Home Business IT Security Myki: The mess that keeps on messing (updated)


JUser: :_load: Unable to load user with ID: 3018

Myki: The mess that keeps on messing (updated)

  • 12 October 2011
  • Written by 
  • Published in Security

1.1 million Myki cards will be replaced in response to the announcement that they can be cloned.

Update: TTA has advised iTWire that cards will not be replaced.

Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it.  All fine (although a tiny bit crazy) thus far.  Next, you clone the card 1,000 times and sell the clones for $200 each.

It's a win-win-lose proposition!

You win, the purchaser wins, but unfortunately, the Transport Ticketing Authority (TTA) loses.

iTWire has reported extensively on the whole Myki saga on numerous occasions.  Through all this history, virtually nothing positive has come out of the entire project.  We have seen function contraction, cost blow-out and foolishness time and time again.

And now we have the latest saga. (Update: see the bottom of the page for details)

Fresh from the announcement that there will be no single-use tickets when Metcard is switched off next year, we hear today that every single Myki on issue will have to be replaced.

It seems that German researchers have discovered a way to clone the current cards, based on the MiFare DESfire platform.  Although not easy, taking around 7 hours to perform the clone, this is a sign that such attacks will get easier and faster as time progresses.

TTA Chief Executive Bernie Carolan is reported as saying that the public "don't need to worry about the security of their Myki card.

"There is no reason to assume any cards will become wasted or inoperable," he said.  "The TTA, through its contractor Kamco, has already begun developing a migration strategy to a newer version of chip, the MIFARE DESFire EV1."

The researchers (David Oswald and Christof Paar of the Ruhr University) are reported to have said that they can see no similar gaps in the security of the EV1, but time will tell if that remains true.

Carolan has insisted (probably correctly) that the stored value on an existing card cannot be fraudulently increased, but that clearly doesn't address the cloning issue.

So, fresh from all manner of attacks, including hacked electronic passports and related documents, yet another nail is hammered into the coffin of smartcard based systems.

For the technically-minded the research paper is available here.

Update follows:

A TTA spokesperson contacted iTWire to dispute many of the points made and directed our attention to the Myki website, where a statement by CEO Bernie Carolan may be found (click on the big blue security button).

In this statement, Carolan insists that Mifare DESFire is the safest card available, yet the researchers who discovered the problem suggest strongly that the DESFire EV1 variant is a much better choice as their attacks have not yet penetrated this version.

Carolan's statement also observes that the attack is quite sophisticated and cannot be done "simply by walking past a cardholder."  Unfortunately, neither this report nor any other that this author has read made any such claim.  The statement also claims (possibly correctly) that existing security initiatives are sufficient.  For now.

As any security researcher will tell you, attacks only ever get better over time; a small chink in the armour now will turn into a paper-thin wall as the research continues.

The fact that TTA has chosen to NOT replace the cards says more about their focus on costs than on security.



Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?