NFC is a great technology, but like anything in this digital age security is perhaps the most important element of all. A group of hackers at the EUSecWest security conference in Amsterdam showed how it was possible to manipulate some NFC-based fare cards to allow a metro rider to get free rides.
Using an app called “UltraReset,” riders can roll their balance back up to, say, ten rides should they use all of them up. The way that it works is that the application reads a balance of ten rides from the initial card you purchase.
Once you’ve used all those rides up, your Android phone will write that information back to the fare card and use it as if you’ve purchased another ten rides — and you can keep doing this as much as you want to. Apparently this works for NFC-enabled subway systems in New Jersey and San Francisco, and it may work for even more that have yet to be tested.
One of the presenters, Corey Benninger, demonstrated an ability to read the card’s data using a modified version of “UltraReset” called “UltraCardTester.” The latter only demonstrates the ability to read, not write.
The full app is not being released for fear of abuse by those looking to save some bucks, but Benninger notes that it is so easy to code an app to manipulate the metro cards that someone with little programming experience can just as easily make their own app.
The reason for bringing this up is not to dangle some desirable functionality in our faces, of course — they simply want these cities to get the message and plug up holes that could eventually cost them hundreds of thousands of dollars in revenue due to false rides. Benninger says the fix is easy, and that it simply requires a more secure NFC chip or a better way of handling the “on/off” bits that represent each ride in the back-end.
Both cities confirmed to be vulnerable are said to be using Mifare Ultralight chips, and unless other cities have a more secure and practical back-end to handle the “bits” there’s a good chance they could be just as vulnerable if they employ these chips.
It’s an interesting development that has us wondering if many of these industries are ready for NFC. Whether it be due to lack of competence by engineers or lack of understanding of what, exactly, NFC is providing in terms of the balance between convenience and security, one thing is for sure — it’s still a relatively new technology that could mean dire financial consequences for a government or business if they’re not on their P’s and Q’s.
Unless those who are employing it completely understand what they’re doing with it we could see NFC failing fast if it happens to become an economically-taxing fumble. Let’s get it together, guys. [via Computerworld]
[polldaddy poll=6549977]
Poorly implemented tech shouldn’t decide the fate of said tech.
Poorly made security in tech shouldn’t be an excuse.
How about not storing info like that on the NFC chip, and instead just have an account number which is connected to a server that knows the number of rides on the card. Come on now, common sense security. Imagine if banks put your account balance on the actual card, we’d all be billionaires.
Well that’s how it’s done. The NFC chip in your phone does not store anything on itself, but is ready to transmit information provided by the phone. It’s not like the Mastercards that had RFID’s with permanent info written on them.
Exactly.
Doesn’t really seem to me like a problem with NFC per se, this setup would be a huge problem if it used re-writable magnetic strips or any other technology to implement it.
The first thing I thought, who the hell designed a system like that? It’s such a basic flaw, they must be hiring people with completely no experience :)
People finding ways around a system is nothing new and it will continue to happen regardless of the technology used.
Japan and other countries has had NFC working flawlessly for about a decade now, why can’t the USA catch up with the rest of the world?
Because the USA resists any change.
Because th iPhone has not it…
just because nobody did it yet doesn’t mean theirs is safe from this.
i know this could work in dutch public transport too, though you’re being tracked by the system so there is a chance you get caught.
I blame Apple for everything! lol
Aren’t these arguments the same kinds of arguments we hear every few years for:
-banking online
-shopping online
-ATMs
-monthly train passes that are electronic
-bridge/toll transponders
-Credit cards instead of cash
-safes with electronic locks instead of mechanical
-car doors that unlock with key fobs instead of a key
…… Just embrace it and stop fighting it.
i love how blame apple is the highest voted.
Love how I blame Apple is the number 1 answer lol
OK come on now “I blame apple” really? Android fans (and i am one but not in this way) have become sheep as well just on a different farm…better yet android defined is a robot with a human appearance…has google turned us all into their own version of what we call isheep…yea sort of…NO!! NOT ME IM BUYING AN IPHooooo……..zzzzzzzzzzzzzzzzz
You are a smart man. Android users are the same sheep. That’s why I use an iPhone 4S and Nexus 7. Best of both worlds!
It all depends on the type of chip used. In the past the NXP Mifare Classic chip was used, and yes, this has already been hacked. Japan uses the Sony Felica chip almost exclusively, although it is generally only used domestically and in a few neighboring regions. As is typical of Sony, there product is more expensive. Newer NXP offerings such as the Desfire module are much more resistant to hacking and offer a secure solution.
I would like to see how it would go if the iPhone 5 has it… I am pretty sure that every review and iSheep would be talking about all its advantages.
I chose blame apple for their lack of adoption of it.
As much as we hate to admit it, if Apple would finally add NFC to the iphone, it would take off
USA is a fat lazy country of convenience, and people take advantage of that. Others are smart and take advantage of the dumb and find loopholes and vulnerabilities!
Apple does both. They loophole the patent system, use money to buy what is not for sale and take advantage of iDiots
these poll options suck. the problem isn’t NFC, it’s that they were cheap on their infrastructure and programmed the amount of rides into the storage instead of some sort of accounting system. any type of device that they stored “you have 10 rides left” on would be vulnerable to simply re-writing “you have 10 rides left” on it after using it.