Security is hard, let's go shopping.

Apr 04, 2008 11:02

The papers in Melbourne this week are abuzz with the departure of Victoria's highest-paid public servant.
But Vivian Miners, who was paid over $500K p.a. to manage the Transport Ticketing Authority and oversaw the extremely controversial $1 billion myki smart card ticketing replacement tender (now three years late), may have come unstuck for other reasons.

Why is the introduction of this system still years away[1] when contact readers are being rolled out to train stations already? Because the system as designed has already been cracked wide open.

The myki system is being implemented by a consortium named Kamco. The partner responsible for the contactless smartcards, or RFID tokens, is Giesecke & Devrient Australasia. The vendor that supplies these cards is Philips/NXP and the cards are called MIFARE[2]. And MIFARE has been cracked wide open.

How open is open? How about "Dutch $2B Transit card hacked before it's deployed"[3] or "London Tube Smartcard Cracked"[4]? We've seen this story before. The system is selected based on proprietary vendor cryptography (CRYPTO1) because it's less expensive than standards-based crypto (Philips/NXP MIFARE has both Triple DES and AES based products, but at 3 times the cost). The proprietary crypto is then shown to have more holes than Swiss cheese.

So if it's a choice between deploying a system that is trivial to defraud because you chose the cheaper but less secure option, and falling on your sword, it's not that hard a choice.

The market for security is still the poster child for the "Market for Lemons".

[1] http://www.theage.com.au/news/national/myki-group-may-be-hit-with-millions-in-fines/2008/04/03/1206851106588.html
[2] http://www.gdaus.com.au/transit.html
[3] http://www.schneier.com/blog/archives/2008/01/dutch_rfid_tran.html
[4] http://www.schneier.com/blog/archives/2008/03/london_tube_sma.html

adminspotting, media, wtf, rants, geek
