Officials of Europe's largest transit fare-collection scheme, Oyster, have taken countermeasures against hackers intent on cloning cards and taking free rides on London's underground trains and buses, according to comments made to CardLine Global sister publication Cards&Payments. Oyster, like transit fare-collection schemes and building-access control systems used in hundreds of cities around the world, uses popular Mifare Classic contactless technology.

"Mifare encryption has been cracked, [but] it doesn't mean Oyster has been cracked," says Peter Lewis, Oyster development manager at Transport for London. "We can spot [cloned cards] immediately." He declines to elaborate. Meanwhile, Shashi Verma, the transit authority's director of fares and ticketing, tells Cards&Payments he knows of no Oyster cards that have been cloned. That is despite reports last month that one group of researchers successfully cloned or manipulated an Oyster card and used it to pay for fares to demonstrate the hack.

Western researchers first announced they had broken the encryption algorithm and keys for the low-end Mifare cards in December. Since then, two other groups have said they could break the encryption defenses within seconds. That could enable hackers to steal card details and clone cards or pose as cardholders to enter a Mifare-secure building, the reports said. Since the hacks became public, the Dutch government has halted its transit-ticketing and access-control projects using Mifare.

Netherlands-based NXP Semiconductors, the owner of Mifare and largest supplier of chips using the technology, acknowledges hackers have cracked the low-end encryption on 1-kilobyte and 4K Mifare Classic cards. But the card itself is only one part of the fare-payment or building-access system, says the vendor. "All good systems integrators implement other layers of security," an NXP spokesperson tells Cards&Payments. "Every transport operator needs to have an assessment if it has Mifare Classic running. You cannot make it totally (fool)-proof, (but) you can have a certain amount of security."

Meanwhile, NXP has introduced a more-secure replacement for the Mifare Classic, which NXP launched in 1995. The Mifare Plus, however, will not be available in volume until 1 Jan. Companies could go to the high-end "DESFire" card before then, but it is much more expensive than Mifare Plus.

Transport for London officials say they do not believe it is necessary to swap out cards. "You cannot take the contents of (one) card and put it onto another," Verma says. "That is not to say that threshold will not be crossed."
