Myki: The mess that keeps on messing (updated)



1.1 million Myki cards will be replaced in response to the announcement that they can be cloned.

Update: TTA has advised iTWire that cards will not be replaced.

Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it.  All fine (although a tiny bit crazy) thus far.  Next, you clone the card 1,000 times and sell the clones for $200 each.

It's a win-win-lose proposition!

You win, the purchaser wins, but unfortunately, the Transport Ticketing Authority (TTA) loses.

iTWire has reported extensively on the whole Myki saga on numerous occasions.  Through all this history, virtually nothing positive has come out of the entire project.  We have seen function contraction, cost blow-out and foolishness time and time again.

And now we have the latest saga. (Update: see the bottom of the page for details)

Fresh from the announcement that there will be no single-use tickets when Metcard is switched off next year, we hear today that every single Myki on issue will have to be replaced.

It seems that German researchers have discovered a way to clone the current cards, which are based on the MIFARE DESFire platform.  Although the attack is not easy, taking around 7 hours to perform the clone, this is a sign that such attacks will get easier and faster as time progresses.

TTA Chief Executive Bernie Carolan is reported as saying that the public "don't need to worry about the security of their Myki card.

"There is no reason to assume any cards will become wasted or inoperable," he said.  "The TTA, through its contractor Kamco, has already begun developing a migration strategy to a newer version of chip, the MIFARE DESFire EV1."

The researchers (David Oswald and Christof Paar of the Ruhr University) are reported to have said that they can see no similar gaps in the security of the EV1, but time will tell if that remains true.

Carolan has insisted (probably correctly) that the stored value on an existing card cannot be fraudulently increased, but that clearly doesn't address the cloning issue.

So, fresh from all manner of attacks, including hacked electronic passports and related documents, yet another nail is hammered into the coffin of smartcard-based systems.

For the technically-minded the research paper is available here.

Update follows:

A TTA spokesperson contacted iTWire to dispute many of the points made and directed our attention to the Myki website, where a statement by CEO Bernie Carolan may be found (click on the big blue security button).

In this statement, Carolan insists that MIFARE DESFire is the safest card available, yet the researchers who discovered the problem suggest strongly that the DESFire EV1 variant is a much better choice as their attacks have not yet penetrated this version.

Carolan's statement also observes that the attack is quite sophisticated and cannot be done "simply by walking past a cardholder."  Unfortunately, neither this report nor any other that this author has read made any such claim.  The statement also claims (possibly correctly) that existing security initiatives are sufficient.  For now.

As any security researcher will tell you, attacks only ever get better over time; a small chink in the armour now will turn into a paper-thin wall as the research continues.

The fact that TTA has chosen to NOT replace the cards says more about their focus on costs than on security.

 


David Heath


David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.
