Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze 139
McGruber writes "Seven metro Atlanta residents are facing theft, fraud, and racketeering charges for allegedly selling counterfeit MARTA Breeze cards. Breeze cards are stored-value smart cards that passengers use as part of an automated fare collection system which the Metropolitan Atlanta Rapid Transit Authority introduced to the general public in October 2006. Breeze cards are supplied by Cubic Transportation Systems, an American company that provides automated fare collection equipment and services to the mass transit industry. At the time of this slashdot submission, the Wikipedia page for the Breeze Card (last modified on 2 August 2013 at 14:52) says: 'The Breeze Card uses the MIFARE smart-card system from Dutch company NXP Semiconductors, a spin-off from Philips. The disposable, single-use, cards are using on the MIFARE Ultralight while the multiple-use plastic cards are the MIFARE Classic cards. There have been many concerns about the security of the system, mainly caused by the poor encryption method used for the cards.'"
Re:Inevitable... (Score:4, Insightful)
Re:Inevitable... (Score:4, Insightful)
There is this thing called a "reasonable man" standard. If you run a business website, you're expected to run it behind a firewall, and have other security standards in place.
Otherwise, you end up like any one of those companies that get hacked. I had stated it incorrectly earlier - I do not mean to say criminals who hacked the system are not in the wrong. However, implementing shitting security is also wrong.
Just like a bank should have a reasonable security system, and the bank's vault should have something better than a $5 padlock. Bank robbers are wrong, but if a bank had only a $5 padlock on it, *THEY ARE WRONG TOO!*
WHY ARE YOU SO FORGIVING OF COMPANIES THAT IMPLEMENT SHITTY SECURITY OR PUTTING IN FAKE SECURITY?