London public transport tap-cash plans will be 'entirely safe'

Fraudsters will not be able to extract confidential information from a person's contactless bank card or other compatible technology as the type of data held on such cards will be restricted, Will Judge, head of future ticketing at Transport for London (TfL) has said. Giving evidence to the London assembly transport committee …

COMMENTS

This topic is closed for new posts.
  1. Richard Harris
    Facepalm

    Awww blesss

    I see the naive "hands over the ears, eyes closed, chanting 'La La La' repeatedly, while thinking all is well, nothing bad will happen" method of security is alive and flourishing.

    1. Anonymous Coward
      Anonymous Coward

      There can be no more terrifying words in technology than

      'entirely safe'

      Because you know the people who said it have know idea what they're talking about.

      1. gtropx
        FAIL

        There can be no point reading posts on internet forums...

        Because you know the people posting them cannot spell.

  2. Anonymous Coward
    Anonymous Coward

    Convenient declaration from a conveniently-named man.

    Though he does deserve ridicule for the "100% security" claim. Nobody who actually understands security dares honestly claim any such thing. So either he's clueless or he's dishonest.

    Though this system appears to be a grade better than the (newer!) system about to be deployed nationwide over in the Netherlands, so it might well prove a shade more resistant to attack, but even so such declarations also amount to a challenge. If the card itself doesn't contain all the info needed to conduct transactions, then how will the original card work? Let's see if the things aren't functionally clonable anyway, or whether you can proxy payments, or fake upping the balance on a card, whatnot. It'll be interesting to see what people with less conviction in the system's infallibility will manage to come up with.

    1. Aitor 1
      Mushroom

      Card

      The card DOES contain all the data, but it is encrypted inside it.

      The card will (in theory) only reply to a challenge, and each time the card will get a different challenge that only that card (because of the shared key) will be able to reply.

      The theory is that the card will never release the key.. only the correct answers.

      Of course, you can always sit near your victim in a restaurant and flood his cards with requests... and "harvest" his cards for an hour.. and know a huge pile of correct answers. And then steal his car.. that is how Beckham got his car stolen some 500m (about 600 yd for you;) ) from where I sit right now.

      1. Anonymous Coward
        Anonymous Coward

        my oyster

        My oyster barely works when you press it against the reader, I'm not so worried about a guy the other side of the room, or even sat next to me on the underground.

      2. Anonymous Coward
        Anonymous Coward

        @Aitor1

        You'd have to sit pretty close to harvest in the manner you describe because NFC only works over about 10-20cm if you /really/ ramp it up.

        Also Beckham's car is hardly comparable, it's an entirely different system to NFC bank cards, that's like saying I broke into a Windows machine, so Linux must be insecure.

  3. Anonymous Coward
    Coat

    "Only bankers can take money from your card, not crooks"

    Wait, what, there is a difference?

    No coat, yes despite the weather. It got mortgaged.

    1. Anonymous Coward
      Meh

      So, when the money/data goes missing or gets stolen...

      You'll have exactly the same defense now as you have with debit or credit cards. Er, none....

      "It must be your fault sir/madam. We've told you, our systems are infallible. Now go away.... while we tell the same story to the other 100 people waiting behind you..."

      1. Anonymous Coward
        Anonymous Coward

        @AC 1113

        Please will you and everyone else who keeps bringing this up stop it.

        It's been written into law for something like two years now that the banks have the burden of proof and that the customer is considered a victim, until proven that they gave their data away/took out their own cash and reported it stolen. It's also worth noting that a pin auth'd transaction doesn't count as proof because it could have been shoulder surfed.

        1. Starkadder
          Holmes

          What law

          This is news to me, what is the law? Is it applicable internationally?

    2. Anonymous Coward
      Anonymous Coward

      Yes, I nearly needed a new keyboard when I saw the subheading!

  4. Aitor 1

    Plain lie

    They think we are plain stupid.

    If you can pay with a contactless card, then you can wirelessly also duplicate the card.

    I do know that most of these cards are "challenge" based, but remember that the oyster card had known vulnerabilities.. and a man-in-the-middle attack could happen.

    1. Anonymous Coward
      FAIL

      Duplicate?

      No, your understanding of the way challenge/response systems function is deeply flawed.

      Please make an effort to understand the subject before applying fingers to keyboard.

    2. Anonymous Coward
      Anonymous Coward

      @Aitor1

      Oyster and NFC bank cards are a different technology, they just don't work in the same way at all.

  5. JimC

    I dunno, all spin...why can't people tell the truth...

    In a less spin crazy world you'd hope people would have the guts to stand up and say

    "of course it's not 100% safe, nothing is. But over 5,000 people a year have their pockets picked on London Underground every year, so our best reckoning at the moment is that it's no more unsafe than cash".

    I dunno, maybe I'm getting too old...

    1. Just Thinking

      Because...

      If it is 100% safe, the first poor sods who get ripped off *must* be lying, because it's 100% safe. Even if they buy two tickets at exactly the same time in two different stations, that must have been what actually happened, because it's 100% safe, so there is no other explanation.

      Remember when ATMs were offline, so your PIN was on the mag strip in plain text, and crooks could read it off a stolen card with a cassette recorder? Took ages for the banks to admit it.

      1. Anonymous Coward
        Anonymous Coward

        @Just thinking

        What? Rubbish.

        A card can be created so that it can be used without PIN verification, but the PIN was never encoded on the magstripe.

        1. Just Thinking

          Are you sure?

          Going back a while, mid 80s when there was only one ATM in the whole of Milton Keynes, and AFAIK they were not connected to anything so they had to verify the PIN without phoning home. I seem to remember reading about a scam which involved reading the stripe with a cassette recorder, and retrieving enough info to clone and use it.

          Wasn't there a case of the same card being used in two far apart cities at more or less the same time, with the bank still insisting that their system was unbreakable?

          1. Anonymous Coward
            Anonymous Coward

            Yes, I'm sure...

            You can't create a magstripe with a tape recorder, I have heard that one, but considering you've always been able to buy (albeit not always as easily as it is now) magnetic card writers, why would you even try? The alignment of the tracks is different to that of a tape recorder's write head and IIRC there is also a strobe track to align everything up.

            As I mentioned, magstripe cards can authorise their use in a cash machine without a pin verification (ie: It's offline) I'm not sure if this was used, but it's certainly possible.

            It would be very unusual to put an ATM into a location without it being linked up by a leased line. This was one of the reasons that they used to always be in a bank's wall, as there was already a leased line there.

            Yes, there were cases of cards being used in cities far apart and the banks involved didn't exactly cover themselves with glory over that, this is really before card cloning was known. This sort of thing doesn't happen any more.

            A chip and pin card does store the pin and has a much more sophisticated method of allowing (or not) authorisation if no online transaction verification is available. (It boils down to: If you're rich you get to buy stuff, if you're poor or in and out of overdraft you don't.)

  6. mark 63 Silver badge
    FAIL

    100% secure? Gosh, I'm impressed

    "You cannot extract enough information from a card to spend someone else's money," he stressed.

    How can you spend your own money then? At the very least someone could grab whatever information IS available, put it on a blank RFID chip and use it for free London transport.

    1. Anonymous Coward
      Boffin

      Nope...

      Because the card (which is more than an RFID chip, but contains secure storage and processor including cryptographic accelerators) contains information on it (keys) which it will never disclose. It uses the keys to encrypt data provided by both the card and the terminal. That data (along with some other static data) IS disclosed to the reader, which then sends it to the bank for verification. Effectively, the returned data is a one-time password that the bank can re-create to check that it was generated by the real card.

      Without the keys (i.e. somehow 'put it on a blank RFID chip'), the bank will just see the same 'one-time-password' popping up (and rejecting the transaction). If wrong keys are used, then the bank won't verify the 'one time password' (and reject the transaction).

      Yes, this all depends on the cards not disclosing their private keys. This is one of the main focus for security evaluations of cards and operating systems on cards involving lasers, x-rays and other interesting kit to attempt to extract keys from these cards. And whilst as people have said, security can never be 100% - to even begin to attempt to get keys out of cards required physical access to the card, removing the chip from the plastic card itself, stripping the top off the chip before being attacked by some very very expensive kit. It's by a guy standing next to you on the tube whilst the card remains in your pocket!
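
The exchange described in the comment above, as an added example that is not part of the original thread: a card holding a secret key answers a terminal challenge with a one-time cryptogram, and the issuing bank recomputes it. HMAC-SHA256, the message layout, the class names and the card number are assumptions made for illustration, not the algorithm real bank cards use.

```python
import hashlib
import hmac
import secrets

PAN = "0000000000000000"  # constructed card number, not a real one


def cryptogram(key, pan, counter, challenge, amount_pence):
    """MAC over static card data, the card's counter and the terminal's data.
    HMAC-SHA256 is a stand-in for the card's real algorithm (assumption)."""
    msg = b"|".join([pan.encode(), counter.to_bytes(2, "big"),
                     challenge, amount_pence.to_bytes(4, "big")])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Hypothetical card: the key is used internally and never returned."""

    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def respond(self, challenge, amount_pence):
        self._counter += 1  # a fresh counter makes every answer single-use
        return {"pan": self.pan, "counter": self._counter,
                "challenge": challenge, "amount": amount_pence,
                "mac": cryptogram(self._key, self.pan, self._counter,
                                  challenge, amount_pence)}


class Issuer:
    """Hypothetical bank back end that shares each card's key."""

    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enrol(self, pan, key):
        self._keys[pan] = key

    def authorise(self, m):
        key = self._keys.get(m["pan"])
        if key is None:
            return "rejected: unknown card"
        expected = cryptogram(key, m["pan"], m["counter"],
                              m["challenge"], m["amount"])
        if not hmac.compare_digest(expected, m["mac"]):
            return "rejected: bad cryptogram"
        if m["counter"] <= self._last_counter.get(m["pan"], 0):
            return "rejected: replayed counter"
        self._last_counter[m["pan"]] = m["counter"]
        return "approved"


def demo():
    issuer, key = Issuer(), secrets.token_bytes(16)
    issuer.enrol(PAN, key)
    genuine = Card(PAN, key).respond(secrets.token_bytes(4), 250)
    copy_without_key = Card(PAN, secrets.token_bytes(16))  # static data only
    return {
        "genuine": issuer.authorise(genuine),
        "replay": issuer.authorise(dict(genuine)),  # same answer seen twice
        "wrong_key": issuer.authorise(
            copy_without_key.respond(secrets.token_bytes(4), 250)),
        "tampered": issuer.authorise(dict(genuine, amount=9999)),
    }


if __name__ == "__main__":
    print(demo())
```
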

    2. Anonymous Coward
      Anonymous Coward

      @mark 63

      I see that you don't know enough about the subject to understand the fact that you don't know enough about it to comment.

      You may want to reconsider the use of the particular icon you've used in future.

      1. mark 63 Silver badge

        a fair cop

        Fair enough, I know now a little more after reading the post above yours.

        I shall direct that icon shamefacedly at myself!

        1. Anonymous Coward
          Anonymous Coward

          @Marc

          Lol... Sorry if I was a bit harsh...

  7. Christoph
    FAIL

    External Security Audit?

    So the bloke from Transport for London reckons it's 100% safe.

    Mandy Rice Davies applies - he would say that, wouldn't he.

    But does Ross Anderson reckon it's reasonably secure? Have they even asked him to have a look at it? And if not, WHY NOT?

    1. Anonymous Coward
      Anonymous Coward

      I'll save you the effort

      Ross Anderson will say something along the lines of "It's totally broken, we've had people writing to us about it, we've even proven that it doesn't work".

      He will also miss out the bits about the proof being limited to a very specific lab environment and that the people complaining to them are not necessarily the most reliable.

      That said, should I end up with fraudulent transactions on my card and a bank not refunding it, I'd probably go to Ross because he is good at what he does, he just tends to oversell it a bit to publicise him/his department.

  8. This post has been deleted by its author

    1. Version 1.0 Silver badge
      Devil

      Your information is safe

      It's all encoded (ROT-13 I think) so the government will not be able to read it - only hackers will have privileges necessary to extract the information.

  9. Anonymous Coward
    Headmaster

    "You cannot extract enough information from a card to spend someone else's money," he stressed.

    So how are they planning to charge me my tube fare, then?

  10. Anonymous Coward
    Trollface

    Time, I think...

    ...to go shopping for that faraday cage-lined wallet...

  11. Zygote
    Mushroom

    "100 per cent safe"

    Sounds like famous last words, to me.

    1. Anonymous Coward
      Anonymous Coward

      You have no sense of adventure...or fun

      Rather, you should think of it as ill-advised, regretted and oh-so-unretractable first words.

  12. Anonymous Coward
    FAIL

    It isn't about being more secure.

    It never has been. The whole point of this isn't even convenience.

    There is only one reason that actually explains and justifies their existence (not for us, the consumer, but for the financial institutions implementing these), and that is the increased shift in liability.

    We all know that using signature to validate cards wasn't ever that great, assuming shop assistants ever checked them in the first place, which they generally didn't/don't.

    So the banks introduced Chip and PIN, which is 'more secure' but at the same time it puts less of the liability on them if there is a case of fraudulent use.

    With this, how the hell do you prove that you didn't use your card? Answer: you can't. You can't prove you didn't use your card with Chip & PIN, but at least there you had to physically insert something into a reader and enter something. Getting a PIN requires either doctoring the pad, or observation of the user - and you still need the chip's details.

    This is contactless, which means that accessing the data doesn't require putting it in a reader, meaning skimming is going to be an issue - you don't have to doctor anything, you just have to have a standalone reader unit in your hand and boom.

    As it happens, my other half paid for some stuff in a Londis near here and they have a contactless terminal (and she, unfortunately, has a contactless card from LTSB) - and that authorised a £7.50 transaction without asking for any details... she promptly said she wasn't going in there again, and I swear I hadn't done anything to convince her how iffy the whole idea was...

    1. Anonymous Coward
      Stop

      With this, how the hell do you prove that you didn't use your card?

      Outside the UK, you need PIN *and* a signature. If the transaction is disputed, then they check the signature on the strip.

    2. Anonymous Coward
      Anonymous Coward

      Re: Proof

      The burden is on the bank, not the customer, that's the law. The bank can't use a pin auth as proof.

  13. John Burton

    My fear...

    My fear with this isn't someone cloning the card or something like that, it's someone using a legitimate card reader to charge me without me knowing. It's the fact that you don't have to actively "make" the payment or authorize it that scares me.

    1. Just Thinking

      CNP?

      Firstly due to transactions being limited to small amounts, a rogue merchant would have to defraud a lot of people to make a living, and would get caught within a week. Hopefully the banks do actually know who the merchants are?

      A corner shop could extract the odd unauthorised payment and hope nobody noticed, but that's a lot of risk for little reward.

      But shouldn't Card Not Present rules apply here - if the customer says the transaction didn't happen, the bank essentially believes them (unless they do it too often)?

      1. Anonymous Coward
        Anonymous Coward

        How many targets?

        Yes, if you were skimming £1 a time, you would need to hit a lot of people to make it worthwhile but when you have a few million targets this is a bit more of a possibility.

        How would they get caught?

        Only if people noticed the transactions, were aware they were fraudulent and could prove that this was the case. It may be considered by some people that it's worth the risk to get a lot of small payments and hope that people don't notice them...

        Not for me personally, but then criminals have a different risk / reward assessment.

    2. Version 1.0 Silver badge
      Devil

      Buskers

      So I stand there playing my music as everyone walks by and my laptop deducts 10p from everyone with a card ... nobody's going to follow that up - I love a steady income stream - 500 quid a day + tips in central London.

      It's just a matter of time...

      1. Just Thinking

        You're serious?

        I think if you scammed 10p each off 5000 people a day, some of them would notice. And most people aren't going to ignore a dodgy transaction just because it is a small amount - they would be worried in case it is much more next month.

        I'm not saying nobody would be stupid enough to try, but they wouldn't get away with it very long.

    3. Anonymous Coward
      Anonymous Coward

      Just think...

      If you have a merchant machine, you have to have a merchant account for the money to go into. If you have an account, the bank has your name and address to send the rozzers to.

  14. Anonymous Coward
    Anonymous Coward

    100% certain?

    Is he an idiot or lying?

    Either way, no way!

  15. Anonymous Coward
    Anonymous Coward

    Do you need the person's details?

    One thing just came to mind and is probably a load of unworkable tosh but hear me out:

    PIN-less transactions for under £10-£15 are now becoming more available. Some places, like restaurants, use wireless terminals so they can serve people at their tables. What's to stop someone walking around the street with a wireless terminal prepped with a £10 transaction brushing past people in the street?

    1. Anonymous Coward
      Anonymous Coward

      THINK!!!

      The fact that they would have to have a merchant account at a bank and that the bank would know who they were.

      1. Anonymous Coward
        Anonymous Coward

        The same could be said for a lot of credit card fraud.

        It still happens.

        Also, if somebody was skimming £1.99* off every 10th passer by, how many would actually notice, how many would notice and complain, and how many would complain enough to get the amount refunded?

        I suspect that somebody could get away with doing that for quite a long time.

        The real question is whether someone could do it for long enough for it to be worthwhile, but it's certainly plausible - I suspect that the first thing a bank would do is ask the trader to be more careful, which is a nice big 'heads up, you're being spotted' to the attacker.

        *Or some other 'pretty common' transaction amount.

  16. xyz Silver badge
    Big Brother

    I hate to be the paranoid one, but...

    ...apart from the obvious "I'll get a reader and stand in a crowded tube to make a fortune" option, it'll only be a matter of time before your bank gains an advertising arm to provide targeted advertising as you wander about the streets a la "Minority Report" but without the eyeball bit.

    Oh and I suppose for our "comfort and security" the police will be able to track us within an inch or two of our lives rather than the "near enough" mobile network.

    Mind you it'll stop rioting...try legging it out of JD sports with an armful of trainers without paying!

  17. Anonymous Coward 99
    Thumb Down

    Contactless pickpocketing?

    Bet I can stand less than 20cm away from someone's pocket at rush hour....

    Can I either have a card that makes a loud sound when being read or a wallet that is screened until I open the flap?

    And if they bring in "free-flow Walk-through" systems, then I definitely DON'T want my cash linked to the same card.

    1. Anonymous Coward
      Anonymous Coward

      Err...

      In order to get access to a chip and pin machine, you have to have a merchant account. In order to get a merchant account you need to explain to the bank why you want it. What do you think they'll say when you say your business model is pickpocketing.

  18. Coofer Cat
    Alert

    TFL lies - they do pass on your personal data *without a warrant*

    Verma said: "TfL never sells personal data, we don't share or sell personal data unless required by law."

    Lies! I FoIA'd TFL a few years ago and asked about this. All the police have to do is ask for travel details and they get them - no warrant required (back then, they'd been asked something like 246 times, and only once had they refused). Last time I checked, just because a policeman asks you for something doesn't make his request "required by law".

  19. Dan 55 Silver badge
    Coat

    @Anonymous Coward 11:26

    "Because the card [...] contains information on it (keys) which it will never disclose."

    And following best security practice I'm pretty sure there's a backup of said private keys safely stored on a USB memory stick in PKCS format without password protection going round the Circle line.

  20. Mike Flex

    >>With this, how the hell do you prove that you didn't use your card?

    >outside the UK, you need PIN *and* a signature.

    Not IME. In the US no-one wanted a PIN and some places didn't need a signature (just a swipe of the card).

    France/Belgium/Italy just need a PIN, as in the UK.
