Following the recent news that German students successfully cracked the first layer of protection of the OV-chipcards, which can be used with a subscription to travel on public transportation in the Rotterdam area, more news surrounding this system surfaced yesterday.
A couple of Dutch students from the University of Nijmegen have successfully copied the throw-away version of the OV-chipcard, enabling them to travel for free, as a new copy can be made without much added effort.
This news has ‘shocked’ our Tweede Kamer, and a ‘spoeddebat’ (urgent debate) is planned for the upcoming week (which, by the way, was requested last week after the first news).
About 1 million of the subscription-capable cards are currently in use, whilst about 10,000 throw-away cards (dagkaarten) are in use. The impact is thus limited, as only these latter cards are vulnerable (so far).
Again: the company responsible for the cards (TLS) is to blame for this, yet more info on the copying method has to be provided for both us and them to see how the system (and its security features) will cope with this setback.
Edit 1: Apparently, the security of the day card is really weak, as details and information are exchanged in plaintext between the card and the terminal, while the subscription cards encrypt this exchange.
Also, more information on the ‘hack’ is available: the student has created a device called Ghost, which copies all info on the card and can itself be used to open the metro gates and travel on the credit of the original card. So far, it is unclear whether the Ghost can still be used when the mama-card has no credit left. Some indications point to this, yet reasoning from the technique it should not, as the Ghost simply copies the identification of the card and can be used to travel off the same credit as the mama-card.
Edit 2 (2008-01-16): The CPNB only ruled the Amsterdam trial of the OV-chipcard to be illegal because the travel data will be stored for the enormously lengthy time of 7 years! In addition, the Amsterdam public transportation company (GVB) planned to deliver personalized ads based on travel routines. More info has to surface before more can be said about the technical implementation of the security system; I’m still waiting for that to happen (and to post about it 😉 )
I’ll be posting updates whenever more news surfaces!