Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.
It's a win-win-lose proposition!
You win, the purchaser wins, but unfortunately, the Transport Ticketing Authority (TTA) loses.
iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.
And now we have the latest saga. (Update: see the bottom of the page for details)
Fresh from the announcement that there will be no single-use tickets when Metcard is switched off next year, we hear today that every single Myki on issue will have to be replaced.
It seems that German researchers have discovered a way to clone the current cards, which are based on the MIFARE DESFire platform. Although the attack is not easy, taking around 7 hours to perform the clone, this is a sign that such attacks will get easier and faster as time progresses.
TTA Chief Executive Bernie Carolan is reported as saying that the public "don't need to worry about the security of their Myki card.
"There is no reason to assume any cards will become wasted or inoperable," he said. "The TTA, through its contractor Kamco, has already begun developing a migration strategy to a newer version of chip, the MIFARE DESFire EV1."
The researchers (David Oswald and Christof Paar of the Ruhr University) are reported to have said that they can see no similar gaps in the security of the EV1, but time will tell if that remains true.
Carolan has insisted (probably correctly) that the stored value on an existing card cannot be fraudulently increased, but that clearly doesn't address the cloning issue.
So, fresh from all manner of attacks, including hacked electronic passports and related documents, yet another nail is hammered into the coffin of smartcard-based systems.
For the technically-minded, the research paper is available here.
A TTA spokesperson contacted iTWire to dispute many of the points made and directed our attention to the Myki website, where a statement by CEO Bernie Carolan may be found (click on the big blue security button).
In this statement, Carolan insists that MIFARE DESFire is the safest card available, yet the researchers who discovered the problem suggest strongly that the DESFire EV1 variant is a much better choice, as their attacks have not yet penetrated this version.
Carolan's statement also observes that the attack is quite sophisticated and cannot be done "simply by walking past a cardholder." Unfortunately, neither this report nor any other that this author has read made any such claim. The statement also claims (possibly correctly) that existing security initiatives are sufficient. For now.
As any security researcher will tell you, attacks only ever get better over time; a small chink in the armour now will turn into a paper-thin wall as the research continues.
The fact that TTA has chosen to NOT replace the cards says more about their focus on costs than on security.