
Another EUSecWest NFC Trick: Ride the Subway For Free

Posted by timothy
from the she's-got-a-ticket-to-ride dept.
itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

  • More like... (Score:2, Insightful)

    by Bill Hayden (649193) on Thursday September 20, 2012 @06:16PM (#41405407) Homepage
    ...ride in a police car for free.
  • Easy answer (Score:5, Insightful)

    by girlintraining (1395911) on Thursday September 20, 2012 @06:28PM (#41405523)

    I suppose the natural solution then would be to ban the app, possibly ban Android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement do... rather than, I don't know, fix the problem with the cards?

  • by holophrastic (221104) on Thursday September 20, 2012 @06:32PM (#41405567)

    That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

    So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not Brinks trucks with armed guards.

    High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.

  • by Nethemas the Great (909900) on Thursday September 20, 2012 @06:40PM (#41405631)
    Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation, not to mention customer service headaches from people losing/damaging their cards?
  • by holophrastic (221104) on Thursday September 20, 2012 @08:03PM (#41406355)

    No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.

    On top of everything though, crime isn't the responsibility of the transportation department. If people are committing fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.
