Contactless Cards
Comments
-
It might possibly be that those people have only read media scare stories and actually know nothing about the technology itself. The media is well known for blowing things out of proportion.
It might be, but it isn't. These are all educated, informed people. 2 of whom work in the security industry btw.0 -
Jack_Griffin wrote: »The ski lift example shows that range of readers is not as limited as some people would like to imply.
As I've said in a previous post, that everyone seems to have ignored, it is a different technology.
An Oyster card and a ski-lift pass are RFID tags that can indeed be read at a distance. The communication is one-way. The "reader" fires a radio signal, that signal induces a current in the chip to power it, and it fires its own signal in response that contains its own pre-programmed ID number.
That's not how contactless cards work, despite them being labelled as RFID technology. The cards require two-way communication and use magnetic coupling to provide power to the card. This technology CAN NOT be used at a large distance because magnetic coupling simply does not work over distances more than a few centimetres.0 -
An Oyster card and a ski-lift pass are RFID tags that can indeed be read at a distance. The communication is one-way.0
-
As I recall oyster cards (and bus pass cards) have to be presented at a reader to be topped up from the reader. Until this happens although you may have paid for the top up via the website the card is not actually topped up with whatever you have paid.
Ski lift cards will be checking the date/time validity is correct for the amount paid (high season/low season/weekend pass/week pass/morning pass) and in some cases for non resort wide passes (e.g. beginners passes) that the card is valid on the actual lift being used. Plus obviously the ident of the specific card for record keeping purposes.
(You pay a deposit for the card when you buy it (typically 4 euros) and at the end of your holiday you return it and get the deposit back.)0 -
I don't know about ski-lift passes, but an Oyster card is definitely two-way. I have full logs of the communication between the reader and the card. If you have the knowledge, you can also change the information stored on the card. There's encryption involved, but it's full of holes.
But are those logs not just created by the chip on the card itself? When the chip gets powered and sends its ID information, it could write to its own log file to say what happened. That's not the same as two-way communication - the reader didn't necessarily write the log info to the card.
ChiefGrasscutter wrote: »As I recall oyster cards (and bus pass cards) have to be presented at a reader to be topped up from the reader. Until this happens although you may have paid for the top up via the website the card is not actually topped up with whatever you have paid.
Hmm. Well in that case then I stand corrected. I was under the impression that the Oyster card simply presented its identification, and then the system did a database lookup to work out what funds were available and to log what entry/exit you have used.
I've never tried topping one up online so I've no experience of that. But I would have expected the card to work immediately as soon as you have topped up online. If you say that doesn't work, then fine I'll believe you, but it doesn't make any sense. The funds can't possibly be stored on the card itself because that would be ripe for abuse. There's no reason for anything to be stored on the card at all, other than an identification number.0 -
The funds can't possibly be stored on the card itself because that would be ripe for abuse. There's no reason for anything to be stored on the card at all, other than an identification number.
Whilst I completely agree with you, that's exactly what happens - the funds are stored on the card itself in encrypted format, and yes, people have broken the encryption and can top up the card themselves with the appropriate equipment, but not everyone has this equipment and the knowledge has not been made public other than the "proof of concept" (live demonstration at a public conference).
If you google, I'm sure you'll find videos of the appropriate conferences along with the proof of concept videos/images with the encryption keys blanked out.0 -
As I've said in a previous post, that everyone seems to have ignored, it is a different technology.
An Oyster card and a ski-lift pass are RFID tags that can indeed be read at a distance. The communication is one-way. The "reader" fires a radio signal, that signal induces a current in the chip to power it, and it fires its own signal in response that contains its own pre-programmed ID number.
That's not how contactless cards work, despite them being labelled as RFID technology. The cards require two-way communication and use magnetic coupling to provide power to the card. This technology CAN NOT be used at a large distance because magnetic coupling simply does not work over distances more than a few centimetres.
The information I found indicates the contactless range is 10cm, as I said in a previous post that is probably not an absolute limit, but a guaranteed range, if you have a more powerful reader I'm sure you can extend it. I never said it is a massive range, but I can imagine crooks being able to fit readers to ATMs to make some card transactions for a few days to companies registered in the Ukraine.0 -
Whilst I completely agree with you, that's exactly what happens - the funds are stored on the card itself in encrypted format, and yes, people have broken the encryption and can top up the card themselves with the appropriate equipment, but not everyone has this equipment and the knowledge has not been made public other than the "proof of concept" (live demonstration at a public conference).
If you google, I'm sure you'll find videos of the appropriate conferences along with the proof of concept videos/images with the encryption keys blanked out.
It's worth pointing out that although the details are stored on the card, the profit possible from abusing the card is minimal.
The reason for storing balances on the cards is a sound technical one. It makes the transaction when touching in/out a fast one, since no reference is made to an external database. But the card reader records all the transactions, and reports them back to an external database daily. So if a balance on a card was found to be inconsistent (i.e. the card has a higher balance than the top-ups imply), this would soon be discovered.
As I understand it, there is a blacklist, which is uploaded to the terminals each day. The card would then be added to the blacklist, and would no longer be functional.0
This discussion has been closed.
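The daily reconciliation and blacklist described in the last post can be sketched as follows. This is an added example, not code from the thread or from any real ticketing operator. The record layout, the per-card sequence number and all card IDs and amounts are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of one day's reader uploads (not real ticketing data).
# Fields: card id, per-card sequence number (assumed), event kind,
# amount in pence, and the balance the card itself reported afterwards.
READER_LOG = [
    ("CARD-A", 1, "topup", 2000, 2000),
    ("CARD-B", 1, "topup", 1000, 1000),
    ("CARD-A", 2, "fare", 240, 1760),
    ("CARD-B", 3, "fare", 240, 5520),   # uploaded before seq 2 by another reader
    ("CARD-B", 2, "fare", 240, 5760),   # card claims far more than it was sold
    ("CARD-A", 3, "fare", 150, 1610),
]


def reconcile(log, opening=None):
    """Replay reported events per card and compare the back-office ledger
    with the balance each card claimed. Returns (ledger, findings)."""
    ledger = defaultdict(int, opening or {})
    findings = []
    # Readers upload in batches, so order by card and sequence before replay.
    for card, seq, kind, amount, claimed in sorted(log, key=lambda r: (r[0], r[1])):
        if kind == "topup":
            ledger[card] += amount
        elif kind == "fare":
            ledger[card] -= amount
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        # A card reporting more than top-ups minus fares cannot be accounted for.
        if claimed > ledger[card]:
            findings.append((card, seq, claimed - ledger[card]))
    return dict(ledger), findings


def build_blacklist(findings, existing=()):
    """Blacklist to push to terminals: previous entries plus any card
    whose claimed balance exceeded what the ledger can account for."""
    return sorted(set(existing) | {card for card, _, _ in findings})


if __name__ == "__main__":
    ledger, findings = reconcile(READER_LOG)
    for card, seq, excess in findings:
        print(f"{card} seq {seq}: card balance exceeds ledger by {excess}p")
    print("blacklist:", build_blacklist(findings))
```

The check only runs once the readers have uploaded their batches, so an inflated balance stays usable until the next blacklist reaches the terminals.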