Some people got just a little too hysterical last week when news of a security vulnerability in Myki came out.
The story broke on Monday, but it wasn’t until Wednesday that the mainstream media got hold of it, with the Melbourne Times running it first, spreading rapidly to The Age, AAP, 3AW and others — and along the way a good deal of misinformation came into play:
MORE than 1.1 million Myki cards are set to be phased out as hackers have found a method of cloning the tickets.
Two problems with this:
They weren’t hackers. “Hackers” implies bad guys sitting in darkened rooms trying to find a way to defraud the system.
They were actually scientists at a German university, doing cryptography research — what some refer to as “white hats”. They did the right thing and told the card manufacturers (NXP) about the problem some six months before publishing their results:
In April 2011 the University of Bochum, Germany, informed NXP that their cryptographic research group, led by Professor Paar, had successfully attacked the MF3ICD40. The research group also informed us of their intent to publish the attack at the annual Workshop on Cryptographic Hardware and Embedded Systems (CHES), held September 28 to October 1 2011.
What some of the reporting also missed is that it’s not a simple task to perform the hack and clone a card. It requires some sophisticated (and expensive; apparently costing $3000 or more) equipment and many hours of processing. It’s highly unlikely that in the short term, anybody will do it “in the wild”.
It’s possible the technology will get cheaper and more available, of course… that’s the nature of tech. But it’s specialised equipment that doesn’t work quite along the lines of Moore’s Law — it’s hard to conceive that within the next few years, high-end oscilloscopes will be common or cheap.
And it’s worth noting here that the earlier version of the same card, “Mifare Classic”, used in some systems including (until recently) the Transport for London network (eg Oyster card) and Brisbane and elsewhere got hacked many years ago, but these networks have not been subject to widespread fraud. In fact, a quick search around the place shows reported instances of it are very difficult to find.
Of course, it’s probable that authorities would be reluctant to make such fraud public if the offenders are not caught. Still, it doesn’t seem that fraudulent cards are common.
Putting the boot in
Among those putting the boot into Myki was regular Myki-kicker David Heath, in another of his “comment-disguised-as-journalism” pieces for IT Wire:
Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.
…iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.
— IT Wire
Now I’m all for kicking Myki when it deserves it (heaven knows I’ve done it often enough myself). But surely anybody writing in IT must realise by now that it’s here to stay, that most of the people currently using it actually don’t mind using it, and that we’re way past the point of scrapping it and buying Oyster instead.
More importantly, a little research and rational thinking wouldn’t have gone astray here.
Firstly, you can’t load $1000 onto a Myki card. They have a limit of $999.
Secondly, it should be fairly obvious that any ticketing system with a little basic security will have safeguards against something like lots of copies of the same card being used around the system. As soon as the fraud was detected, that card number would be blocked for travel (as already happens when a card is reported lost or stolen).
Thirdly, who with a little common sense would buy a dodgy card for that amount of money? Would you even pay $100? $50? Would you buy one at all, knowing that the chances of it being detected and blocked, and worse (for you) that the ticketholder might well be caught and prosecuted? Would these theoretical criminals ever get their thousands of dollars of investment money back?
Surely punters aren’t that gullible. Hardcore fare evaders don’t use fake or cloned tickets. They jump barriers and dodge inspectors and other staff.
Hysteria aside, what’s the real situation?
ZDNet has some good coverage, which notes that in Myki’s favour (who’d have thought!) they didn’t actually skimp on the security:
Although this could have been a cost-cutting method, the TTA appears to have avoided cutting corners with respect to card security. There are four security measures that can be installed for the cards relating to key diversification, fraud detection, card blocking and card information binding. The TTA elected to include all four, pointing the issue further up the chain to the manufacturer.
Despite the cards being theoretically vulnerable, however, there isn’t a need to replace the cards as a matter of urgency. NXP stated that even if the lab equipment required to pull off the vulnerability is obtained, it could still take hours to days for the analysis of a card to be completed.
So yes, there’s a problem. But there’s no need to panic.
My take on it
Given the information available so far, it doesn’t seem to me to be necessary to go and recall the million cards issued and replace them all with the newer version straight away. The existing cards are rated for a life of four years, and that means that unless it is shown that this or another attack are actually practicable outside a laboratory it would make more sense to just replace them with the more secure version as they come up for renewal, eg from late-2012, rather than panic and rush out replacements now.
After all, rush into it now (at great effort and expense) and you might find in 12 months that another theoretical attack becomes apparent, and have to do it all again for no good reason.
From the sounds of it, this is what the TTA is doing; planning a migration rather than rushing new cards out. Unless there’s a more major problem we’re not hearing about, this seems to me to be a pretty reasonable course of action.
PS. Thursday: I’ve had it confirmed that there is checking for duplicate Myki cards, with found duplicates being blocked from use (not immediately, but pretty quickly after detection).
12 replies on “Myki “hacking”, and jumping at shadows – DON’T PANIC!”
Maybe I live in a different world, but who would put as much as $999 on a Myki card?
very good summation …
Nicely written Daniel
Unfortunately fear and panic sells in the media, measured reason doesn’t, just look at the carbon pricing debate.
A good analysis
A few months ago, I applied for a concession card, being a teritary student. Of course I signed up for a free concession Myki. Didn’t really care for it nor used it for a few months, until I got caught up with a jam with a Metcard machine at Hoppers Crossing station, It froze on me. The (part-time) station assistant managed help out a bit, (the assistant was wearing a badass longcoat, the only good thing to staff attire, VR MMTB, and Met’s uniforms win hands down, see Tram Conductor) So! I put $20 cash into the Myki machine, loaded it on the card, and on I went. Over time, I’ve realised that it was slowly increasing my fare each time I get off and on, on each trip, this includes a terminated train, in which I touched of at Laverton Station and went on an Tangerine replacement bus to Hoppers. I don’t trust this anymore. The experience, It was bad and good at the same time. It isn’t really the same as when you buy a ticket from a bus driver at 6.25 in the morning, you get that rush of energy from human interaction that a card does do. What I would like to see is paying and receiving a punch ticket from a person with a funny hat than from a machine.
I should say ‘that a card DOESN’T do’
Yep, I read the headline on The Age and thought, well that was bound to happen sooner or later. Once I’d gotten 3 paragraphs into the story I realised it was yet to happen despite the hysterical headline.
Then again.
ZOMG! Hackers! They’ve hacked my card details and they’re stealing my travels!!
!\/3 b33|\| p\/\/|\|3d!
How do I tell if I’ve got an *old* card or a new one? I haven’t seen any photos comparing them.
^There’s no such thing yet. I doubt myki have even got any of the new cards let alone rolled them out.
Devils advocate: Nobody knows for sure if the $999 limit is even real. And who’s going to top-up their card with that much money to find out :)
I’ve travelled on six trams in the past week, and felt like an eccentric. Why? Because as far as I could see I was the ONLY person who touched on or off. Neither did I see anyone putting a ticket through a machine, either.
Did our tram system go completely free and I just missed the news?
@Andrew, nobody would really put $999 on a Myki card, but the scenario is someone wanting to clone the cards and sell them.
@Steve, please refer to: http://www.danielbowen.com/2009/10/20/not-revalidate/
(Remember, you don’t need to touch-off on trams.)
@Steve, many of the people you see not validating on the tram may already have valid tickets that they choose not to put through the validators for whatever reason.
Here’s one reason. I’ve had more than one yearly Metcard that has given up the ghost several months short of the twelve months it is supposed to last. Even when stored carefully – and I always store mine in a cardboard sleeve in my wallet – all that sliding in and out of validators just seems to wear out the magnetic strip. And I know I’m not the only person this has happened to.
Once the magnetic strip wears out, it’s a right pain, because you need human intervention to get through railway barriers, and bus drivers have to read the expiry date on the ticket before they’ll let you on, which makes some of them rather irritated. It’s even more of a pain getting the defective Metcard replaced. (Tried that once; never again.)
So to try and prevent it wearing out too soon, some yearly cardholders who are heavy users of public transport simply skip the validation on trams, and validate it only at railway barriers and on buses. They are not evading the fare; the ticket is perfectly valid and already stamped with an expiry date. They simply choose not to add to its wear and tear unnecessarily.
I’m sure the authorities frown on this practice, but the way I see it, the onus is on them either to make more durable yearly Metcards (which they won’t bother doing now that Metcards are being phased out), or to train their staff better so that a person trying to replace a defective card doesn’t experience the giant hassle that I did on the one occasion I tried it, due to a staff member’s incompetence and lack of training.
Anecdotally, I’ve heard that some monthly Metcard holders take the same preventative measure, although it would come as a surprise to hear that a ticket actually failed to last even one month. My yearly Metcards that failed were heavily used, but they always lasted several months at least.
What I’d like to know is what sort of ticket Her Maj will be using when she takes a ride on a Melbourne tram this week. Hope she’s got coins for the ticket machine.