From: Information Security <guy@panix.com>
To: cypherpunks@toad.com
Message Hash: 551123d1c7de8ec2b7d9882d076bd7b9c96fa887fcd2ddbda778846fccd46d69
Message ID: <199801131927.OAA21746@panix2.panix.com>
Reply To: N/A
UTC Datetime: 1998-01-13 19:53:42 UTC
Raw Date: Wed, 14 Jan 1998 03:53:42 +0800
From: Information Security <guy@panix.com>
Date: Wed, 14 Jan 1998 03:53:42 +0800
To: cypherpunks@toad.com
Subject: Re: Schneier's metrocard cracked
Message-ID: <199801131927.OAA21746@panix2.panix.com>
MIME-Version: 1.0
Content-Type: text/plain
> From schneier@visi.com Mon Jan 12 18:21:01 1998
> Subject: Re: Schneier's metrocard cracked
> In-Reply-To: <199801122150.NAA11668@comsec.com> from Information Security at "Jan 8, 98 11:40:23 pm"
> To: guy@panix.com
> Date: Mon, 12 Jan 1998 17:19:22 -0600 (CST)
> Cc: cp-lite@comsec.com
>
> Information Security wrote:
> > Dr. Dim wrote:
> > >
> > > I heard on the radio that the security scheme used in New York City metrocards
> > > (designed with much input frm Bruce Schneier) has been cracked and that the
> > > "hackers" can now add fare to the cards.
> > >
> > > Does anyone know any details? What encryption did Schneier use?
> >
> > It sounds like a procedural thing.
> >
> > Something like there was a way to swipe cards and have the
> > system wrongly think it updated the card.
> >
> > The city announced that every cardreader in the system
> > is going to be recalibrated, and this will cause problems
> > for "a few" existing cardholders.
>
> That's not my design. Counterpane consulted on the next generation
> cards, not the current mag stripe cards in the NY system. The
> protocols we developed are not currently being used in any fielded
> system.
>
> Bruce
A subsequent news report said hackers were taking discarded
(single-use?) MetroCards and "reprogramming" them so they
would work again.
However, the description didn't sound like it was really hacking...
The MTA said only 6 fraudulent uses of this was happening per day,
and 40 of these total per day.
"Of these"?
The MTA said there was some limited tolerance for nicked or
scratched cards, and in this situation - where the software
guessed that it was a scratched card - that it was programmed
to be "lenient" and let them in.
The news report showed the MTA's new recommendation for carrying
MetroCards: sliding them into a protective container for travel.
The mag-strip cards suck.
---guy
Return to January 1998
Return to “Information Security <guy@panix.com>”
1998-01-13 (Wed, 14 Jan 1998 03:53:42 +0800) - Re: Schneier’s metrocard cracked - Information Security <guy@panix.com>