Open letter to Infratil (of snapper.co.nz)

Dear Infratil,

Nice to see that you are making efforts to improve the efficiency of payments on our bus system.

However, the system you are using is based on Oyster. This system is insecure by design, as published by a Netherlands University; see for instance:

http://uk.news.yahoo.com/cwire/20080723/ttc-court-rules-university-can-publish-o-78e70a2.html

The Oyster system crashed recently in the UK, with terrible consequences.

"Hacked Oyster Card System Crashes Again" http://hardware.slashdot.org/hardware/08/07/25/1239225.shtml "Oyster system crash leaves 65,000 needing new cards" http://www.guardian.co.uk/uk/2008/jul/14/london.transport?gusrc=rss&feed=networkfront

While I have not yet read the paper in question, the essence of the issue is that the RFID cards are an "open book" - it relies on the system recognizing a previously issued token, and replacing it with another one which has a different value encoded.

Update: actually, no. RFID devices can do powered operations. Oops :-} Most of the following is a carried error.

Or - it simply has an account number encoded on the card which is read and an internal account debited.

However these systems are inherently vulnerable to fraud. If the card's information can be read by a reader, it can also be copied to another blank card. This has been seen in London with cards being "stolen" by people coming close enough to other people to read their card's contents with their portable RFID devices, and then making duplicates of these cards.

My open questions to you are:

Have you investigated the failings demonstrated by the Netherlands researchers, and if my above description of them is not accurate, can you explain for us what the issues were?
How does the card system prevent theft of cards?
What contingencies are in place should the above problems affect the Snapper system?

Now, we're not silly here, so if you want your answers to the technical questions to have credibility, they should be referenced - to a well-known book in the computer security literature (eg, _Applied Cryptography_, Schneier, which if my memory serves me correctly outlines a secure digital cash system), or a relevant published paper, that outlines the way that the system can be considered secure. If the technology behind Snapper is secure, publishing this information will not pose a security risk. Failing to answer this question will leave myself and the public forced to conclude the obvious - that like the Oyster system, basic security considerations have been skimped on in order to bring a product to market.

Personally, I think that the best idea here is to ask for the developers of the technology to fulfil their obligations under NZ's fair trading act, and deliver a system which is fit for the purpose for which it was sold.

This would involve, by my reckoning;

Implementation of a system which the cash cards implement a secure digital cash system;
- These cards would likely need a chip, so that it can hold the secrets necessary for these systems to function and not reveal those secrets during transactions as the current system does.
- This chip could have its own power, and communicate via the RFID units already installed, which would require development of the technology and deployment of altered software in the embedded systems used to read and update the cards
- As an alternative, the card could work more like a smart card, which would require a change in design of the readers, such that you would have to swipe them
- Or, they would have to be in constant radio contact with a central payment clearing system, similar to the current EFTPOS system.
The releasing of a contingency plan for the mean-time, and a plan for the new equipment to be deployed (if the solution requires it).

Cheers, Sam Vilain.