In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.
Reading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I’d put money on the information they’re holding back being details on the checksum algorithm.
It wouldn’t need an account. The card can have all the data (in case it is used in an offline situation) but also have a unique serial number.
So when an official ticket machine charges the card, it also logs the balance/tickets on the card with that ID in a central database too. Yes, it needs to be “online” within their own network. But, I’d be concerned if a large city transit didn’t have their own network already.
Whenever it is used, provided the ticket reader has a connection it would be verified against the stored record. If the connection is offline then it uses the local stored information.
I do wonder in a transit system like this what the advantage to an offline system is. If someone works out your “CRC32 except I xored the result with 1337” algorithm, then you’re boned and a lot of kit is “offline” and thus cannot easily be upgraded too.
Reading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I’d put money on the information they’re holding back being details on the checksum algorithm.
Doesn’t having an account require an online system? By making the card authoritive you can build and offline system.
It wouldn’t need an account. The card can have all the data (in case it is used in an offline situation) but also have a unique serial number.
So when an official ticket machine charges the card, it also logs the balance/tickets on the card with that ID in a central database too. Yes, it needs to be “online” within their own network. But, I’d be concerned if a large city transit didn’t have their own network already.
Whenever it is used, provided the ticket reader has a connection it would be verified against the stored record. If the connection is offline then it uses the local stored information.
I do wonder in a transit system like this what the advantage to an offline system is. If someone works out your “CRC32 except I xored the result with 1337” algorithm, then you’re boned and a lot of kit is “offline” and thus cannot easily be upgraded too.