1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
|
\documentclass[a4paper]{article}
\usepackage[english]{babel}
\usepackage{graphicx}
\usepackage{subfigure}
\usepackage[T1]{fontenc}
\usepackage{times}
\pagestyle{plain}
\usepackage{url}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
\setlength{\topmargin}{0in}
\setlength{\headheight}{0in}
\setlength{\headsep}{0in}
\setlength{\textwidth}{6.5in}
\setlength{\textheight}{9.5in}
\setlength{\parindent}{0in}
\setlength{\parskip}{0.05in}
\begin{document}
\title{Security Analysis of the EasyCard Payment System}
\author{Harald Welte $<$laforge@gnumonks.org$>$}
\date{UNRELEASED (September XX, 2010)}
\maketitle
%%%%%%%%%%%%%%%%%%%
\begin{abstract}
One of Asia's most popular electronic payment systems uses insecure technology.
The EasyCard system, established in 2001, is the most popular stored-valued card
in Taiwan. With more than 18 million issued cards, it is the predominant means
of paying for public transportation services in the capital Taipei.
In 2010, use of the EasyCard was extended beyond transportation. Card holders
can now pay in all major convenience stores and major retail companies like
Starbucks or even SOGO [TODO: Starbuck ist kein Retailer und SOGO ist kein bekannter Begriff].
Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was quickly broken~\cite{mifare-attack-esorics} after the disclosure of the cipher ~\cite{mifare}.
This document analyzes the results of combining the practical attacks
on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment
system.
\end{abstract}
\tableofcontents
%%%%%%%%%%%%%%%%%%%
\section{Disclaimer}
This document is the result of independent research on the EasyCard
system. It was done out of personal interest in security technology and to raise awareness about the risks of everyday technology.
No competitor of the EasyCard corporation,
or other business or political stakeholder ever encouraged, supported or
funded this work in any way.
The result of this research is presented to the general public in the
hope it will make people re-consider the amount of trust they place
in proprietary systems that provide no evidence of their security,
and no option for the general public or the scientific community to
validate it.
This paper is also directed at the legislator and the regulatory authorities,
in the hope that it will help them to produce better rules and requirements on
the technology designed for and used by operators of security relevant systems
such as banking.
%%%%%%%%%%%%%%%%%%%
\section{System overview}
TODO Karsten
FIXME: Describe system -- Mifare Classic + Unique keys + (online?) fraud detection
%%%%%%%%%%%%%%%%%%%
\section{MIFARE Classic security}
%%%%%%%%%%%%%%%%%%%
\subsection{MIFARE Classic weaknesses}
FIXME: Summarize the existing research on mifare classic systems
MIFARE Classic security came under increased scrutiny following a talk at the 24$^{\textnormal{th}}$ Chaos Communication Congress in December 2007 which described some of the first results of silicon reverse engineering research on the MIFARE Classic 1k chip. For reasons of responsible disclosure not all details were initially published. These details these were then independently, and partially orthogonally, explored by a group of Dutch security researchers out of Radboud University Nijmegen, fueled by the rollout of a new Dutch public transport payment system based on MIFARE Classic, the OV Chipkaart.
This section describes all known weaknesses and attacks on the MIFARE Classic system, in approximate historical order and ascending severity.
\subsubsection{Protocol and implementation errors}
One of the first results was that the random number generators (RNG) that are implemented in both card and reader are time-based and easy to predict. Both RNGs start up when the corresponding device is first powered up -- in the case of the reader that's a reset, in the case of the card that's when the card enters a sufficiently strong field -- and then create a fixed number sequence with a fixed clock.
% Protocol- and implementation errors: RNG, keystream recovery, re-auth
% Theoretical results: filter function bias, algebraic attack
% Practical results and demo
% Card-only attacks
%%%%%%%%%%%%%%%%%%%
\subsection{MIFARE Classic Attack Tools}
\subsubsection{Crapto1}
TODO: introduce libnfc
\subsubsection{MFOC}
\subsubsection{MFCUK}
\subsubsection{CryptoMiniSat}
The above attacks exploit predictable random numbers and information leakage through parity bits. Both weaknesses are fixed in newer versions of the MIFARE Card such as the MIFARE Plus card in MIFARE Classic emulation~\footnote{MIFARE Plus also supports strong AES encryption. The MIFARE DESfire card also provides strong encryption and fixes the random numbers in MIFARE Classic emulation mode, but still leaks information through parity bits}.
FIXME: summarize results (12 seconds per key), state that attack applies to MIFARE DESfire, MIFARE Plus in Classic emulation mode
%%%%%%%%%%%%%%%%%%%
\section{EasyCard analysis}
The following results were generated using new EasyCard obtained from a vending machines in a Taipei MRT station in August 2010.
As it is public knowledge that the EasyCard system is based on MIFARE
technology, any MIFARE-compatible RFID reader (PCD, Proximity Coupling Device)
can be used to establish a physical communications link according to ISO
14443-1 and -2, as well as performing the anti-collision procedure according
to ISO 14443-3.
The author has used the OpenPCD RFID reader to do this, and has confirmed that
the EasyCard in fact is a card with ISO 14443-3 compatible anti-collision
procedure. The ATQA response also looks like that of a standard MIFARE Classic
transponder.
Often MIFARE Classic systems use standard keys for some card sectors, for example for empty sectors. This seems not to be the case for the EasyCard where all sector keys are card-specific. Therefore, the fastest key recovery method where keys are recovered based on one known key does not apply~\cite{pickpocketing}.
\subsection{Recovering sector keys}
Since none of the sector keys was known, the publicly available MFCUK (MiFare
Classic Universal toolKit) implementation of the ``Dark Side'' attack (Nicolas T.
Courtois) was used as a card-only attack.
All that was required was the MFCUK Free Software, as well as a RFID
reader as supported by libnfc. Compatible readers are widely available,
among them one for EUR 30 from \url{http://www.touchatag.com/e-store}.
Using the MFCUK key recovery tool, the A and B keys for all sectors have
been recovered within FIXME. This attack can definitely be optimized
by using special-purpose hardware such as the Proxmark, which gives
hard-realtime control over the communication with the EasyCard.
Furthermore, the key recovery can be optimized based on known-plaintext that is
common to all cards.
\subsection{Extracting raw data}
Once the sector keys have all been recovered, the full content of the EasyCard
can be dumped using any RFID reader supporting MIFARE Classic. The author
chose to use the same reader that was used for the MFCUK key recovery combined
with the nfc-mfclassic program (part of libnfc).
A full dump of the newly-purchased, unused EasyCard revealed the following
content:
\begin{verbatim}
0000000 a193 c031 88c3 0004 ba46 1214 1051 1004
0000010 140e 0100 0207 0308 0409 1008 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
0000030 211a ccd0 f399 7708 008f 6ac6 53bf cf08
0000040 ff02 0300 0000 059f 804c c926 0171 3601
0000050 0000 1000 1027 0027 64de 0001 0000 bb00
0000060 f1d6 b4e8 0012 0000 0000 6400 0064 6900
0000070 2e64 f724 bd57 7708 008f 8917 3d48 5dcd
0000080 0190 0000 fe6f ffff 0190 0000 ff00 ff00
0000090 0190 0000 fe6f ffff 0190 0000 ff00 ff00
00000a0 0000 0000 0000 0000 0000 0000 0000 0000
00000b0 0d3d 782b 33cd 7708 008f 2411 4ce7 ea3f
00000c0 0001 0005 0000 0000 0000 0000 0000 0000
00000d0 0000 0000 0000 0000 0000 0000 0000 0000
00000e0 0000 0000 0000 0000 0000 0000 0000 0000
00000f0 2fb1 511f 85b4 7708 008f 8dc8 eef5 2850
0000100 0000 0000 0000 0000 0000 0000 0000 0000
0000110 0000 0000 0000 0000 0000 0000 0000 0000
0000120 0000 0000 0000 0000 0000 0000 0000 0000
0000130 4587 96bd 1f22 7708 008f 47ce 7619 1558
0000140 0000 0000 0000 0000 0000 0000 0000 0000
0000150 0000 0000 0000 0000 0000 0000 0000 0000
0000160 0000 0000 0000 0000 0000 0000 0000 0000
0000170 5583 7616 749e 7708 008f 9bf3 c129 8eb6
0000180 0c00 0400 0044 0000 0000 0000 0000 4c00
0000190 0200 2200 0022 0000 0000 0000 0200 0000
00001a0 0000 0005 0000 0000 0000 0000 0000 0000
00001b0 af5f 6aeb 3a2c 7708 008f c039 7a1d d248
00001c0 0000 0000 0000 0000 0000 0000 0000 0000
00001d0 0000 0000 0000 0000 0000 0000 0000 0000
00001e0 0000 0000 0000 0000 0000 0000 0000 0000
00001f0 aebf 906e f2bd 7708 008f e3e7 988f aaaa
0000200 0000 0000 0000 0000 0000 0000 0000 0000
0000210 0000 0000 0000 0000 0000 0000 0000 0000
0000220 0000 0000 0000 0000 0000 0000 0000 0000
0000230 ec9f 8bc6 4b89 7708 008f 53b0 2571 9e66
0000240 0000 0000 0000 0000 0000 0000 0000 0000
0000250 0000 0000 0000 0000 0000 0000 0000 0000
0000260 0000 0000 0000 0000 0000 0000 0000 0000
0000270 edc5 c17c 8a36 7708 008f 9a58 b6d9 5a8b
0000280 0000 0000 0000 0000 0000 0000 0000 0000
0000290 0000 0000 0000 0000 0000 0000 0000 0000
00002a0 0000 0000 0000 0000 0000 0000 0000 0000
00002b0 40f7 60bf 4b8a 7708 008f 3a00 c93a 63e8
00002c0 0000 0000 0000 0000 0000 0000 0000 0000
00002d0 0000 0000 0000 0000 0000 0000 0000 0000
00002e0 0000 0000 0000 0000 0000 0000 0000 0000
00002f0 b50a 9f96 d2e3 7708 008f 4855 7cdb 7dff
0000300 0000 0000 0000 0000 0000 0000 0000 0000
0000310 0000 0000 0000 0000 0000 0000 0000 0000
0000320 0000 0000 0000 0000 0000 0000 0000 0000
0000330 4c06 3ebc e595 7708 008f 9a5b 001b d14a
0000340 0000 0000 0000 0000 0000 0000 0000 0000
0000350 0000 0000 0000 0000 0000 0000 0000 0000
0000360 0000 0000 0000 0000 0000 0000 0000 0000
0000370 3fb0 45ce 6f6b 7708 008f c0bf adb0 d662
0000380 0000 0000 0000 0000 0000 0000 0000 0000
0000390 0000 0000 0000 0000 0000 0000 0000 0000
00003a0 0000 0000 0000 0000 0000 0000 0000 0000
00003b0 3320 9074 e84c 7708 008f 0094 85d5 7aaa
00003c0 8000 c926 0071 0000 0000 0000 0064 0064
00003d0 0000 0000 0000 0000 0000 0000 0000 0000
00003e0 0000 0000 0000 0000 0000 0000 0000 0000
00003f0 ea02 0bda b62a 7708 008f 0000 0000 0000
\end{verbatim}
\subsection{Parsing the card content}
When the author started his research, there was no pre-existing public
knowledge on the data format used by the EasyCard system. As such,
significant time was spent analyzing it.
The card was subsequently used to perform a number of transactions such as
use of public transportation and purchase of goods in stores.
After each transaction, again a full dump of the card contents was made,
and the difference to the previous dump analyzed carefully. No particular
tools have been used for analysis. Most of the work relied on hex-dumps
of the card content and using the {\tt diff} utility to visualize differences
between two consecutive versions.
During the analysis, it was quickly revealed that there are four
distinctive sets of changes that can be associated with a transaction:
\begin{itemize}
\item The card balance, stored as MIFARE value block
\item The transaction log
\item The transaction log index
\item The last MRT entry/exit record
\end{itemize}
Furthermore, a constant header has been identified. It was never changed during
any of the tested transactions.
The result of this analysis can be found in the next section:
\section{EasyCard data format}
\subsection{Sector 0 and 1: The header}
FIXME
\subsection{Sector 2: The card balance as value block}
The first two blocks of sector 2 store the current remaining debit account
balance as a MIFARE Classic VALUE BLOCK. The format of this block is
documented in the official NXP vendor documentation on the MIFARE chip
used inside the card.
The value block is decremented every time payment is made with the card.
Given the MIFARE access bits, it is assumed that the RFID readers in public
transportation as well as stores use key A for this sector, as key A is
sufficient to read and decrement the VALUE block.
Re-charging the card must happen using authentication with key B, as only
key B has permissions to increment and/or write to this sector.
\subsection{Sector 3 through 5: The transaction log}
Every time a transaction is made with the card, an entry in the transaction log
on the card itself is generated. Every entry occupies one full 16-byte block.
The structure of a transaction log entry is as follows:
\begin{itemize}
\item 1 byte Transaction ID
\item 4 bytes Timestamp
\item 1 byte Transaction type
\item 2 bytes Cost charged for transaction
\item 2 bytes Remaining balance after transaction
\item 1 byte MRT Station ID
\item 1 byte Unknown
\item 2 bytes RFID Reader ID
\item 2 bytes Unknown
\end{itemize}
The {\em Transaction ID} is a monotonically increasing value, incrementing with
each transaction.
The {\em Timestamp} is a 32bit value in the standard UNIX time() format (Seconds
since January 1st 1970 00:00:00). However, it does not reference UTC but CST.
The {\em Transaction type} indicates the type of transaction. Following codes
are known:
\begin{itemize}
\item {\tt 0x00} Entering MRT station
\item {\tt 0x11} Leaving MRT station
\item {\tt 0x80} Re-entering (connecting) MRT station
\item {\tt 0x20} Purchase of goods in shop
\item {\tt 0x30} Re-charging the card using an {\em Add value machine}
\end{itemize}
The {\em Cost} and {\em Remaining balance} fields are unsigned 16bit integer
values representing the price in NTD (New Taiwan Dollars).
In case of a MRT related transaction, the {\em MRT Station ID} encodes the MRT
station at which the transaction was performed. By visiting the TRTC (Taiwan
Rapid Transport Corporation) website, one can see the same numeric identifiers
being used within the URLs that link from the MRT map to the per-station web
pages. As such, a full table of MRT station names and corresponding
identifiers has been compiled and implemented as part of {\tt easytool}.
The {\em RFID Reader ID} is presumed to be a unique identifer for the specific
RFID Terminal. Subsequent transactions at the same terminal will render
the same number in this field.
FIXME: Transaction log pointer
\subsection{Sector 7: The last MRT entry/exit record}
Block 2 (Offset 0x1e0) contains a record describing the last MRT station
that was entered using this EasyCard.
\begin{itemize}
\item Bytes 0...3 are unknown
\item Byte 4 contains the MRT station code
\item Bytes 6...8 are unknown
\item Bytes 9...12 contain the Timestamp
\item Bytes 13..15 are unknown
\end{itemize}
Block 1 (Offset 0xd0) of the same sector contains a record using the same
structure. However, this record describes the last MRT station that was
left using this EasyCard.
It is assumed that this information is used by the system to compute both the
distance (and thus fee) to be paid by the current ride, as well as any
applicable discount in case a connection is made from MRT into a bus.
\subsection{Sector 15: Maximum daily spending}
Block 2 (Offset 0x3e0) contains a record used for keeping track of
the amount of money spent on a single day. This is needed in order
to impose a daily spending limit of (currently) NTD 3,000.
The record is structured as follows:
\begin{itemize}
\item Bytes 0...10 are unknown (all zero in tested cards)
\item Byte 11 contains the day of the month
\item Byte 12 contains an unknown value (0x3d in tested cards)
\item Byte 13...14 contain the sum of all purchases on the indicated day
\end{itemize}
If multiple retail store purchases are made on the same day of the month, the
sum is incremented with every purchase. If an EasyCard terminal in the store
detects that the current day-of-the-month is different from that stored on the
card, the sum is re-set and starts new for that day.
\section{Tampering with the EasyCard}
\subsection{Decreasing card value}
In order to decrease the account balance on the card, the following method
was tested:
\begin{itemize}
\item Make a purchase in a retail store that accepts the EasyCard
\item Find the transaction log entry regarding this purchase and increase the transaction cost by some value. NTD 200 was chosen in this example. Decrease the {\em amount remaining after transaction} field accordingly by the same amount.
\item Alter the two VALUE blocks in Sector 2 to reflect the subtracted amount. Make sure the backup copies (inverted and non-inverted) are updated, too.
\item Alter the {\em amount spent per day} in Sector 15 to reflect the increased amount spent.
\end{itemize}
Payment using the manipulated card was possible without any problem, provided
that the to-be-paid amount is less than what the card considers the remaining
balance.
Re-reading the card after the purchase indicates the full success of the
operation. The purchase has left exactly the same changes in the card like
it would have with a card that has a genuine lower value. None of the
erroneously increased (or decreased) numbers had been updated.
This specifically confirms that the vending terminal did not have an online
connection to a centralized database. In that case, the erroneous values
on the card would have been corrected and the original value restored.
\subsection{Increasing card value}
The approach works similar to the previous one. First, a purchase in a store
is being made, preferrably with relatively high value. Later, the transaction
log record, card balance and amount spent per day fields are modified to make
this purchase appear cheaper than it actually was. So after purchasing an item
with 1000 NTD, the card will look like only 100 NTD were spent for the purchase,
giving an extra balance of 900 NTD to the attacker.
\subsection{Bypassing daily spending threshold}
As the sum of all purchases on a given day-of-the-month is stored in Sector 15,
there are two methods of evading the per-day payment limit:
\begin{itemize}
\item Simply zero-out the amount of money spent today, or
\item simply alter the day-of-the-month field to a different day.
\end{itemize}
Both options might cause problems in case the terminal does consistency checks
with the transaction log. So it would be wise for an attacker to also modify
all purchases in the transaction log to appear as if they were made on a
previous day.
\section{Lessons Learned}
Based on this research as well as publicly known information the
technical and procedural decision in the EasyCard system, a series of mistakes with cumulative effect can be identified.
\subsection{Use state-of-the-art building blocks}
The Taipei Smart Card corporation (predecessor to the EasyCard Company) was
established in 2000, and it took until June 2002 to deploy the first EasyCard
system.
The underlying Mifare Classic product was launched in 1994, and thus already
relatively old and outdated technology at that time.
It was publicly documented by NXP that the security of the system is based on a
{\em proprietary, symmetric, 48bit cipher}. Symmetric 48-bit encryption
was definitely no longer state-of-the-art in the year 2000. At that time,
the popular web-browser Netscape Navigator (used e.g. for web-based online
banking) had already introduced support for symmetric 128bit ciphers.
\subsection{Review proprietary technology}
There are two concepts of achieving security in any system: {\em Security by
design} and {\em Security by obscurity}.
In the former systems, security is achieved by using well-designed systems
that have undergone public peer review and have been subject to cryptanalysis.
As a result, the system is secure because it has undergone the review and
scrutiny of the international community of cryptographers and security experts.
So, despite making all details of the system, particularly the cryptographic
algorithms open, an attacker is not able to circumvent the system's security.
A system relying on {\em Security by obscurity} is only secure because
nobody knows the details of how it works. As soon as this information
has either leaked or recovered e.g. using reverse engineering techniques,
the system is broken.
FIXME: Link to Bruce Schneier
\subsection{Consider academic results}
Starting in 2007, researchers have published a variety of attacks on
the CRYPTO-1 cipher and MIFARE Classic system. For a list of related
publications, see the bibliography of this paper.
Following-up the scientific publications, tools implementing practical
attacks on MIFARE Classic have been developed and published. Such
tools implement a variety of attacks, including card-only key-recovery
attacks.
\subsection{Anticipate upgrade path}
In the same year the EasyCard was first deployed (2002), the supplier of the
MIFARE Classic system has already been shipping a much more secure system
called DESfire. The improvements include: 112-bit key length, and the use
of the internationally verified and audited DES algorithm in its 3DES variant.
Despite its availability for 8 years since 2002, the EasyCard corporation has
apparently never updated their system to a more secure card like the DESfire
card.
Based on the authors experience with the RFID card market, the price difference
of DESfire compared to MIFARE Classic has been on the order of USD 1 per card
from 2006 on.
So, in order to save USD 1 per each issued card, the EasyCard corporation has
artificially kept down the security level of their system, not catching
up with state-of-the-art commercially available technology.
\subsection{Limit fraud incentives}
The security of any system always has to be analyzed in the context of the
threat model, i.e. what can an attacker gain from compromising the system.
As the key derivation of the EasyCard is not (yet?) broken, it is thus
currently not possible to completely manufacture forged cards. However,
technically, cards can be re-charged without making actual payment for it.
As far as cards are only used for public transportation, the incentive
for fraudulent use is relatively small and contained. Also, the amount
of money for each transaction is relatively small.
Thus, while the author would still disagree, it might be the case that
the business risk analysis inside EasyCard Corporation would have deemed the
risk of fraud in the public transport sector as acceptable.
When such a card is used as an electronic payment system in stores where
goods of much higher value can be purchased, the threat model is quite
different, though.
The 2010 introduction of the EasyCard as means of payment in retail
stores -- while still relying on known-broken, 16 year old technology --
can thus only be seen as ignorant and incompetent.
It does not help that EasyCard corporation has to provide a full refund
and keep all deposits in a bank trust. It also doesn't help that fraudulent
use is detected using analysis of the transaction data long after it happened.
EasyCard fraud is simple to perform and will inevitably happen. Somebody
has to pay for the losses incurred due to fraud. Even if such losses
only reflect themselves in increased transaction fees for retail stores, in the
end it will be the consumer who pays them indirectly due to higher prices
including such fees.
\section{EasyCard improvement potential}
The author of this paper argues that use of the current EasyCard system
should immediately be restricted to payment for public transportation,
and the decision to authorize it as form of payment in retail stores
as of April 1st, 2010 reverted.
A new system, based on state-of-the-art technology and algorithms
and the {\em Security by Design} principle should be developed. Such
a system should go through independent, open academic review.
The approval of such a system, or technical security requirements for
such a system should not be within EasyCard itself, but should be
made by a regulatory authority, consulted by independent technical experts
in the field.
A changing roll-over to the new system can be made by starting to issue
the new cards using a more secure RFID system whenever new EasyCards are
bought. Whenever a consumer wants to re-charge their card, the old MIFARE
Classic based card should be retracted and a new, more secure card be issued.
Existing EasyCards can be circulated in the system for a grace period.
Depending on the technical details of the existing deployed RFID
reader/terminal base in public transportation and retail stores, either
a software-only update is sufficient or replacement hardware has to be
introduced.
EasyCard corporation should be liable for the complete system
upgrade/transition cost, as the fault of the system can only be blamed
on them.
\section{Credits}
The author of this paper expresses his gratitude to the many people
involved in trying to uncover the weaknesses of proprietary and ultimately
insecure RFID systems worldwide.
\begin{description}
\item[Milosch and Brita Meriac]
for their great work on OpenPCD and OpenPICC
\item[Henryk Ploetz, Karsten Nohl, starbug]
for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil
\item[Jonathan Westhues]
for designing and openly publishing the Proxmark
\item[Mate Soos and Karsten Nohl]
for their results on exploiting CRYPTO1's statistical wekanesses using SAT solvers
\item[Nethemba]
for the Open Source implementation of the nested key attack in MFOC
\item[Roel Verdult]
for his research on RFID security at Radboud University and libnfc
\item[Nicolas T. Courtois]
for his {\em darkside} paper
\item[Andrei Costin]
for his Open Source implementation of the darkside paper (MFCUK)
\url{http://andreicostin.com/}
\end{description}
%%%%%%%%%%%%%%%%%%%
\bibliographystyle{unsrt}
%\bibliographystyle{splncs}
{\raggedright
\bibliography{RFID}
}
%%%%%%%%%%%%%%%%%%%
%\section{Bibliography} % FIXME: Merge with LaTex bibliography in RFID.bib
%1. [WPMCC09] - "Wirelessly Pickpocketing a Mifare Classic Card"
%2. [ESO08] - "2008-esorics.pdf" %mifare-attack-esorics
%3. [ESOSL08] - "2008-esorics-slides-updated.pdf"
%4. [KON08] - "2008-koning-thesis.pdf"
%5. [VER08] - "2008-verdult-thesis.pdf"
%6. [PATMC] - "A Practical Attack on the MIFARE Classic.pdf"
%7. [NCOURFIDSEC09] - "mifare_courtois_rfidsec09.pdf"
%8. [MFCLTRB09] - "MifareClassicTroubles.ppt"
%9. [TEEP08] - "p2008-teepe-classic_mistakes.pdf"
%10. [RFIDSANJ] - "RFID Attacks_WCA_San_Jose.pdf"
%11. [ROSS] - "rossum-mifare.pdf"
%12. [PLOTZ08] - "SAR-PR-2008-21_.pdf"
%13. [ROSSSASG] - "SASG35_Peter_v_Rossum_Mifare.pdf"
%14. [DARK2009] - "THE DARK SIDE OF SECURITY BY OBSCURITY and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
\end{document}
|