Update: The cards are not being replaced. See a statement by the Transport Ticketing Authority at the bottom of the article.
Victoria’s troubled Myki public transport smartcard project has suffered another high-profile setback, with the state reported to be replacing over a million of the cards following revelations they can be hacked for free transport. The Melbourne Times Weekly reports:
“German engineering academics David Oswald and Christof Paar, both from Ruhr-Universität Bochum, have been studying how to hack into the card and claim their research forced [Myki manufacturer] NXP to discontinue the Myki card. The scientists are studying the cards as part of their cryptography research.”
The move is the latest in a series of problems for the Myki project. Alleged improprieties in contractual processes, delays and glitches — Myki has had every issue in the book. But at least Victorians can stand proud and acknowledge Myki was largely implemented and does work — unlike New South Wales’ botched Tcard equivalent.
Update: Transport Ticketing Authority chief executive Bernie Carolan has posted the following statement on the Myki website, clarifying that the organisation will not be replacing any Myki cards already owned by customers:
The Transport Ticketing Authority (TTA) has no intention of replacing any myki cards already owned by customers, as erroneously reported by some media outlets. The TTA believes that myki customers do not need to worry about the security of their myki card.
It is important to note that no personal information is stored on a myki card. Only the card balance and past 10 transactions are held on the card. Mifare DESFire is the safest smart card available on the market. It is far more technologically advanced than other models.
There are four separate security measures that can be installed to minimise the chances of this sort of attack and myki cards have all four. These relate to security key diversification, fraud detection countermeasures, blocking of fraudulent cards and an additional binding of card information.
Advice in a statement issued by the chip’s manufacturer indicates that laboratory conditions, very expert knowledge and plenty of time are required to carry out the claimed attack. It cannot be done simply by walking past a cardholder.
The TTA believes that myki customers do not need to worry about the security of their myki card. The only information available to a hacker would be the card balance and last 10 transactions. If one of the 10 previous transactions was a top up, no banking details are recorded on the myki card, just the amount added.