[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Schneier's metrocard cracked

   >   From [email protected] Mon Jan 12 18:21:01 1998
   >   Subject: Re: Schneier's metrocard cracked
   >   In-Reply-To: <[email protected]> from Information Security at "Jan 8, 98 11:40:23 pm"
   >   To: [email protected]
   >   Date: Mon, 12 Jan 1998 17:19:22 -0600 (CST)
   >   Cc: [email protected]
   >   Information Security wrote:
   >   >    Dr. Dim wrote:
   >   >    >   
   >   >    >   I heard on the radio that the security scheme used in New York City metrocards
   >   >    >   (designed with much input frm Bruce Schneier) has been cracked and that the
   >   >    >   "hackers" can now add fare to the cards.
   >   >    >   
   >   >    >   Does anyone know any details?  What encryption did Schneier use?
   >   > 
   >   > It sounds like a procedural thing.
   >   > 
   >   > Something like there was a way to swipe cards and have the
   >   > system wrongly think it updated the card.
   >   > 
   >   > The city announced that every cardreader in the system
   >   > is going to be recalibrated, and this will cause problems
   >   > for "a few" existing cardholders.
   >   That's not my design.  Counterpane consulted on the next generation
   >   cards, not the current mag stripe cards in the NY system.  The
   >   protocols we developed are not currently being used in any fielded
   >   system.
   >   Bruce

A subsequent news report said hackers were taking discarded
(single-use?) MetroCards and "reprogramming" them so they
would work again.

However, the description didn't sound like it was really hacking...

The MTA said only 6 fraudulent uses of this was happening per day,
and 40 of these total per day.

"Of these"?

The MTA said there was some limited tolerance for nicked or
scratched cards, and in this situation - where the software
guessed that it was a scratched card - that it was programmed
to be "lenient" and let them in.

The news report showed the MTA's new recommendation for carrying
MetroCards: sliding them into a protective container for travel.

The mag-strip cards suck.