NXP said that the decision meant that affected parties such as system integrators and operators using MIFARE chips would likely want to review their systems, but that October was not long enough to deal with the problem properly. [From Oyster card ‘free travel’ hack to be released | IT PRO]
NXP were right to point out that not every single card everywhere in the world needs to be replaced instantly, but our original conclusion that many schemes would need to start planning their upgrade route right away has turned out to be entirely justified. The story is a salutary parable about the benefits of “open” versus “closed” security, with a dash of hubris thrown in, and the need for long-term planning with these kinds of secure transaction systems. You might, by the way, be interested in this Channel 4 News segment on the Oyster card in London, which includes interviews with our friends from Royal Holloway and The Smart Card Group.
But the reason that I was thinking about MiFare again was that, in the best tradition of British journalism at its very finest, the headline of The Daily Express yesterday was “Thieves Crack Chip and PIN Bank Accounts”. OMG! It’s the end of money as we know it. Someone has “done a MiFare” on cards that I thought were economically secure! As soon as I saw this headline on the newsstand at the station, I immediately put my hand into my pocket and pulled out my iPhone and looked the story up on the interweb. It was rubbish. “Thieves crack” — no, they didn’t crack anything — “Chip and PIN” — no, they obtained PINs, the chips are untouched — “Bank Accounts” — no, counterfeit magnetic stripe cards used to make withdrawals from foreign ATMs, exactly the same story that has been discussed here ad nauseam. Yawn.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public