Home Business IT Security Myki: The mess that keeps on messing (updated)

1.1 million Myki cards will be replaced in response to the announcement that they can be cloned.

Update: TTA has advised iTWire that cards will not be replaced.

Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it.  All fine (although a tiny bit crazy) thus far.  Next, you clone the card 1,000 times and sell the clones for $200 each.

It's a win-win-lose proposition!

You win, the purchaser wins, but unfortunately, the Transport Ticketing Authority (TTA) loses.

iTWire has reported extensively on the whole Myki saga on numerous occasions.  Through all this history, virtually nothing positive has come out of the entire project.  We have seen function contraction, cost blow-out and foolishness time and time again.

And now we have the latest saga. (Update: see the bottom of the page for details)

Fresh from the announcement that there will be no single-use tickets when Metcard is switched off next year, we hear today that every single Myki on issue will have to be replaced.

It seems that German researchers have discovered a way to clone the current cards, based on the MiFare DESfire platform.  Although not easy, taking around 7 hours to perform the clone, this is a sign that such attacks will get easier and faster as time progresses.

TTA Chief Executive Bernie Carolan is reported as saying that the public "don't need to worry about the security of their Myki card.

"There is no reason to assume any cards will become wasted or inoperable," he said.  "The TTA, through its contractor Kamco, has already begun developing a migration strategy to a newer version of chip, the MIFARE DESFire EV1."

The researchers (David Oswald and Christof Paar of the Ruhr University) are reported to have said that they can see no similar gaps in the security of the EV1, but time will tell if that remains true.

Carolan has insisted (probably correctly) that the stored value on an existing card cannot be fraudulently increased, but that clearly doesn't address the cloning issue.

So, fresh from all manner of attacks, including hacked electronic passports and related documents, yet another nail is hammered into the coffin of smartcard based systems.

For the technically-minded the research paper is available here.

Update follows:

A TTA spokesperson contacted iTWire to dispute many of the points made and directed our attention to the Myki website, where a statement by CEO Bernie Carolan may be found (click on the big blue security button).

In this statement, Carolan insists that Mifare DESFire is the safest card available, yet the researchers who discovered the problem suggest strongly that the DESFire EV1 variant is a much better choice as their attacks have not yet penetrated this version.

Carolan's statement also observes that the attack is quite sophisticated and cannot be done "simply by walking past a cardholder."  Unfortunately, neither this report nor any other that this author has read made any such claim.  The statement also claims (possibly correctly) that existing security initiatives are sufficient.  For now.

As any security researcher will tell you, attacks only ever get better over time; a small chink in the armour now will turn into a paper-thin wall as the research continues.

The fact that TTA has chosen to NOT replace the cards says more about their focus on costs than on security.



Download an in-depth guide to managing a healthy, motivated and energetic workforce without breaking the bank.


David Heath

joomla statistics

David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.






Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities