Some people got just a little too hysterical last week when news of a security vulnerability in Myki came out.
The story broke on Monday, but it wasn’t until Wednesday that the mainstream media got hold of it, with the Melbourne Times running it first, spreading rapidly to The Age, AAP, 3AW and others — and along the way a good deal of misinformation came into play:
MORE than 1.1 million Myki cards are set to be phased out as hackers have found a method of cloning the tickets.
Two problems with this:
They weren’t hackers. “Hackers” implies bad guys sitting in darkened rooms trying to find a way to defraud the system.
They were actually scientists at a German university, doing cryptography research — what some refer to as “white hats”. They did the right thing and told the card manufacturers (NXP) about the problem some six months before publishing their results:
In April 2011 the University of Bochum, Germany, informed NXP that their cryptographic research group, led by Professor Paar, had successfully attacked the MF3ICD40. The research group also informed us of their intent to publish the attack at the annual Workshop on Cryptographic Hardware and Embedded Systems (CHES), held September 28 to October 1 2011.
What some of the reporting also missed is that it’s not a simple task to perform the hack and clone a card. It requires some sophisticated (and expensive; apparently costing $3000 or more) equipment and many hours of processing. It’s highly unlikely that in the short term, anybody will do it “in the wild”.
It’s possible the technology will get cheaper and more available, of course… that’s the nature of tech. But it’s specialised equipment that doesn’t work quite along the lines of Moore’s Law — it’s hard to conceive that within the next few years, high-end oscilloscopes will be common or cheap.
And it’s worth noting here that the earlier version of the same card, “Mifare Classic”, used in some systems including (until recently) the Transport for London network (eg Oyster card) and Brisbane and elsewhere got hacked many years ago, but these networks have not been subject to widespread fraud. In fact, a quick search around the place shows reported instances of it are very difficult to find.
Of course, it’s probable that authorities would be reluctant to make such fraud public if the offenders are not caught. Still, it doesn’t seem that fraudulent cards are common.
Putting the boot in
Among those putting the boot into Myki was regular Myki-kicker David Heath, in another of his “comment-disguised-as-journalism” pieces for IT Wire:
Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.
iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.
— IT Wire
Now I’m all for kicking Myki when it deserves it (heaven knows I’ve done it often enough myself). But surely anybody writing in IT must realise by now that it’s here to stay, that most of the people currently using it actually don’t mind using it, and that we’re way past the point of scrapping it and buying Oyster instead.
More importantly, a little research and rational thinking wouldn’t have gone astray here.
Firstly, you can’t load $1000 onto a Myki card. They have a limit of $999.
Secondly, it should be fairly obvious that any ticketing system with a little basic security will have safeguards against something like lots of copies of the same card being used around the system. As soon as the fraud was detected, that card number would be blocked for travel (as already happens when a card is reported lost or stolen).
Thirdly, who with a little common sense would buy a dodgy card for that amount of money? Would you even pay $100? $50? Would you buy one at all, knowing that the chances of it being detected and blocked, and worse (for you) that the ticketholder might well be caught and prosecuted? Would these theoretical criminals ever get their thousands of dollars of investment money back?
Surely punters aren’t that gullible. Hardcore fare evaders don’t use fake or cloned tickets. They jump barriers and dodge inspectors and other staff.
Hysteria aside, what’s the real situation?
ZDNet has some good coverage, which notes that in Myki’s favour (who’d have thought!) they didn’t actually skimp on the security:
Although this could have been a cost-cutting method, the TTA appears to have avoided cutting corners with respect to card security. There are four security measures that can be installed for the cards relating to key diversification, fraud detection, card blocking and card information binding. The TTA elected to include all four, pointing the issue further up the chain to the manufacturer.
Despite the cards being theoretically vulnerable, however, there isn’t a need to replace the cards as a matter of urgency. NXP stated that even if the lab equipment required to pull off the vulnerability is obtained, it could still take hours to days for the analysis of a card to be completed.
So yes, there’s a problem. But there’s no need to panic.
My take on it
Given the information available so far, it doesn’t seem to me to be necessary to go and recall the million cards issued and replace them all with the newer version straight away. The existing cards are rated for a life of four years, and that means that unless it is shown that this or another attack are actually practicable outside a laboratory it would make more sense to just replace them with the more secure version as they come up for renewal, eg from late-2012, rather than panic and rush out replacements now.
After all, rush into it now (at great effort and expense) and you might find in 12 months that another theoretical attack becomes apparent, and have to do it all again for no good reason.
From the sounds of it, this is what the TTA is doing; planning a migration rather than rushing new cards out. Unless there’s a more major problem we’re not hearing about, this seems to me to be a pretty reasonable course of action.
PS. Thursday: I’ve had it confirmed that there is checking for duplicate Myki cards, with found duplicates being blocked from use (not immediately, but pretty quickly after detection).