By kdawson on no-pearls-in-sight

Barence sends along PcPro coverage of the second crash of London’s Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. “There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only,” explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.

In Technology

A Dutch judge rules that details of how to copy Oyster cards can be published.

Looks like lousy cryptography.

Details here. When will people learn not to invent their own crypto?

Note that this is the same card — maybe a different version — that was used in the Dutch transit system, and was hacked back in January. There’s another hack of that system (press release here, and a video demo), and many companies — and government agencies — are scrambling in the wake of all these revelations.

We guess around two million access control cards are in use in the Netherlands, worldwide we assume two billion.

By schneier

The Dutch RFID public transit card, which has already cost the government $2B — no, that’s not a typo — has been hacked even before it has been deployed.

A lot depends on how the Oyster system is designed. It may be that the MIFARE cards are flawed but the system remains secure, or mostly secure.

No doubt, people are already investigating it.