Public transportation in distress

Without looking like a glossy magazine, I’m hereby declaring the newfound way to pay in our public transportation dead.
Why? Because security is important.

Delayed multiple times, and without a clear introduction date, the OV-chipkaart (Public Transportation ChipCard) is becoming a small fiasco.
I can safely admit to the fact it really is a good thought. By eliminating paper cards as a payment method, and introducing a tamper-free card which needs no additional checking by humans to detect illegal use of the transportation, several advantages will become reality.
For instance: there will be less nuisance from homeless people using the metro/bus/train as heated and comfortable mobile housing, revenue will increase because everyone has to pay the entire fee, and money is saved on loans and wages as fewer personnel are needed.

Theoretically, the OV-chipkaart is great! In practice, it turns out to be somewhat different.
Lately, a couple of German "hackers" have turned their attention to the RFID tag that is inside every card and is used to store the data concerning the credit you have and any subscription for daily travel. They discovered that the security of the chip and its stored data is terrible and has been deprecated ever since 1883.
The key term here is: Security by obscurity.

That should be a big enough hint that this is not the way to do things.
Hiding keys that unlock the encrypted data was proven to be ineffective by A. Kerckhoffs back in 1883, and is mysteriously implemented in the current version of the OV-chipkaart, which leads to the inevitable conclusion that the card is unsafe and not ready to be rolled out.
The question that should be asked is the following: Why is such an ineffective way of securing the system used, and what should be done to protect the data better?

4 thoughts on “Public transportation in distress”

  1. Additional info: Translink Systems BV, who have developed the system behind our OV chipkaart, claim the hackers have only penetrated the outermost layer of security of the card; yet I’m obliged to believe the claims of the hackers who say they have succeeded in tampering with all information stored in the RFID-chip and in the system through the unmodified card but with a modified reader/writer. It could all be done with about €100 of equipment and a few lines of code!
    They tell us the credit on the card can be increased and the personal data can be stolen from the card; both are severe issues which should be addressed before a public rollout of the system in the entire country.

    It being already postponed from January 2008 to sometime in 2009 is not providing a certain future for the system.
    Please do not misunderstand my point: I’m in favor of introducing such a system: the current implementation however is awful.
