and that may or may not be reliable depending on how the network is set up. They may have decided that going with something like cellular data was too expensive for the system, and have set it up to sync the logs by wifi when they get back to the shop. In a situation like that, it may make sense to have some writeable data on the card to sync with, like a floating balance.

That being said, not having each card uniquely identifiable/trackable to catch this kind of thing is just silly... if you *are* going to have to leave some writeable data on the card, put a unique identifier in a non-programmable part of the memory, and have an automated system update the central database with your running balance at the end of the day... when the last value read by the card reader doesn't match what it should be in the database, blacklist the card and have each unit pull the current blacklist as they leave the terminal for the day's route. It's not as if it would take a lot of data storage to keep a list of blacklisted serial numbers, and flash storage is cheap enough to include in every console.

Re:what "take advantage"? (2)

brantondaveperson (1023687) | more than 2 years ago | (#41407567)

Oyster Cards [tfl.gov.uk]

This is what they use in London. They work on trains and buses, and work reliably and efficiently. They seem to work in exactly the way you suggest, as not 100% bulletproof security but only good enough.

I think the balance is stored on the card, but all transactions are sent through to a central authority, which would certainly be able to detect any fraud and disable cards found to be behaving suspiciously. Or, more likely, have the ubiquitous CCTV cameras in London identify those using fraudulent cards and presumably punish them appropriately.

Re:what "take advantage"? (0)

Anonymous Coward | more than 2 years ago | (#41408225)

I worked on that presto system...and I will just hahahaha to it.
But I am a bit surprised that even the readers are that unstable. These systems are old tech deployed a bit everywhere in the world (Denmark, Netherlands, HK, NZ etc. to name a few); on the other side... it's always developed back almost from the ground up. You will be pleased to learn that it was developed in China :D

Re:what "take advantage"? (4, Insightful)

holophrastic (221104) | more than 2 years ago | (#41406355)

No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.

On top of everything though, crime isn't the responsibility of the transportation department. If people are committing fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.

Re:what "take advantage"? (2)

Rinikusu (28164) | more than 2 years ago | (#41406579)

From what I can gather, here in LA, the fare reader just stores the information (the tap scans) and either at the end of the day, or end of the week, these logs are transferred and credited against the accounts that scanned through. I know when I put $20 on my card, it can be a week or more before I see the "balance" change even though I use it near daily. It seems fair enough for me and if someone scans through a low/zero fare card, sure, they might "get away with it" for a few rides, but they'll eventually have to pay up or try sneaking on via the back door like the other freeloaders.

Re:what "take advantage"? (1)

SocratesJedi (986460) | more than 2 years ago | (#41407473)

Central authentication is probably overkill. Most travelers probably embark at the same handful of stations every time. I imagine that if fare cards were set up to store metadata plus an HMAC (to prevent tampering with the payload) and stations configured to alarm if the same metadata was ever seen twice locally, at that station, that it would eliminate most fraud. Under that scheme any given card-payload could only be used once per station. (And, n.b. that the inclusion of a HMAC prevents arbitrary card payload choice, since only the station authority can issue a valid HMAC for a given metadata payload).

I guess attackers could still swap known-valid metadata+payload information online to use at multiple stations, but at that point the cost of simply allowing the tiny fraction of abusers to win is probably less than the cost of building out a bunch of infrastructure.
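A sketch of the scheme in the comment above, added here as an illustration and not code from the poster or from any transit system: the card carries metadata plus an HMAC tag, and each station alarms when it sees the same metadata twice. The key, field layout, fare and class names are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption): real readers would hold it in secure hardware.
ISSUER_KEY = b"constructed-demo-key"
META_FMT = ">QIH"          # card id, balance in cents, write counter
META_LEN = struct.calcsize(META_FMT)
TAG_LEN = 16               # truncated HMAC-SHA256 tag
FARE_CENTS = 150


def _tag(meta: bytes, key: bytes) -> bytes:
    return hmac.new(key, meta, hashlib.sha256).digest()[:TAG_LEN]


def issue_payload(card_id, balance_cents, counter, key=ISSUER_KEY) -> bytes:
    """Build the bytes written to the card: metadata followed by its HMAC tag."""
    meta = struct.pack(META_FMT, card_id, balance_cents, counter)
    return meta + _tag(meta, key)


class Station:
    """One station's readers: verifies the tag and remembers metadata seen locally."""

    def __init__(self, name, key=ISSUER_KEY):
        self.name = name
        self._key = key
        self._seen = set()

    def tap(self, payload: bytes):
        """Return (status, new_payload); new_payload is None unless status is OK."""
        if len(payload) != META_LEN + TAG_LEN:
            return "REJECT_FORMAT", None
        meta, tag = payload[:META_LEN], payload[META_LEN:]
        # Constant-time comparison: an edited balance fails here without the key.
        if not hmac.compare_digest(tag, _tag(meta, self._key)):
            return "REJECT_BAD_MAC", None
        # A valid payload this station has already accepted is a restored snapshot.
        if meta in self._seen:
            return "ALARM_REPLAY", None
        self._seen.add(meta)
        card_id, balance, counter = struct.unpack(META_FMT, meta)
        if balance < FARE_CENTS:
            return "REJECT_INSUFFICIENT", None
        return "OK", issue_payload(card_id, balance - FARE_CENTS, counter + 1, self._key)


def demo():
    """Run the cases the comment walks through; returns (label, status) pairs."""
    a, b = Station("A"), Station("B")
    original = issue_payload(card_id=1001, balance_cents=500, counter=0)
    results = []
    status, updated = a.tap(original)
    results.append(("first tap at A", status))
    results.append(("old payload written back, A again", a.tap(original)[0]))
    edited = original[:8] + struct.pack(">I", 99999) + original[12:]
    results.append(("balance bytes edited", a.tap(edited)[0]))
    # The limitation the comment concedes: station B has no memory of A's taps.
    results.append(("old payload at B", b.tap(original)[0]))
    results.append(("updated payload at A", a.tap(updated)[0]))
    return results


if __name__ == "__main__":
    for label, status in demo():
        print(f"{label:36s} {status}")
```

The fourth case is why other comments in this thread pair on-card data with a later central reconciliation: per-station memory alone only bounds reuse to once per station.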

Lock and Key (0)

Anonymous Coward | more than 2 years ago | (#41405649)

Every key has a lock. There should be a central bookkeeping server that counts how many fares were used, or the expires timestamp. Otherwise, the smartcard isn't a key; it's a crowbar!

Re:what "take advantage"? (1)

Pinhedd (1661735) | more than 2 years ago | (#41405699)

It's hard to have reliable network access to a central authority while moving on the ground. 3G/LTE services cut in and out at times even while standing still. Dropouts are amplified while on the move and connection quality is similarly degraded. To make matters worse, connection can be lost completely if the vehicle goes underground.

Re:what "take advantage"? (0)

Anonymous Coward | more than 2 years ago | (#41405741)

It's hard to have reliable network access to a central authority while moving on the ground. 3G/LTE services cut in and out at times even while standing still. Dropouts are amplified while on the move and connection quality is similarly degraded. To make matters worse, connection can be lost completely if the vehicle goes underground.

The way I understand DC to work, the busses operate offline, and can easily be scammed. But they record transactions and sync them later.

Any cards found later to be out of sync get blacklisted and pop an alert if you ever use them in the metro.

Re:what "take advantage"? (1)

AK Marc (707885) | more than 2 years ago | (#41405761)

These are subways. They have wires and cables running to them that physically interconnect with the rest of the subway network. 3G/LTE on that would be silly. It's immobile, underground, and already wired.

same cards are used on the bus (1)

Joe_Dragon (2206452) | more than 2 years ago | (#41405817)

same cards are used on the bus and the bus is not wired to network.

Re:same cards are used on the bus (1)

MachDelta (704883) | more than 2 years ago | (#41406537)

Actually some buses are. They have a GPS receiver and some kind of wireless uplink (probably cellular), so that riders can view a (near) real-time map on their phone/tablet/laptop/etc. and see when their ride is going to arrive. It's quite handy.

Re:same cards are used on the bus (1)

AK Marc (707885) | more than 2 years ago | (#41406601)

I don't disagree. But those comments are off topic when discussing riding the subway for free.

Re:same cards are used on the bus (0)

Anonymous Coward | more than 2 years ago | (#41407721)

Virtually no one is building these card systems and only planning on using them for one mode of transit. Here in Seattle it's the same card for buses, light rail, heavy rail, ferries, water taxis, and who knows what else - and it's the same idea all around the world.

The only constant is that the name of the system, if it's implemented correctly, has to start with O and it needs to be aquatic. Orca (Puget Sound/Seattle), Oyster (London), Octopus (Hong Kong), etc. :-).

Re:what "take advantage"? (1)

Nikker (749551) | more than 2 years ago | (#41408487)

Maybe a simple blinking LED would be all they really need.

Balance on the card? (4, Insightful)

Nethemas the Great (909900) | more than 2 years ago | (#41405631)

Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

buses don't have a 100% live link (3, Informative)

Joe_Dragon (2206452) | more than 2 years ago | (#41405831)

buses don't have a 100% live link

Re:buses don't have a 100% live link (1)

Velex (120469) | more than 2 years ago | (#41405859)

Why does the link need to be 100% live? Wouldn't 3G do? I'm assuming a bus implies a metro area.

Re:buses don't have a 100% live link (2)

eepok (545733) | more than 2 years ago | (#41405981)

Expense. Taxis have live links because they're profit-generating. A trip in a taxi is charged per mile and at a major premium. Bus fare is deficit-minimizing and offers the opportunity to travel very long distances for very little cost.

Subways and light rail, though, can be different. Some charge per boarding while others charge per the distance between boarding and exiting.

Also, consider what would happen if cellular service was unavailable. You'd have to create a charge-caching system and then do bulk transactions when reception is found.

Live transactions are a bit more complex than "$1.50 from the amount on this card."

Re:buses don't have a 100% live link (0)

Anonymous Coward | more than 2 years ago | (#41406065)

3G has worse latency (compared to a disconnected system) and is not reliable enough. Also, network access makes nodes more expensive and adds several points that can fail.

Also remember that the only entity that benefits from higher security is the entity that has to pay for the security.

Re:buses don't have a 100% live link (2)

Idbar (1034346) | more than 2 years ago | (#41406125)

So you want to replace a card with stored balance, with a whole wireless network infrastructure that would considerably increase fares.

Honestly, I think a better solution is to have unique ticket identifiers (that don't follow sequences of course), carry the current balance on the card, but update the balance when the bus is near a paying station or in the parking lot (during shift change). At some point, you can actually invalidate the cards that seem fraudulent due to updates with similar values.

Re:buses don't have a 100% live link (1)

Anonymous Coward | more than 2 years ago | (#41405871)

In the San Francisco Bay Area they do!

Re:buses don't have a 100% live link (1)

Anonymous Coward | more than 2 years ago | (#41405947)

Hell, some buses even provide a wifi access point (served through Clear's 4G network)

Re:buses don't have a 100% live link (1)

interval1066 (668936) | more than 2 years ago | (#41406421)

Obviously is a network latency/congestion issue. A LOT of people ride these systems, currently, when you scan a (for example) Bart "Clipper" card the turnstile "beeps" immediately, inducing the card to update its current balance. I can't imagine the latency involved in using a network/centralized solution, but I can imagine the groans as thousands of bay area commuters wait for the turnstile to beep after they wave their Clipper cards at the readers, waiting for the central office to send the current balance to the card...

Re:buses don't have a 100% live link (2)

starblazer (49187) | more than 2 years ago | (#41406669)

Considering hundreds of thousands of cars make it through an iPASS system in Illinois... the delay wouldn't be so bad.

Let's put it this way, iPass reads the transponder, checks the balance, and then flashes a light notifying you of the result in less than a second. The speed limit through those lanes is normally 15 mph but can get as high as 35 and they still read perfectly. The open road tolling doesn't notify you via light but there are plenty of stations still out there that have the light.

The system has to be designed intelligently.... it can be done!

Re:buses don't have a 100% live link (0)

Anonymous Coward | more than 2 years ago | (#41406901)

We have e-tolls in Melbourne Australia on 100km/hr(60mph?) roads. No booths or anything. Just a loud beep when you go through.
They also do number-plate recognition for those without an "e-tag". If you don't pay your toll (within 4 days if you don't have an eTag) you get fined.

Obviously people can cover their numberplates, but this is easily detected by the next police car that sees you.

(laughably however motorcyclists can use their leg to cover a number plate which of course can easily be uncovered during travel!)

Re:buses don't have a 100% live link (1)

Joe_Dragon (2206452) | more than 2 years ago | (#41407249)

Ipass is fixed in place and pre reads the transponder. Also you need to try harder it works at 70+

Re:buses don't have a 100% live link (1)

Nethemas the Great (909900) | more than 2 years ago | (#41405919)

That's not the fault of available technology. In most metro areas that I've been in every taxi cab is capable of conducting live credit transactions. The only requirement to enable such things is a cellular link which should of course be universally available within the area in which public transportation operates.

Re:buses don't have a 100% live link (0)

Anonymous Coward | more than 2 years ago | (#41406129)

But those payment systems aren't really lightning fast... In my experience these always takes at least several seconds to authenticate, that's completely unacceptable for a mass transit system.

Re:buses don't have a 100% live link (1)

Barbarian (9467) | more than 2 years ago | (#41406457)

So store it on the card, and record it on the bus's computer. Download the bus whenever it returns to the depot. Update the balance nightly from a database. Flag cards that come back with a discrepancy at recharge time. If a card has a negative balance (i.e. tampered or spoofed), blacklist it. Download the blacklist to the bus regularly.

Wait, I should patent that. Method and apparatus for a tamper resistant NFC fare card system.

Re:Balance on the card? (5, Interesting)

swillden (191260) | more than 2 years ago | (#41406021)

Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

There are lots of reasons that you might want to store the balance on the card. Increased reliability in the face of network outages, improved performance by eliminating the need for a network round trip and a database query, the ability to deploy in environments without network access at all, the ability to cross incompatible system boundaries... and many more.

Further, if you do it right, there's no reason not to store the balance on the card. Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security. They can perform cryptographic operations to authenticate the commands they're given, and they can make decisions about whether or not they're going to honor the commands based on authentication and on the content of the request and its context (to the degree that they're aware of context).

But building smart card systems is hard, and making them secure adds another layer of complexity and frustration when things just don't work because the damned card keeps rejecting your -- you believe -- properly authenticated and formatted commands. It's normal for the early stages of development to disable security for ease of development and testing... and it's unfortunately pretty common for security to be left off, or at least not thoroughly validated, for deployment. And it mostly works, because contactless smart card readers are relatively rare -- they're not expensive, mind you, haven't been for many years, but they have been uncommon. Except now there's one embedded in every one of an increasing number of high-end smartphone models.

This isn't a fundamental architectural flaw, it's either a detailed design flaw or (very likely) a straight up implementation error. Most likely caused by simple laziness and incompetence (granted that finding competent people in this area of technology isn't trivial, and self-education is a multi-year process).

Re:Balance on the card? (0)

Anonymous Coward | more than 2 years ago | (#41406385)

Because in the US, you run into patents as soon as you do something non-stupid involving technology. I once worked for a foreign company making access-control systems, and on entering the US market, we were immediately sued for violating a patent on storing access data remotely rather than on the card, and the company suing did not want to share its technology at any price. We had the option of compromising security on our systems like everyone else selling access control in the US except this one company, or withdrawing from the US market. We chose the latter.

Re:Balance on the card? (0)

Anonymous Coward | more than 2 years ago | (#41406911)

Crypto sign the authentication information?

Re:Balance on the card? (1)

Nemyst (1383049) | more than 2 years ago | (#41406629)

At least around here (can't say about SF or other cities, but I'm assuming it's similar), they're being incredibly slow with merely installing subterranean antennas so that cellphones can get a signal in the subway. Replacing all the card scanners (and all the cards!) currently in use with wireless or wired ones would be non-trivial for an efficient organization, so I'm assuming it's just about impossible for the average transportation authority.

However, that doesn't mean nothing can be done about it. Just need to have proper encryption, possibly partly on the card itself. Then it just becomes a cat and mouse game between hackers and organizations, as is the case for just about anything end-users can get their hands on.

Re:Balance on the card? (1)

tlhIngan (30335) | more than 2 years ago | (#41407855)

Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

Perhaps, but you can program them to store a serial number AND a rewritable fare value. And be a "treat it like cash" thing - lose it, you lost its value.

What you have is a central database of ID numbers and their values. When a faregate reads the card, it tries to contact the server. If it succeeds in a few seconds, great, it writes the updated value to the card and you go. If the server doesn't respond (too busy or perhaps it's down), you read the value off the card, deduct, write the new value back, and log the ID number for later reconciliation. When the server comes back, the ID numbers are then taken and values updated.

If the user rewrites the value, the next time the faregate manages to contact the server, the proper value is rewritten back.

User will have lots of free trips while the server is down (which can be blacklisted later) but once it comes up, the balance is made to re-agree. If they scored a few extra trips, well, good for them - but that card will be blocked if they try it and the server is contacted.

Heck, during rush hour, the server can load shed - perhaps ignore N out of every 10 transactions, so it stays speedy and remains up, performing the transactions during the less busy times.

So you get some free rides, but you may not know if you'll get lucky (other than when the entire system goes down and everyone's using stored balance only).

Heck, do it right and you can incorporate transfers in at the same time - each trip bills through (in stored value mode - in server mode it'll just deduct $0), but when timestamps are reconciled, extra charges merely get credited back the next time you swipe.
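The offline reconciliation described in this comment and in several earlier ones (log taps on the reader, upload later, compare against a central ledger, blacklist mismatches), as an added sketch that is not code from any poster or transit operator. The event format, names and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real transit data), as uploaded by kiosks and
# by buses when they return to the depot. Fields:
# (time, source, card_serial, kind, amount_cents, balance_read_cents)
EVENTS = [
    (1, "kiosk-1", "C100", "topup", 1000, None),
    (2, "bus-7",   "C100", "tap",    150, 1000),
    (5, "bus-9",   "C100", "tap",    150,  850),
    (1, "kiosk-1", "C200", "topup",  500, None),
    (3, "bus-7",   "C200", "tap",    150,  500),
    (4, "bus-9",   "C200", "tap",    150,  500),   # card still reports 500 after a paid ride
    (6, "bus-7",   "C200", "tap",    150,  500),
    (1, "kiosk-2", "C300", "topup",  600, None),
    (8, "bus-9",   "C300", "tap",    150,  300),   # lower than ledger: some log not uploaded yet
]


def reconcile(events):
    """Replay events in time order against a server-side ledger.

    Returns (ledger, findings, blacklist). Logs from different readers arrive
    in arbitrary order, so they are sorted by time before replay.
    """
    ledger = defaultdict(int)
    findings = []
    blacklist = set()
    for ts, source, serial, kind, amount, balance_read in sorted(events, key=lambda e: e[0]):
        if kind == "topup":
            ledger[serial] += amount
            continue
        expected = ledger[serial]
        if balance_read > expected:
            # Card claims more value than was loaded and not yet spent.
            findings.append((serial, ts, source, "OVERCLAIM", balance_read - expected))
            blacklist.add(serial)
        elif balance_read < expected:
            # Usually a reader whose log is still missing: review, do not ban.
            findings.append((serial, ts, source, "UNDERCLAIM", expected - balance_read))
        # The ledger follows its own arithmetic, never the card's claim.
        ledger[serial] = expected - amount
    return dict(ledger), findings, blacklist


def reader_decision(serial, blacklist):
    """What a reader holding the latest blacklist does with a presented card."""
    return "DENY" if serial in blacklist else "ALLOW"


if __name__ == "__main__":
    ledger, findings, blacklist = reconcile(EVENTS)
    for finding in findings:
        print(finding)
    print("ledger:", ledger)
    print("blacklist:", sorted(blacklist))
```

Only an over-claim leads to a ban here; an under-claim is the normal signature of a bus that has not synced yet, which is the gap the posters accept as "a few free rides".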

Not in Philadelphia (2)

tirerim (1108567) | more than 2 years ago | (#41406511)

Nice try, there's no chance this would work in Philadelphia -- they're still using tokens. (And magstripe for monthly/weekly passes, but definitely no NFC.)

and the non subway / EL system is on hole punch (0)

Anonymous Coward | more than 2 years ago | (#41406615)

and the non subway / EL system is still on the hole punch system.

Yeah, that's great, but... (1)

Anonymous Coward | more than 2 years ago | (#41407097)

The subway system designers aren't quite that stupid.

1. Every card has a non-alterable (for practical purposes) serial number.
2. The systems almost certainly log entrances/exits/charge transactions.

I don't know the details of every system world-wide, but even here in Japan where the train pass cards are heavily encrypted and basically haven't been broken, they still perform audits.

The card is fast because all activity takes place on the card (not a remote database), but the results are still tracked and written to the remote database for auditing. Any card that repeatedly has strange transactions will be blocked by its serial number. The blacklist is sent out to the turnstiles, etc. from the central server, and they will deny use of the card.

Not to mention, you face a serious risk of jail time for saving only a small amount of money.

Chicago (0)

Anonymous Coward | more than 2 years ago | (#41407221)

Chicago is using a touch and go system. It's definitely an RFID system.

Don't believe it would be vulnerable to this specific attack, don't have a card or NFC phone to see if it reads anything from the card.
