Transport for London says it remains confident in the
security of the Oyster card after researchers published details on
how tohack the card's chip.
"We take fraud and the security of personal data extremely
seriously and constantly review our security procedures," a
spokesman said.
Researchers from the Dutch Radboud University published
cryptograpic details of how they duplicated an Oyster card at
the Esorics security conference in Spain on Monday.
The team intercepted the communication between chip and reader
on the London underground and cloned a card to enable free travel
in April.
NXP
Semiconductors, maker of the underlying
Mifare Classic chip used by Oyster and other public transport
and building access systems, tried to block publication of the
research.
In July,
a Dutch judge gave the academics the go-ahead to publish,
ruling that it was covered by rights to freedom of expression.
Bart Jacobs, professor of computing security at Radboud
University, said the aim of publishing the research was to enable
organisations to evaluate the seriousness of the vulnerability.
Transport for London (TfL) said a fraudulent card would be
identified within 24 hours of being used and blocked.
"The MiFare Classic chip is just one part of a number of
security features of the Oyster card system," the spokesman
said.
There has been no official confirmation that the chip technology
is under review, but TfL announced in August it was to end the
contract with TranSys, the contractor responsible for running
Oyster.
TranSys said in a
statement that Tfl had invoked a break clause to end the
contract with TranSys five years early in 2010.
"The London transport system has changed dramatically over the
past ten years," the statement said, indicating the possibility of
a technology review.