Transport for London has confirmed that the Oyster Card can be ‘cracked’ – but only for 24 hours.
Security experts in the Netherlands have reportedly ‘cloned’ Oyster cards using scanners and laptops and conducted an experiment that allowed them free travel across the transport network for a day.
Constantly testing the network
TfL released a statement saying that the “most anyone could gain from a rogue card is one day’s travel,” and that daily tests would find and stop the rogue card.
However, it seems 17 million cards are now at risk after Bart Jacobs and his team from Radboud University revealed how they compromised the system. The Dutch government has even gone as far as to postpone its own €1 billion smartcard transport scheme.
How it’s done
Attackers first scan a card reading unit at a station, capturing the ‘cryptographic key’ that protects a user’s security.
That key is uploaded to a computer. The hackers then brush past a card user, wirelessly reading the card’s details, which are then transferred to the computer. Then, using a card reader and blank ‘Oysters’, the information can be cloned repeatedly.
In the London experiment, Dr Jacobs ‘reversed’ the card’s code, allowing him to ‘load’ credit back onto the card.
TfL deny there is a breach of the system but admitted that a dodgy card could operate for at least a day.