  • Enterprise IT - Written by on Thursday, October 13, 2011 17:07 - 8 Comments

    Victoria to replace hacked Myki cards — or not

    Update: The cards are not being replaced. See a statement by the Transport Ticketing Authority at the bottom of the article.

    Victoria’s troubled Myki public transport smartcard project has suffered another high profile setback, with the state reported to be replacing over a million of the cards following revelations they can be hacked for free transport. The Melbourne Times Weekly reports:

    “German engineering academics David Oswald and Christof Paar, both from Ruhr Universitat Bochum, have been studying how to hack into the card and claim their research forced [Myki manufacturer] NXP to discontinue the Myki card. The scientists are studying the cards as part of their cryptography research.”

    The move is the latest in a series of problems for the Myki project. Alleged improprieties in contractual processes, delays and glitches — Myki has had every issue in the book. But at least Victorians can stand proud and acknowledge Myki largely was implemented and does work — unlike New South Wales’ botched Tcard equivalent.


    Update: Transport Ticketing Authority chief executive Bernie Carolan has posted the following statement on the Myki website, clarifying that the organisation will not be replacing any Myki cards already owned by customers:

    The Transport Ticketing Authority (TTA) has no intention of replacing any myki cards already owned by customers, as erroneously reported by some media outlets. The TTA believes that myki customers do not need to worry about the security of their myki card.

    It is important to note that no personal information is stored on a myki card. Only the card balance and past 10 transactions are held on the card. Mifare DESFire is the safest smart card available on the market. It is far more technologically advanced than other models.

    There are four separate security measures that can be installed to minimise the chances of this sort of attack and myki cards have all four. These relate to security key diversification, fraud detection countermeasures, blocking of fraudulent cards and an additional binding of card information.

    Advice in a statement issued by the chip’s manufacturer indicates that laboratory conditions, very expert knowledge and plenty of time are required to carry out the claimed attack. It cannot be done simply by walking past a cardholder.

    The TTA believes that myki customers do not need to worry about the security of their myki card. The only information available to a hacker would be the card balance and last 10 transactions. If one of the 10 previous transactions was a top up, no banking details are recorded on the myki card, just the amount added.

    Image credit: Benjamin Diehl, royalty free


    8 Comments


    1. Mmm
      Posted 13/10/2011 at 6:44 pm | Permalink | Reply

      Bzzt, Renai. You fell for popularist tech reporting. Seriously, a MSM article with “hacker” in the title? Did a tram need to fall from the sky for you to get your skepticism pants on?

      Everything you needed to understand that was even in the article. The old MIFARE Classic cards aren’t being made anymore because although they are cheap they are insecure. However, Myki/Kamco knew this and there are security countermeasures that ban that card’s unique ID once any tampering is detected. The newest most secure cards (the “MIFARE DESFire EV1”) require different programming initially, the TTC is working out how to manage that migration/upgrade.

      Look, it even says clearly: “TTA chief executive Bernie Carolan said the hacks didn’t force the authority to replace the cards.” The cards aren’t being replaced, only new cards will be on new stock.

    2. Posted 13/10/2011 at 6:44 pm | Permalink | Reply

      Might want to look at the MyKi website, they’re not going to replace the cards because “no personal information is stored on a myki card”. I personally use MyKi on a daily basis as my main method for getting to uni. I’m not worried too much, but I’m a little concerned about it.

      Either way, the statement from the TTA can be found here: http://www.myki.com.au/

    3. Posted 13/10/2011 at 9:33 pm | Permalink | Reply

      I will repeat what I have said on another forum. It is unlikely any cards will be replaced until their four year expiry dates, which would place the first to be replaced (from regional Victoria) from December next year.

      Oyster in London has been ‘vulnerable’ to a security flaw in the previous ‘Mifare Classic’ model for some years now – but for various reasons mass cloning of cards in that system is not viable. They are slowly moving to the DESFire EV1 which myki will now do as well.

      The DESFire attack is a ‘side-channel attack’ which looks for electromagnetic radiation emitting from the circuitry inside the chip itself (to see what 1’s and 0’s are flying around). It is much harder than the attack on Mifare Classic which found a flaw in the card’s software.

      Having poked a myki with an NFC reader, I can say a few things about the security of it:
      1. No data on the myki or the short term ticket is readable without authenticating with a known key first.
      2. The secret key is never passed over the air (unlike Mifare Classic) – rather a three way handshake is used.
      3. The encryption itself is 3DES (AES in EV1) – and if an attack was found on that, all the banks in the world will be running for cover.
      4. Further security can be achieved by encrypting over-the-air transmissions as well; I don’t know if myki readers do this.
      5. Also, there can be different keys for reading, writing, creating and deleting data.

      Personally I think an easier attack would be to get one’s hands on a myki machine (CVM or bus console), give yourself lots of topups/encode many short term tickets and then remove all evidence (transaction log, money) anything took place.
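
Points 1, 2 and 5 of the comment above, together with the “key diversification” and “blocking of fraudulent cards” measures in the TTA statement, describe a challenge-response design in which the card’s key never crosses the air interface and each card carries its own key. The following is an added illustration, not code from Delimiter, the commenter, NXP or the TTA. It simulates a three-pass mutual authentication between a reader that holds a master key and a card that holds only its own diversified key, then checks that a recorded transcript, a key presented under a different card’s UID, and a blocked UID are all rejected. HMAC-SHA256 stands in for the 3DES/AES block-cipher operations of the real DESFire handshake, and the master key, UIDs and derivation labels are constructed values, not anything from a real deployment.

```python
import hmac
import hashlib
import secrets

# Constructed master key for the example; a real system keeps it in an HSM/SAM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def diversify_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Per-card key derived from the master key and the card's UID.
    HMAC-SHA256 stands in for the CMAC-based derivation real DESFire
    systems use (a simplification, not NXP's algorithm)."""
    return hmac.new(master_key, b"diversify:" + card_uid, hashlib.sha256).digest()[:16]


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for the 3DES/AES steps of the real handshake."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class Card:
    """Simulated card: knows only its UID and its own diversified key."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key
        self._rnd_a = self._rnd_b = None

    def respond(self, rnd_a: bytes):
        # Pass 2: answer the reader's challenge with a fresh nonce and a proof
        # of key knowledge. The key itself never crosses the air interface.
        self._rnd_a, self._rnd_b = rnd_a, secrets.token_bytes(16)
        return self.uid, self._rnd_b, mac(self._key, b"card|" + rnd_a + self._rnd_b)

    def verify_reader(self, reader_tag: bytes) -> bool:
        # Pass 3 check: the card only trusts a reader that also knows the key.
        expected = mac(self._key, b"reader|" + self._rnd_b + self._rnd_a)
        return hmac.compare_digest(expected, reader_tag)


class Reader:
    """Simulated reader holding the master key and a fraud blocklist."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.blocked = set()  # UIDs flagged by fraud detection

    def authenticate(self, card):
        """Three-pass mutual authentication; returns a session key or None."""
        rnd_a = secrets.token_bytes(16)             # Pass 1: fresh challenge
        uid, rnd_b, card_tag = card.respond(rnd_a)  # Pass 2
        if uid in self.blocked:
            return None
        key = diversify_key(self._master, uid)      # derived per card, never stored
        if not hmac.compare_digest(card_tag, mac(key, b"card|" + rnd_a + rnd_b)):
            return None                             # wrong key, wrong UID, or replay
        reader_tag = mac(key, b"reader|" + rnd_b + rnd_a)   # Pass 3
        if not card.verify_reader(reader_tag):
            return None
        return mac(key, b"session|" + rnd_a + rnd_b)


class ReplayedCard:
    """Models a recorded over-the-air answer being played back verbatim."""

    def __init__(self, recorded):
        self._recorded = recorded

    def respond(self, rnd_a: bytes):
        return self._recorded  # ignores the reader's new challenge

    def verify_reader(self, reader_tag: bytes) -> bool:
        return True


def record_exchange(card: Card):
    """Capture one pass-2 answer as an eavesdropper on the air interface would."""
    return card.respond(secrets.token_bytes(16))


def demo():
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed UID
    genuine = Card(uid, diversify_key(MASTER_KEY, uid))
    reader = Reader(MASTER_KEY)
    results = {
        "genuine": reader.authenticate(genuine) is not None,
        # The genuine card's key presented under another UID: diversification
        # means the reader derives a different key and rejects it.
        "wrong_uid": reader.authenticate(Card(b"\x04other", diversify_key(MASTER_KEY, uid))) is not None,
        # A recorded answer fails because the reader's challenge is fresh each time.
        "replay": reader.authenticate(ReplayedCard(record_exchange(genuine))) is not None,
    }
    reader.blocked.add(uid)  # fraud detection flags the UID
    results["blocked"] = reader.authenticate(genuine) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The session key returned by `authenticate` is bound to both nonces, so every transaction gets a distinct key even for the same card, and a tag captured from one run is worthless in the next; that, rather than secrecy of the exchange, is what makes the “no key over the air” property hold.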

    4. Posted 14/10/2011 at 12:11 am | Permalink | Reply

      Cheers for the feedback on this, everyone. I hear you loud and clear — will fix the article tomorrow morning (Friday).

    5. Posted 14/10/2011 at 9:43 am | Permalink | Reply

      When NFC chips are standard in smartphones it will be interesting to see how much more readily systems like this are vulnerable to skimming/cloning

      • PeterA
        Posted 14/10/2011 at 11:58 am | Permalink | Reply

        Much easier to upgrade the software in a phone, than a non internet connected card though.
        Security updates will be easier to propagate.

        • Posted 18/10/2011 at 11:55 am | Permalink | Reply

          Interesting, but I was thinking more about the potential for using NFC-equipped phones to skim/clone the cards…

    6. pete
      Posted 15/10/2011 at 8:08 pm | Permalink | Reply

      Get with the program, everybody: if it has a chip, strip or brain of any kind, it will be hacked. Welcome to the future of our world. Sad, isn’t it? People with nothing better to do than stuff people’s lives up should have their fingers smacked with a big hammer. What sort of morons will our children have to deal with in forty years’ time, with the technology they will have?
