The Green Sheet, Inc
The Green Sheet Online Edition

September 22, 2008  •  Issue 08:09:02


CharlieCard gets charley horse

Editor's Note: This story is reprinted from SellingPrepaid E-Magazine at www.sellingprepaid.com.

The legal case that pitted smart card security researchers against a big-city transit authority came to an unsettled conclusion recently. On Aug. 19, 2008, a federal judge lifted a gag order that had prevented three Massachusetts Institute of Technology undergraduates from revealing security vulnerabilities in Boston's CharlieCard and CharlieTicket electronic transit fare systems.

By lifting the temporary restraining order, the U.S. District Court of Massachusetts allowed the three MIT students to freely discuss security weaknesses they reportedly exposed in the stored-value CharlieCard and CharlieTicket systems managed by the Massachusetts Bay Transit Authority.

In the case of the CharlieCard, the weakness involved the ease with which the students were presumably able to hack the radio frequency identification (RFID) chip embedded in the transit card.

The three students had planned to reveal their findings on Aug. 10, 2008. According to the MBTA's lawsuit, it found out about this on July 30, 2008. Representatives of the MBTA, the students, and the students' research advisor, MIT professor Dr. Ron Rivest, met on Aug. 4 to discuss the upcoming presentation.

At odds

According to the students' legal counsel, the San Francisco-based nonprofit legal organization Electronic Frontier Foundation, the students made it clear to the MBTA that they would not reveal technical details that would enable others to use their research to exploit flaws in the MBTA's systems.

However, in a statement, the MBTA asserted, "MIT staff and the students agreed to provide the MBTA with a copy of the presentation and other information they claimed to possess. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday."

That Friday, Aug. 8, the MBTA filed its lawsuit. Invoking the Computer Fraud and Abuse Act, which puts restrictions on disclosure of information that might enable others to violate the law, the MBTA argued that the MIT students' claims, if true, would "significantly compromise the CharlieCard and CharlieTicket systems." The CharlieCard, implemented in January 2007, has become the preferred fare medium for MBTA mass transit users, generating approximately $475,000 every weekday, the lawsuit said.

In addition to the lawsuit, the MBTA was granted a temporary restraining order that prohibited the students' presentation. Although Hofmann said the presentation's information was already available on the Internet, the students decided against giving the talk.

Closing the barn door

One vulnerability the students would have discussed involved the MiFare Classic RFID chip, which was developed by NXP Semiconductors of The Netherlands and reportedly embedded in CharlieCards. This embedded chip enables the card to be waved at POS terminals rather than swiped.

In December 2007, researchers revealed how to hack into the MiFare chip and crack its security encryption. Fraudsters could then hypothetically clone that security code onto other RFID chips, embed those chips on blank cards and sell them on the black market.

According to Karsten Nohl, a graduate student at the University of Virginia, the MBTA had known about the security flaw at least since early March 2008 when a story on the system vulnerability ran in The Boston Globe.

"If [MBTA] had started working on an upgrade to their systems in February or March when everybody in Boston was talking about it for a few days, then they would have something ready now," Nohl said.

Wet blanket

Nohl said the suit "completely disrupts the trust that has been built between researchers and industry if any progress has been made toward what we call responsible disclosure - for example, informing on MBTA's security problems beforehand and then giving them time to respond.

"Well, that's not going to happen anymore if the only response you'll get is a lawsuit that prevents you from doing further research."

Hofmann added that researchers need to be able to freely point out vulnerabilities in systems; otherwise the flaws won't get fixed.

Nohl sees another negative aspect. The lawsuit "attracts attention to the wrong side of the problem," he said. Instead of focusing on a solution to the security weakness, the lawsuit focuses attention on the weakness itself.

Time running out

Although the EFF was successful in getting the gag order lifted, the nonprofit said the MBTA's lawsuit against the students continues.

According to the EFF, the students have voluntarily provided a 30-page security analysis to the MBTA regarding the supposed vulnerabilities in Boston's electronic ticketing systems. EFF claims the students have offered to personally consult with the MBTA on the security flaws and how to fix them. Nohl said that regardless of how the MBTA lawsuit plays out, the security vulnerabilities will be published at a security conference in Spain in October 2008.

"And probably MBTA hasn't made the connection yet," Nohl added. "The most time they can ever buy themselves [to fix the vulnerabilities] is until October."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
