27C3 - Version 1.6.3
27th Chaos Communication Congress
We come in peace
Speakers | |
---|---|
Harald Welte |
Schedule | |
---|---|
Day | Day 3 - 2010-12-29 |
Room | Saal 3 |
Start time | 20:30 |
Duration | 01:00 |
Info | |
ID | 4036 |
Event type | Lecture |
Track | Hacking |
Language used for presentation | English |
Feedback | |
---|---|
Did you attend this event? Give Feedback |
Reverse Engineering a real-world RFID payment system
Corporations enabling citizens to print digital money
How to reverse engineer the data format of a real-world RFID based debit card system.
One of Asia’s most popular electronic payment systems uses insecure technology. The EasyCard
system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system.