Victorian myki system immune to NFC attack

Victoria's myki system has been shown to be immune to recent attacks on US transit ticketing systems that are based on the same technology.
Written by Michael Lee, Contributor

Despite vulnerabilities recently being found in the same near-field communication (NFC) technology used in the Victorian myki ticketing system, the system has been shown to be immune to fraudsters hoping to catch a free ride.

Earlier this week, security researchers demonstrated that MiFare Ultralight cards, which are used in the US, are vulnerable to an attack in which the information on a card is read, the card is used on select US transport systems, and the original contents are then written back to it.

Victoria's myki ticketing system uses several forms of MiFare cards. The reusable cards were previously MiFare DESFire MF3ICD40 cards, which the Victorian Transport Ticketing Authority (TTA) is upgrading to MiFare DESFire EV1 cards after it was discovered that hackers could possibly clone cards. Its paper short-term travel tickets, however, use the MiFare Ultralight cards that were thought to be vulnerable.

Curious as to whether they are vulnerable, programmer and engineering student Matthew McBride dumped the information from a short-term ticket, showing that the cards have been locked out from being re-written.

Kamco, the contracted firm implementing the technology behind the myki ticketing system, has also advised the TTA that the tickets are not vulnerable, and can only be written to once: at the time of activation.
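The kind of check a ticket dump allows, as an added example that is not McBride's, Kamco's or the researchers' code: it reads the lock bits from a 64-byte MiFare Ultralight dump and lists which pages a reader could still overwrite. It assumes the standard Ultralight layout (16 pages of 4 bytes, lock bytes in page 2); the function names and the sample dumps are constructed for illustration.

```python
PAGE_SIZE = 4    # bytes per page
NUM_PAGES = 16   # original MiFare Ultralight: 64 bytes in total
USER_PAGES = range(4, NUM_PAGES)  # pages 0-2: serial/lock bytes, page 3: OTP


def locked_pages(dump):
    """Return the set of pages (3..15) whose lock bit is set in the dump."""
    if len(dump) != PAGE_SIZE * NUM_PAGES:
        raise ValueError("expected a 64-byte MiFare Ultralight dump")
    lock0, lock1 = dump[10], dump[11]  # page 2, bytes 2 and 3
    locked = set()
    # Lock byte 0: bits 3..7 lock pages 3..7 (bits 0..2 are block-locking bits).
    for page in range(3, 8):
        if lock0 & (1 << page):
            locked.add(page)
    # Lock byte 1: bits 0..7 lock pages 8..15.
    for page in range(8, 16):
        if lock1 & (1 << (page - 8)):
            locked.add(page)
    return locked


def writable_user_pages(dump):
    """User pages that can still be overwritten. Lock bits are one-way,
    so a page reported as locked stays read-only for the card's life."""
    return sorted(set(USER_PAGES) - locked_pages(dump))


def make_dump(lock0, lock1):
    """Constructed sample dump: all zeros except the two lock bytes."""
    return bytes(10) + bytes([lock0, lock1]) + bytes(52)


if __name__ == "__main__":
    samples = {
        "fully locked ticket": make_dump(0xF8, 0xFF),
        "unlocked ticket": make_dump(0x00, 0x00),
        "partly locked ticket": make_dump(0x10, 0x01),
    }
    for name, dump in samples.items():
        pages = writable_user_pages(dump)
        verdict = "contents cannot be written back" if not pages else \
            "pages %s are still writable" % pages
        print("%s: %s" % (name, verdict))
```

A ticket whose writable list is empty matches what the dump and Kamco's advice describe: nothing written at activation can be replaced afterwards.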

Even if the tickets were vulnerable, there are relatively few of them within the Melbourne CBD where the myki system sees the most use. Short-term tickets are currently only sold in Ballarat, Bendigo, Geelong, Latrobe Valley, and Seymour, and even then are set to be phased out in 2013, according to the TTA.

"Short-term tickets have never been sold or used in metropolitan Melbourne, where passengers must have a myki card," the TTA said in a statement.

The original researchers who demonstrated the vulnerability have also released an Android application called UltraCardTester, which works with NFC-enabled phones to check whether a particular transit system's cards are vulnerable to attack.
