New Zealand's Hackable Transport Card Grants Free Bus Rides 96
mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009."
There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
Why do transit smartcards need to be hard? (Score:4, Informative)
Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?
You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.
Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.