Security of Oyster cards

Are there any facts on cloned Oysters?

At a discussion with bus operator recently who is introducing a sort of
Oyster. Discussions they had had with TfL suggest that TfL is only aware of
one successful clone through the whole history of Oyster. That loophole is
now closed of course. I presume 'successful' here means it was used for more
than 24 hours before being spotted.

Both TfL and the bus company seem pretty confident that they are ahead of
the cloners. Although I dare say an army of computer nurds/criminal gangs
are trying to prove them wrong.

David

On Tue, 24 Jun 2008 10:51:27 +0100, David Thornhill wrote:

> Are there any facts on cloned Oysters?

This sort of thing tends to have a lot of 'security by obscurity'.


> Both TfL and the bus company seem pretty confident that they are ahead
> of the cloners. Although I dare say an army of computer nurds/criminal
> gangs are trying to prove them wrong.

Cloning is going to happen. It will be impossible to prevent. They will
be working to reduce the loss from cloning by various means, but stopping
it completely would be near impossible. One way of slowing things down is
to reduce the amount of money to be made. Have a system with known flaws
but it isn't worth an organised gang's time to exploit it.

Some one infiltrating the card production/encoding facility and selling
cards/top ups out the back door would have far greater potential for loss
I think. (Until an audit caught the perpetrator, the cards would look
legit to any normal data mining cross check).

In article <4862b8f7$0$17506$afc38c87@news.optusnet.com.au> ,
Matthew Geier <matthew@no.sleeper.no.apana.no.org.no.au> wrote:

> It's going to depend on the operating frequency of the cards and how
> clever the software is in the reader at dealing with the data stream it
> gets back from the 'foreign' card - or even if it can read the data at
> all. If two cards respond at exactly the same time, I would imagine their
> data streams would be corrupted and not be readable.
>
> I doubt the case of people carrying cards together from multiple systems
> was even considered :-)

I thought one of the design aims for some RFID systems was to be able to
scan a basket full of shopping without having to handle each item
separately. I have no idea how that was supposed to work and I may have
misunderstood, but that would certainly require disentangling multiple
responses.

Sam

In message <486407a8$0$26090$db0fefd9@news.zen.co.uk>, at 22:18:33 on
Thu, 26 Jun 2008, Q <?.?.?@?.?.?.invalid> remarked:
>There is no reason you couldn't program an existing access card with
>'oyster' (Assuming TfL would let you) and use the same card for both
>building access, and travel.

My "other" two cards are a building access card and a Nottingham City
Transport [bus] pre-pay card.

What would start concerning me a lot, is if the e-ticketing that's in
the franchise commitment of several ToCs in the latest round were to
involve me having

(a) More than one extra card in my wallet to store all ToC's tickets on
(b) Any additional "RF incompatibilities" with existing cards like
Oyster and NCT such that they need to be removed from the wallet
before use.
--
Roland Perry