
Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze

Posted by timothy
from the but-you're-still-in-atlanta dept.
McGruber writes "Seven metro Atlanta residents are facing theft, fraud, and racketeering charges for allegedly selling counterfeit MARTA Breeze cards. Breeze cards are stored-value smart cards that passengers use as part of an automated fare collection system which the Metropolitan Atlanta Rapid Transit Authority introduced to the general public in October 2006. Breeze cards are supplied by Cubic Transportation Systems, an American company that provides automated fare collection equipment and services to the mass transit industry. At the time of this Slashdot submission, the Wikipedia page for the Breeze Card (last modified on 2 August 2013 at 14:52) says: 'The Breeze Card uses the MIFARE smart-card system from Dutch company NXP Semiconductors, a spin-off from Philips. The disposable, single-use, cards are using on the MIFARE Ultralight while the multiple-use plastic cards are the MIFARE Classic cards. There have been many concerns about the security of the system, mainly caused by the poor encryption method used for the cards.'"

  • Re:Inevitable... (Score:4, Insightful)

    by Shuntros (1059306) on Sunday December 29, 2013 @02:19PM (#45812647)
    Well thanks Anonymous Coward (Latin: buffoonus maximus), but that's a bit of a tenuous jump. I don't even use public transport, I'm just a guy who does a bit of NFC engineering for the day job and knows the difference between the wrong way to do it and the way I do it. The token security is weak, certainly, but it's easy to protect against with some very low-overhead crypto.
  • Re:Inevitable... (Score:4, Insightful)

    by the_B0fh (208483) on Sunday December 29, 2013 @07:45PM (#45814487) Homepage

    There is this thing called a "reasonable man" standard. If you run a business website, you're expected to run it behind a firewall, and have other security standards in place.

    Otherwise, you end up like any one of those companies that get hacked. I had stated it incorrectly earlier - I do not mean to say criminals who hacked the system are not in the wrong. However, implementing shitty security is also wrong.

    Just like a bank should have a reasonable security system, and the bank's vault should have something better than a $5 padlock. Bank robbers are wrong, but if a bank had only a $5 padlock on it, *THEY ARE WRONG TOO!*

    WHY ARE YOU SO FORGIVING OF COMPANIES THAT IMPLEMENT SHITTY SECURITY OR PUTTING IN FAKE SECURITY?
