Schneier's metrocard cracked
Information Security
guy at panix.com
Tue Jan 13 11:53:42 PST 1998
> From schneier at visi.com Mon Jan 12 18:21:01 1998
> Subject: Re: Schneier's metrocard cracked
> In-Reply-To: <199801122150.NAA11668 at comsec.com> from Information Security at "Jan 8, 98 11:40:23 pm"
> To: guy at panix.com
> Date: Mon, 12 Jan 1998 17:19:22 -0600 (CST)
> Cc: cp-lite at comsec.com
>
> Information Security wrote:
> > Dr. Dim wrote:
> > >
> > > I heard on the radio that the security scheme used in New York City metrocards
> > > (designed with much input frm Bruce Schneier) has been cracked and that the
> > > "hackers" can now add fare to the cards.
> > >
> > > Does anyone know any details? What encryption did Schneier use?
> >
> > It sounds like a procedural thing.
> >
> > Something like there was a way to swipe cards and have the
> > system wrongly think it updated the card.
> >
> > The city announced that every cardreader in the system
> > is going to be recalibrated, and this will cause problems
> > for "a few" existing cardholders.
>
> That's not my design. Counterpane consulted on the next generation
> cards, not the current mag stripe cards in the NY system. The
> protocols we developed are not currently being used in any fielded
> system.
>
> Bruce
A subsequent news report said hackers were taking discarded
(single-use?) MetroCards and "reprogramming" them so they
would work again.
However, the description didn't sound like it was really hacking...
The MTA said only 6 fraudulent uses of this was happening per day,
and 40 of these total per day.
"Of these"?
The MTA said there was some limited tolerance for nicked or
scratched cards, and in this situation - where the software
guessed that it was a scratched card - that it was programmed
to be "lenient" and let them in.
The news report showed the MTA's new recommendation for carrying
MetroCards: sliding them into a protective container for travel.
The mag-strip cards suck.
---guy
More information about the cypherpunks-legacy
mailing list