Security fears raised over London Oyster card

New fears have been raised about the security of London's contactless Oyster travel card after Dutch scientists managed to use a cloned card to travel around on the city's underground for free.

  0 Be the first to comment

Security fears raised over London Oyster card

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

According to press reports the researchers from Radboud University used a commercial laptop to reverse the algorithmic code of NXP's Mifare Classic RFID chip, which is used for millions of smart cards around the world.

They then cloned a swipe card and accessed a Dutch public building before moving onto London and carrying out the same process with an Oyster card and travelling on the underground for the day before restoring its balance.

The team are also thought to have managed to carry out a denial of service attack on a tube gate.

Transport for London says it runs daily tests for cloned and fraudulent cards and insists that any fraudulent cards would be stopped within 24 hours of being discovered.

Researchers from the University revealed in March they had discovered a serious security flaw in Mifare Classic chips relating to an encryption algorithm. They say there is a "relatively easy" method to retrieve cryptographic keys, which does not rely on expensive equipment.

The researchers informed the Dutch government of their findings in March because "national security issues might be at stake".

The Dutch authorities have postponed plans for a transport payment system similar to the Oyster card until the issue is fixed and are replacing all 120,000 swipe cards used by civil servants to enter government building and has posted armed guards outside the offices.

The latest concerns over the security of RFID technology follow a demonstration by security expert Adam Laurie at the Black Hat 2008 conference earlier this year.

At the conference Laurie used his new EMV Chip And PIN credit card reading script, called ChAP.py, to pull the name, account number and expiration date from an audience member's RFID enabled American Express card - without removing the plastic from the victims wallet.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Related Company

Keywords

Comments: (0)

[New Report] Managing Fraud Risks with Synthetic Data: A Practical Approach for Businesses ServicesFinextra Promoted[New Report] Managing Fraud Risks with Synthetic Data: A Practical Approach for Businesses Services Industry