Can an Oyster Card be hacked?
June 22, 2007 6:45 AM

As I was leaving the Tube yesterday, a security guard scanned my Oyster card with a handheld device just before I was about to scan out through the barrier.

This made me wonder why. What was it his handheld scanner would show that the normal barrier scanner couldn't pick up? The only thing I could think of was that somehow Oyster cards can be faked and he was checking the status of the card against the main central database.

Oyster card?
If you're wondering what an Oyster card is, it's a new contactless smartcard that you use instead of a normal ticket on the London Underground. It uses Philips' MIFARE Standard 1k chips provided by G&D and SchlumbergerSema. It is the same contactless smartcard as the Touch 'n Go card in Malaysia, which is mainly used for tollway fares.
http://en.wikipedia.org/wiki/Oyster_card

I found a MIFARE card writer on eBay. Could this do it?
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=250134169733

So my question is:
1.) Can Oyster cards be hacked and faked?
2.) How would it be done?
posted by complience to Technology (18 answers total)
 
Discussion of security of the Oyster card, with response from Transport for London here.
posted by mdonley at 6:52 AM on June 22, 2007


'he was checking the status of the card against the main central database.'

Surely this happens on every normal use of the card anyway?
posted by edd at 7:03 AM on June 22, 2007


It could be that he was checking you actually had the credit to travel, and that you weren't just waving around an empty card and planning to 'tailgate' someone through the barriers.
posted by danteGideon at 7:18 AM on June 22, 2007


Response by poster: No, the card is not checked against a central database normally. All the credit details are held on the card. At the end of each day details of your travel movements are sent to a database and kept for 8 days.

Why check if I have credit, when the barrier will check that when I go through? It's virtually impossible to tailgate, the barriers are so small and quick. And why not just wait and watch to see if I do? Plus I work in an office and wear a suit, not exactly a good candidate for that sort of behavior.
posted by complience at 7:25 AM on June 22, 2007


2600 did a big thing (it was picked up by the NYT in 2005) about people trying to hack Oyster and the NYC version of the same. I am sure you can find articles, but if you're trying to hack it and failing, why don't you just go and steal someone's credit card information and load up an Oyster with that money? I mean, either way, you are breaking the law.
posted by parmanparman at 7:41 AM on June 22, 2007


Hm. Balance/expiry information is kept on the Oyster itself - if it contacted a database to check, a network problem would prevent people from exiting. So, there's no reason it can't work, if two problems are overcome:

- The information on the card is encrypted. That guy offers MIFARE readers, and points out cracking the password takes an age or two. I don't know of any claims to have brute-forced the encryption. Even a run-of-the-mill scheme would take the NSA to break.

- Also, it's possible that the central system keeps track of money on cards asynchronously, checking no discrepancy occurs between its records and the data on the card. If it does that, it could easily mark the Oyster as invalid, blocking gates if they can act on such information, and probably triggering a human investigation.

Cloning an Oyster onto a new card is probably a better bet, defeatable only if RFID cards contain a hardware, read-only serial number used in the encrypted information.

Regardless, using a hacked Oyster would legally be fraud. Not even mentioning the moral arguments there, I'd find it pretty stupid to engage in fraud against a company whose system can trivially detect it, and knows exactly where and when to find you...
posted by Spanner Nic at 7:54 AM on June 22, 2007


I work in an office and wear a suit, not exactly a good candidate for that sort of behavior.

I think you are mistaken on that. Also, tailgating happens on a daily basis.

Anyway, I doubt this guy's handheld scanner had a realtime link to the central Oyster database. I think what he was looking for was less esoteric—people who hadn't touched in. If you went to the gates, you would only get a £4 maximum fare for doing so, but a real live authorized person checking your ticket could give you a £20 penalty fare, or have you prosecuted (£££) for fare evasion. As LUL continually warns people.
posted by grouse at 7:56 AM on June 22, 2007


Is there perhaps a discount in place for 65+ people or children? Perhaps he was just checking you had a 'normal' card and were not travelling cheaper on someone else's card?
posted by sebas at 8:00 AM on June 22, 2007


Yes, sebas, there are several types of Oyster card that are tied to individuals for discounts, so that's another reason. I believe (but am not sure) that most of these are identifiable as special cards just by looking at them, so scanning would be unnecessary if this were all he cared about.
posted by grouse at 8:03 AM on June 22, 2007


The way that these are typically "hacked" is to take a special card and clone it onto a normal one. When NYC introduced the Metrocard (eliminating the "New York Dollar Coin" tokens), the targets of choice were the employee cards, because MTA employees ride for free.

So while a real discount or employee card can be identified on sight (so the guard can easily spot it when the 40-ish lawyer uses his teenager's student-discount card), the cloned ones must be identified electronically.

My guess is that London has a bit of a problem with this, and is looking to get a handle on it.
posted by toxic at 8:50 AM on June 22, 2007


toxic: If you cloned an Oyster card, the system would be able to identify the discrepancy and block the card overnight during batch operations.
posted by grouse at 9:07 AM on June 22, 2007


It is actually quite easy to accidentally tailgate. Once or twice I've "touched out" and left through the gate, immediately after someone else, only to hear the "seek assistance" alarm telling me there's a problem with my card.

Or if it was crowded he could have been operating a manual scanner before directing people out through a manual gate? But you would have mentioned that.

Or... pointless bureaucratic makework monitoring nonsense from Transport for London. It sure as hell wouldn't be the first time.
posted by game warden to the events rhino at 9:22 AM on June 22, 2007


2600 did a big thing (it was picked up by the NYT in 2005) about people trying to hack Oyster and the NYC version of the same.

There is no New York version. New York cards have to be swiped.

posted by dame at 10:14 AM on June 22, 2007


"My guess is that London has a bit of a problem with this, and is looking to get a handle on it."

Something else is strange - if I find a discarded Oyster card I'll pick it up, take it inside and scan it. Usually the balance is zero or damn close to it, maybe twenty pence or so. But twice now, and only recently mind you, I've found discarded Oyster cards with large negative balances. Once almost ten pounds, the second time twelve pounds.

Negative. I didn't know you could run up such a large, negative balance.

So I agree. I think there is already some problem going on they are trying to get control of.
posted by Mutant at 10:37 AM on June 22, 2007


A negative balance is easy to contract with an auto topup card. When your balance falls below the minimum amount (£5 I think), your designated amount (£10 or £20 usually) is added to your card the next time you touch in, but the actual card transaction takes place later. If you don't have sufficient funds, or, as seems to be the case around 70% of the time, the transaction fails for no reason, and hey presto you've got a negative balance, and an infuriating call to customer 'services' in your near future.
posted by influx at 11:18 AM on June 22, 2007


If you cloned an Oyster card, the system would be able to identify the discrepancy and block the card overnight

That was supposed to be true of NYC, too. It took years before the cloned employee cards were finally locked out.

There are still reportedly some problems with cloned unlimited/monthly cards circulating, but once MTA started requiring you to wait 20 minutes to use the same card twice in the same station, the effectiveness of cloning went way way down. In short, they cut the effectiveness of a cloned card through a systematic rule change, and not by applying countermeasures directly towards cloned cards.

The Oyster system and NYC systems are different from one another (in particular, the NYC one does not store value on the card -- the card is simply a unique identifier). But, all stored value systems are sweet targets for hackers -- and one of the more common ways to target this sort of system is to be able to produce a working copy of an existing card.
posted by toxic at 4:39 PM on June 22, 2007


The Oyster system and NYC systems are different from one another (in particular, the NYC one does not store value on the card -- the card is simply a unique identifier)

This is the key difference here. As soon as you use either the legitimate Oyster card or its clone, the other card's stored value will no longer match up with what's in the central database, when the system tries to reconcile all the transactions overnight.

Regardless, cloning an Oyster card poses great difficulty. On the other hand, it is extremely easy to enter the system without touching in as there are many places where the LU revenue area is not protected by gates. Furthermore, LUL acknowledges that many people have not been touching in/out, and has therefore tightened the rules on doing so and been warning people for the last few months that they will get penalty fared or prosecuted for doing so. With all this, I think it is very unlikely that the staff member was looking for cloned employee passes rather than people who just didn't touch in.
posted by grouse at 5:57 PM on June 22, 2007
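
The overnight reconciliation described in the comment above, sketched as an added example (not part of the thread and not TfL's actual system). The record layout, the per-card transaction counter and the card IDs are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class GateRecord(NamedTuple):
    # Hypothetical layout; the real back-office fields are not given in the thread.
    card_id: str
    seq: int             # assumed per-card counter, incremented on every write
    balance_before: int  # pence, as read from the card by the gate
    balance_after: int   # pence, as written back to the card
    station: str

def reconcile(records, central_balance):
    """Overnight batch: return {card_id: reason} for cards whose records cannot
    come from one physical card; update central_balance for consistent cards."""
    by_card = defaultdict(list)
    for r in records:
        by_card[r.card_id].append(r)
    hotlist = {}
    for card_id, recs in by_card.items():
        recs.sort(key=lambda r: r.seq)
        expected = central_balance.get(card_id)
        if expected is None:
            hotlist[card_id] = "card unknown to central system"
            continue
        last_seq = None
        for r in recs:
            if r.seq == last_seq:        # two cards wrote the same counter value
                hotlist[card_id] = f"counter {r.seq} used twice (at {r.station})"
                break
            if r.balance_before != expected:  # stored value diverged from ledger
                hotlist[card_id] = (f"balance on card {r.balance_before}p, "
                                    f"ledger expected {expected}p (at {r.station})")
                break
            expected, last_seq = r.balance_after, r.seq
        else:
            central_balance[card_id] = expected  # consistent chain: commit it
    return hotlist

# Constructed sample data: A1 is used normally, B2 and a copy of B2 are both used.
LEDGER = {"A1": 1000, "B2": 500}
DAY = [
    GateRecord("A1", 41, 1000, 850, "Bank"),
    GateRecord("A1", 42, 850, 700, "Oxford Circus"),
    GateRecord("B2", 7, 500, 350, "Brixton"),
    GateRecord("B2", 7, 500, 350, "Stratford"),  # same counter, second card
    GateRecord("B2", 8, 350, 200, "Victoria"),
]

if __name__ == "__main__":
    print(reconcile(DAY, dict(LEDGER)))
```

This sketch does not flag counter gaps (for example, a gate whose records arrive late), so a real batch job would also need a rule for missing records.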


Regardless, cloning an Oyster card poses great difficulty.
posted by grouse at 5:57 PM on June 22, 2007

