« HAC ID cards oral evidence 3rd Feb transcript online | Main | DVLA electronic Driving Licence consultation »

Foiling the Oyster Card

Many people are worried about the privacy implications of the new Transport for London Oyster Smart Card. This promises greater convenience (and some introductory discounted fares) for travel on London Underground railways and Bus services, at the cost of greater surveillance of individuals, since each Oyster Card is uniquely numbered, and has to be swiped at the start and end of each journey. This self tracking behavior is reinforced by the poster advertising campaign and the policy of charging the maximum possible fare unless you swipe the card past the reader at the end of your journey, not just at the start.

The season ticket versions of the card have name and address and credit card details associated with them. Even the new pre-pay cards, which are more anonymous, unless you use a credit card or choose to register the card, still have a unique tracking serial number which can be tied to the omnipresent CCTV Surveillance on London Underground, and increasingly even on London Buses.

The system uses contactless MIFARE based smart cards with distinctive yellow readers at Tube station barriers and on buses.

There is no authentication mechanism e.g. a Personal Identification Number as with "Chip and PIN" credit cards, it depends only on whether the Oyster card is within range of a reader, typically 10 centimetres or so for the readers currently deployed by Transport for London (which is far less than what the equipment is actually capable of). The only security against being accidentaly overcharged or having your private details read or associated with a particular Oyster Card by people operating their own MIFARE scanners, is to shield the Oyster Card from unwanted radio signals. These private details includes information about the last 10 or so trips that you have made, which is data stored directly on the card, and which will be available to the 3rd party retailers who come on board the "electronic purse" aspects of the scheme.

The MIFARE system uses one of the Industrial Scientific Medical licence free frequencies at 13.56 MHz, so it is not illegal for other people to have or to use their own reader equipment.

One way to preserve your privacy somewhat is to shield the Oyster Card with aluminium kitchen foil. This seems to block the readers on the charge up ticket machines even when only the back of the Oyster Card is shielded i.e. you have to remove the Oyster Card from the shielded holder for it to be read/charged up:

Foiling_the_Oyster_Card.jpg

Even if, like us, you do not think that non-Oyster Card readers are very common yet, there is still a case for shielding your Oyster Card. especially the pre-paid one which currently only operates in the central zones 1 to 3. If you travel into London from outside these zones, on a paper ticket which you present to the slot in a Tube ticket barrier on your right, you do not want money to be deducted from your zone 1 to 3 Oyster Card as well - it depends on your physical size as to how close the Oyster Card readers are to whatever pocket or handbag etc you keep your card in.

Similar use of aluminium foil to line pockets or handbags or shopping bags etc. will also block RFID tags on consumer items which have not been "killed" or disabled at the checkout (again, more of a potential problem in the future, rather than a big risk at the moment).

However, if you choose to use such radio frequency shielding techniques, be aware, that you currently run the risk of being suspected of carrying concealed weapons or explosives by the operators of the still rare but controversial "see under your, or your childrens', clothes" Passive Millimetre Wave Radar cameras and scanners being tested by the Police and other military security forces.

UPDATE:

We are getting visitors directed to this article via links from discussions about the security and privacy problems with the new US Biometric passport.

This involves some international "bait and switch" propaganda e.g. the US and UK governments claim "we have to introduce biometric passports because that is what the International Civil Aviation Organisation says we have to do."

Speak to anyone in the ICAO and they say "we are specifying biometric passports because the US and UK government were pushing this policy"

Biometric Passports need a chip inside them, and for some astonishing reason, probably to do with commercial lobbying, the ICAO has specified a contactless smartcard solution. All well and good, except that this is not a very tight specification, and the US Government, has chosen not to use any encryption in its passports, i.e. they have ignored all the technology and experience gained through the issue of millions of Mifare type contactless travel smartcards, like the Oyster card.

This means that US citizines will have their passport details secretely read , through their clothing or luggae, by unauthorised standard reader devices, some of which could be operating with more sensitive antenna and amplification in excess of the normal off the shelf equipment which has to obey local radio frequency allocation power limit regulations. This is a threat to the privacy of US citizens(and any other country stupid enough to copy the US system). In the worst case, there will be terrorist bombs and booby traps triggered by a specific individual's US Passport, or a generic "are there sufficient US passpoertholders in the imm3ediate area" type detonation command.

The way to overcome this is obviouslty to shield the passport in the same way as the Oyseter Card above. However the same laws of physics apply, so you cannot put the chip and antenna into the cover of the passport if you intend to shield it with aluminium etc.

You end up having to have a thickly laminated page, effectively a smartcard , bound into the passport booklet (border control visa ink pad stamps are not going to be phased out). You could then shield the covers of the passport booklet.

This means that instead of a convenient, rapid check like the Oyser card, such a passport will involve fumbling to get the covers ope to expose the smartcard page inside, and then presenting it to the reader device. Why on earth couldn't they have used a contact smartcard, like millions of "Chip and PIN" credit cards, or an optical barcode system, which can be read by laser without the risk of it ever being read secretly through your clothes or luggae by radio ?

If the US style passport is not shielded (still an option), and people go for the home brew or commercial (there must be millions of leather and other passport wallets on the market) shielded passport holder, then experience with the Oyster Card shows that you will have to remove the passport from this shielded wallet for it to work. Simply flipping it open will not be sufficient, especially if the offical passport readers are deliberately detuned to only work at a vey short range (so as not to get confused by the next people in the invetiable queue).

All the worries about "see under your clothes" snooping devices applies even more to such shielded passports - this equipment is being introduced in airports first, as it is still expensive. Therefore there will be a number of "false positives" where people are suspected of carrying weapons, explosives or drugs, simply on the basis of their shielded passport holders which will show up in high contrast aginst their "naked" bodies.

Obviously when this happens too many times, the security gurds will become lax, and criminals will start to smuggle small amounts of drugs, explosives or sharp weapons, within the shielded passport holder itself.

TrackBack

TrackBack URL for this entry:
http://www.spy.org.uk/cgi-bin/mt32/mt-tb.cgi/490

Listed below are links to weblogs that reference Foiling the Oyster Card:

» RFID in the London Transport "Oyster" cards from RFIDbuzz.com
Clearly, regulations must address potential abuse of a widespread identification system as the Oyster card is (most of London's frequent users of public transport already carry an Oyster card with them). In the mean time, the Spy blog recommends alumin... [Read More]

» Move right along from thehighrise
Yet again today I found myself hanging around at the head-scratching, companion-referring, square peg in round hole (read: extra-large piece... [Read More]

Comments

Interesting post.

I am generally a big fan of Oystercard - makes accounting for travel easier, has the potential for intelligent fares (one day cards, loyalty etc).

The privacy issues are a concern and for me the issue is making the risks fully transparent and trying to ensure that no one is fooled.

Thanks for an interesting blog which I scan regularly!

any more info on jamming techniques would be appreciated

Thanks for your post. I too am not a great fan of giving out my personal details to all, specially to the likes of Ken L., who would only use it to track down your every move and think of ways to maximize his fares. As it is, too many organisations already have my details. I had thought that the prepay Oyster card would be ideal for me, now that I have been forced into using TFL (YUK!). Problem is, they won't sell me one unless I register. No amount of explaination works,even showing their leaflet which explains it. I do not mind paying the deposit, that makes sense. The idea of this card is great, only if it was'nt used to screw the poor defencless public. After all, it's only a glorified train ticket. (I await phone taps etc)

We certainly have not registered our pre-paid Oyster Cards. Perhaps it is worth trying to find some better trained staff at a different station ?

If you don't want to give your information to Uncle Ken, register with fake details. I did. Makes no difference whatsoever, and nobody has ever checked anything. I think I gave my real date of birth in case it's ever used as password verification or something, but that's it and I've never been asked for it anyway.

Great comments (thanks GOOGLE for bringing me here)

Im concerned with the subject though and thanks for making me aware.

One matter where there will be difficulty is (myself included) for the 'out of towners' who have to pay their TOC (train operating Company) for a zone 1 ticket (eg to get to VICTORIA) then, when passing through the gate, the OYSTER READER will deduct a zone 1 debit from the card when I have no intention to use the underground and then, on my return, will deduct another single on my way home - equating to paying for the zone 1 journey twice both ways when all I did was cross the border line.

On the other hand if I buy a train ticket from my TOC for a journey up to the zone 2 border (vauxhall) and then use my oyster card I will have to get off the train to validate it or may run the risk of payment avoidence claims.

Hmm another one of those amazingly good ideas thought up in an 'ivory tower' without any reference to whats going on on 'planet earth'

Maybe another attempt by Ken L to win the greater london travel franchise from Network Rail and the TOCS?

If so (and Ken if you are reading this) what a fiasco would have been last night (new years eve) if the unions had shut down the whole of greater london travel (if you do get to run the lot) based on their wish to renage on an earlier agreed terms and conditions?

I keep my Oyster Card in my leather wallet as opposed to the plastic wallet given free with it (and seen in the picture in the first post).

When I "touch in and touch out" it often doesn't work the first time I put the hidden face of the card in contact with the reader. Between the card and the reader there's one layer of leather and three thin silk layers (and sometimes a receipt, bank note, or something else).

The reader often flashes an error / unreadable message at me but, when pressing the wallet more firmly to the reader, it reads it okay and lets me through the barrier.

So, if it struggles to read the card through a bit of leather and paper, then surely there is little risk of it accidentally deducting money from the card when you're just walking past the barrier and the Oyster Card is in your pocket? Similarly, how would anyone sitting next to me on a train with a scanner read the information on this (or a passport, etc.). I guess a stronger (unauthorised) scanner would do this easily would it?

From my experience I see no need for protecting the card with foil or some other means. Has anyone else had similar experiences to me?

@ IanC - how can you tell if your Oyster Card (or any other contactless Smart Card in common use, like door entry passes or the forthcoming contactless / RFID ICAO standard Passports) has been sneakily read by an unuthorised scanner or not ? You cannot.

When the Oyster system was being tested prior to going live, they did have to turn down the power on the yellow readers, as they were picking up Oyster Cards from the adjacent Tube gates. The 13.56MHz ISM licence free radio signals can be legally used at a power setting which is adequate for "portal" applications i.e. a doorway wide enough for a person to walk through, like an airport metal detector scanned by a reader on one side i.e. somewhat wider than a Tube gate.

So even "legal" scanning equipment will pick up your Oyster Card at a distance 8 or 10 times the TfL implemented power setting.

An illegal scanner (which would not have to even be a modified one, only one designed to work in a country like the USA where higher power levels and/or more sensitive antenna are permitted) could do so at an even longer range.

Provided that the TfL equipment is maintained properly (not something that is certain), then, it is likely, that there is little risk of having money falseley deducted from your Oyster card by TfL.

However, when stage 2 of the project rolls out, with Oyster Card readers in third party company hands, for the Electronic Purse function "cashless shopping", then all bets are off.


In reading the oyster cars, is the whole card read, or is there a chip inside, Essentially i want to cut out the chip and stick it to the back of my wallet, i just thouht this would be less hassle, so please tell me if cutting the card would render the oyster inoperable

@ Boy-o-flex - the chip is quite small - it is about half a centimetre square in the upper right hand of the card level with the word oyster (blue side up). It is easeier to see the slight blemish in the plastic where it is embedded, on the reverse i.e. in the top left corner.

However there is also a wire loop antenna, which is vital for the radio link and for powering up the chip, which runs around the circumference of the card, again, about half a centimetre from the edge.

If you have really good scalpel skills you could probably do it without damaging the system, but what will it achieve ?

The antenna will not work properly if it is bent or folded, which is why it is held nicely in place by the thin plastic card.


Thanks a lot, for your advice, i realise it is not possible to do what i had planned

actually some of what you've said is crap
You don't need to take the card out of the plastic wallet for it to be charged or read. There is no need to get it out What so ever. Thus no body being able to see your card number...

@ Matthew - You seem to have entirely missed the point. Perhaps you should read the whole thread again.

We were talking about preventing accidental deductions of money, or sneaky remote reading / tracking by unauthorised reader equipment, of the electronic ID number in the Oyster Card, by use of a simple homemade aluminium foil radio frequency shielding
lining the standard plastic wallet as illustrated by the photo.


Post a comment