[Dave Birch] The ramifications of the MiFare classic shenanigans that we have discussed here before continue to widen.

NXP said that the decision meant that affected parties such as system integrators and operators using MIFARE chips would likely want to review their systems, but that October was not long enough to deal with the problem properly.

[From Oyster card ‘free travel’ hack to be released | IT PRO]

NXP were right to point out that not every single card everywhere in the world needs to be replaced instantly, but our original conclusion that many schemes would need to start planning their upgrade route right away has turned out to be entirely justified. The story is a salutary parable about the benefits of “open” versus “closed” security, with a dash of hubris thrown in, and the need for long-term planning with these kinds of secure transaction systems. You might, by the way, be interested in this Channel 4 News segment on the Oyster card in London, which includes interviews with our friends from Royal Holloway and The Smart Card Group.

But the reason that I was thinking about MiFare again was that, in the best tradition of British journalism at its very finest, the headline of The Daily Express yesterday was “Thieves Crack Chip and PIN Bank Accounts“. OMG! It’s the end of money as we know it. Someone has “done a MiFare” on cards that I thought were economically secure! As soon as I saw this headline on the newsstand at the station, I immediately put my hand into my pocket and pulled out my iPhone and looked the story up on the interweb. It was rubbish. “Thieves crack” — no, they didn’t crack anything — “Chip and PIN” — no, they obtained PINs, the chips are untouched — “Bank Accounts” — no, counterfeit magnetic stripe cards used to make withdrawals from foreign ATMs, exactly the same story that has been discussed here ad nauseum. Yawn.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: