Myki “hacking”, and jumping at shadows – DON’T PANIC!

Some people got just a little too hysterical last week when news of a security vulnerability in Myki came out.

Wrong MykiThe story broke on Monday, but it wasn’t until Wednesday that the mainstream media got hold of it, with the Melbourne Times running it first, spreading rapidly to The Age, AAP, 3AW and others — and along the way a good deal of misinformation came into play:

MORE than 1.1 million Myki cards are set to be phased out as hackers have found a method of cloning the tickets.

Melbourne Times

Two problems with this:

They weren’t hackers. “Hackers” implies bad guys sitting in darkened rooms trying to find a way to defraud the system.

They were actually scientists at a German university, doing cryptography research — what some refer to as “white hats”. They did the right thing and told the card manufacturers (NXP) about the problem some six months before publishing their results:

In April 2011 the University of Bochum, Germany, informed NXP that their cryptographic research group, led by Professor Paar, had successfully attacked the MF3ICD40. The research group also informed us of their intent to publish the attack at the annual Workshop on Cryptographic Hardware and Embedded Systems (CHES), held September 28 to October 1 2011.

NXP Semiconductors

What some of the reporting also missed is that it’s not a simple task to perform the hack and clone a card. It requires some sophisticated (and expensive; apparently costing $3000 or more) equipment and many hours of processing. It’s highly unlikely that in the short term, anybody will do it “in the wild”.

It’s possible the technology will get cheaper and more available, of course… that’s the nature of tech. But it’s specialised equipment that doesn’t work quite along the lines of Moore’s Law — it’s hard to conceive that within the next few years, high-end oscilloscopes will be common or cheap.

And it’s worth noting here that the earlier version of the same card, “Mifare Classic”, used in some systems including (until recently) the Transport for London network (eg Oyster card) and Brisbane and elsewhere got hacked many years ago, but these networks have not been subject to widespread fraud. In fact, a quick search around the place shows reported instances of it are very difficult to find.

Of course, it’s probable that authorities would be reluctant to make such fraud public if the offenders are not caught. Still, it doesn’t seem that fraudulent cards are common.

Putting the boot in

Among those putting the boot into Myki was regular Myki-kicker David Heath, in another of his “comment-disguised-as-journalism” pieces for IT Wire:

Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.

iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.

IT Wire

Oyster in MelbourneNow I’m all for kicking Myki when it deserves it (heaven knows I’ve done it often enough myself). But surely anybody writing in IT must realise by now that it’s here to stay, that most of the people currently using it actually don’t mind using it, and that we’re way past the point of scrapping it and buying Oyster instead.

More importantly, a little research and rational thinking wouldn’t have gone astray here.

Firstly, you can’t load $1000 onto a Myki card. They have a limit of $999.

Secondly, it should be fairly obvious that any ticketing system with a little basic security will have safeguards against something like lots of copies of the same card being used around the system. As soon as the fraud was detected, that card number would be blocked for travel (as already happens when a card is reported lost or stolen).

Thirdly, who with a little common sense would buy a dodgy card for that amount of money? Would you even pay $100? $50? Would you buy one at all, knowing that the chances of it being detected and blocked, and worse (for you) that the ticketholder might well be caught and prosecuted? Would these theoretical criminals ever get their thousands of dollars of investment money back?

Surely punters aren’t that gullible. Hardcore fare evaders don’t use fake or cloned tickets. They jump barriers and dodge inspectors and other staff.

Hysteria aside, what’s the real situation?

ZDNet has some good coverage, which notes that in Myki’s favour (who’d have thought!) they didn’t actually skimp on the security:

Although this could have been a cost-cutting method, the TTA appears to have avoided cutting corners with respect to card security. There are four security measures that can be installed for the cards relating to key diversification, fraud detection, card blocking and card information binding. The TTA elected to include all four, pointing the issue further up the chain to the manufacturer.

Despite the cards being theoretically vulnerable, however, there isn’t a need to replace the cards as a matter of urgency. NXP stated that even if the lab equipment required to pull off the vulnerability is obtained, it could still take hours to days for the analysis of a card to be completed.

ZD Net: Myki gets upgrade as vulnerability emerges

So yes, there’s a problem. But there’s no need to panic.

My take on it

Given the information available so far, it doesn’t seem to me to be necessary to go and recall the million cards issued and replace them all with the newer version straight away. The existing cards are rated for a life of four years, and that means that unless it is shown that this or another attack are actually practicable outside a laboratory it would make more sense to just replace them with the more secure version as they come up for renewal, eg from late-2012, rather than panic and rush out replacements now.

After all, rush into it now (at great effort and expense) and you might find in 12 months that another theoretical attack becomes apparent, and have to do it all again for no good reason.

From the sounds of it, this is what the TTA is doing; planning a migration rather than rushing new cards out. Unless there’s a more major problem we’re not hearing about, this seems to me to be a pretty reasonable course of action.

PS. Thursday: I’ve had it confirmed that there is checking for duplicate Myki cards, with found duplicates being blocked from use (not immediately, but pretty quickly after detection).

Armed guards at stations

The debate around armed Protective Service Officers on stations is heating up.

The Police Association, the Rail, Tram and Bus Union and the Public Transport Users Association want a high-level meeting to develop the best way of tackling crime and safety problems.

Support for the armed guard plan is evaporating.

There now appears to be no organisation other than the Government that supports the proposal.

Herald Sun: Fears mount on guard plan

Armed guards on stations at night is one of those things that at first glance sounds like a good idea. Stations at night are scary places. Crime probably happens. Guards would make it safe.

But the more you look at it, the more problematic the plan appears to be. Stations at night sometimes look scary, but that’s most often because the lighting can be poor, the building design has nooks and crannies and concealed spaces, and many stations have no staff (at any time of day). It doesn’t mean they’re all a cesspit of crime.

For me the clincher was a PTUA study of assault statistics for the whole of 2009. The key findings were:

  • 45% of reported assaults occur at just ten stations: Flinders St, Dandenong, Broadmeadows, Footscray, St Albans, Ringwood, Bayswater, Frankston, Southern Cross, and Thomastown.
  • About half the assaults occurred before 6pm when the PSOs would be on duty. (186 daytime, 199 at night)
  • For the year there were 385 assaults reported at 85 stations, with 116 stations (eg most of the network) having no reported assaults at all.

Other issues that have come up include whether the officers will have toilet facilities (6pm to 2am is a long shift); where would the guns be stored; would they have jurisdiction in neighbouring areas such as bus interchanges; and would they be able to board a train if there’s trouble occurring?

As John Silvester wrote in a superb the Age on Saturday, the numbers don’t stack up. You’ll have 940 armed officers in a bid to prevent 199 assaults per year, and 232 of those officers at the 116 stations where nothing ever happens would be twiddling their thumbs.

I reckon you’d get a better result in terms of crime prevention by putting them on every CBD corner all night every night.

Instead, what about staffing every station from first to last train (you know, with people who can actually tell you which train you have to catch, help you with the ticket machines, and may deter some incidents, or be able to call for assistance for others), with fulltime police at those hotspots that do have genuine safety problems, and enough resources for regular police to quickly attend where needed?

I reckon that’d probably cost less, and be a better result for train passengers.

I should note that from what I’ve seen around the courts and Parliament, the PSOs do a good job. But that doesn’t mean putting two of them on every single station after 6pm is a good idea.

Update Thursday 13/4/2011: Premier Ted Baillieu has an interesting opinion piece in today’s Herald Sun. The article is well worth a read — he makes some good points about the training and professionalism of PSOs. But he doesn’t address the issues around the planned railway station deployment — that at hotspot stations, much crime occurs before they would be on duty, and that at quiet stations, they would have nothing to do.