Trying to pay by card at Maynooth

dillo2k10

Is there any specific reason that stores on Campus don't accept cards?
Specifically Londis!

I know it isn't the most important issue but I think it's a bit stupid that you can't pay by card.

On positive while Im thinking about it I think its cool that you can take €10 from the ATM at Maynooth any other ATM Iv been to you need to take a 50 or 20


But seriously they should really get some card machines in londis and the pheonix.

Dr. Nguyen Van Falk

i could be mistaking but think rob said that in the future students would be able to pay using their student cards for shops on campus(as well as for printing an photocopying), and u could top this up at points around campus. im open to concretion on that though.

the only reason i can think that they don't is that the shop is only busy in between lectures, at which point it is really busy and they want the que to move as fast as possible because people are trying to get to lectures etc

banquo

I completely agree. It's a small issue but I've always thought that everything should be as easy as possible.

Single student card coming soon, can be topped up by ATM, online banking, or though machines around campus - these machines take coins, notes and card.

Eric Cartman

The companies that process the card transactions take a fee every time a card is used, in a massive chain like tesco that fee is as low as 1-2 cent a transaction but in a smaller franchise based situation like the SU shop the fee would be somewhere in the 60 cent to 1.30 mark due to the low frequency and amounts of transactions, so the SU would have to only allow laser transactions for a 10er or more like a lot of small shops do elsewhere, in all honesty , how many people (aside from smokers) spend more than a 10er at a time in the SU shop ? id imagine it would account for less than 5 transactions a day, thus not really viable.

dillo2k10

banquo wrote: »

I completely agree. It's a small issue but I've always thought that everything should be as easy as possible.

Single student card coming soon, can be topped up by ATM, online banking, or though machines around campus - these machines take coins, notes and card.

Oh that's good, I was actually thinking about something like that q few weeks ago when an American friend said that's what they do in her college.

Great idea ! Is there any idea of when this might be happening?

banquo

Sure, hopefully the end of March. It was supposed to be mid-February but it turns out there are certain times you can't go out to tender (I didn't know this) so the tender got delayed by a few weeks.

I was just down in WIT for USI National Council, they have the single card system there. Was drooling the entire time, it's so good. It just works.

Ostrom

As a former WIT head I can attest to its working goodness.

I remember the golden days of WITcard however. The civil engineers' room was above the old atrium, which was surrounded by WITcard vending machines (swipe and vend). Every so often the system went down (or some such technical failure), whereby the swiper got his sweets/crisps but wasn't charged.

The trick was to pool together, empty one backpack of books and proceed in groups before the administrators copped on.

Eric Cartman

no im trying to think of names for the new card

paynooth

chargemaster extreme

FUNd SUcker

PDSDIDFS (Please dont say declined im dyin for a smoke)

or if the card is mifare classic call it BEEP ( basic encryption (exploits published))

Alt_Grrr

Eric Cartman wrote: »

the card is mifare classic call it BEEP ( basic encryption (exploits published))

After Rob told me it was said card and I explained to him how mentally retarded it was (Its as good as affixing the contents of your wallet to your back with blu tack and hoping that nobody helps themselves while your not looking), what I got back was "....so?"

compromising students information and money for the sake of minor convenience is not worth any of this systems supposed benefits.

CaoimH_in

Can we call it Checkers?

Richard Nixon had a dog named Checkers.

[/Python Quote] Also, if thats what Rob told you I'm disgusted. Foolish, ignorant behavour.

Eric Cartman

CaoimH_in wrote: »

Can we call it Checkers?

Richard Nixon had a dog named Checkers.

cards hacked easily causing kranky easily robbed students

Eric Cartman

Alt_Grrr wrote: »

After Rob told me it was said card and I explained to him how mentally retarded it was (Its as good as affixing the contents of your wallet to your back with blu tack and hoping that nobody helps themselves while your not looking), what I got back was "....so?"

compromising students information and money for the sake of minor convenience is not worth any of this systems supposed benefits.

while ill agree, I can see his point in some way , you have to factor the cost of a better system into this , and to be fair, compared to chip and pin , mifare classic cracking is about as successful as robbing a bank with a dildo , yet we still use chip and pin for our normal bank cards

dillo2k10

Alt_Grrr wrote: »

After Rob told me it was said card and I explained to him how mentally retarded it was (Its as good as affixing the contents of your wallet to your back with blu tack and hoping that nobody helps themselves while your not looking), what I got back was "....so?"

compromising students information and money for the sake of minor convenience is not worth any of this systems supposed benefits.

Surely students will have a choice as to weather or not they put money on it? Its also for use on campus (I think so anyway) so its not like people can go spend thousands on the cards. Theres also cameras at most of the tills so they would easily be caught.

Id like to know if it will work with existing cards or if we need to buy a new one and if there will be any charges.

Alt_Grrr

dillo2k10 wrote: »

Surely students will have a choice as to weather or not they put money on it?

Yes, they do have a choice, but the cards are clone-able (in other words I can make a blank card which behaves like your card)

dillo2k10 wrote: »

Its also for use on campus (I think so anyway) so its not like people can go spend thousands on the cards. Theres also cameras at most of the tills so they would easily be caught.

Physical security has not stopped this happening in DIT or AIT, the MiFare Classic Card is trivial to clone and then top up, the real losers out of this would be campus shops who can lose out in fraudulent transactions and the university which is hoping to make some money off this system.

hopefully they don't tie it into building access or we're all fecked.

dillo2k10 wrote: »

Id like to know if it will work with existing cards or if we need to buy a new one and if there will be any charges.

Rob explained this in an earlier post, new student cards issued have the MiFare rfid chip installed and that when the system is rolled out, students can upgrade old cards free of charge.

Ostrom

Alt_Grrr wrote: »

After Rob told me it was said card and I explained to him how mentally retarded it was (Its as good as affixing the contents of your wallet to your back with blu tack and hoping that nobody helps themselves while your not looking), what I got back was "....so?"

compromising students information and money for the sake of minor convenience is not worth any of this systems supposed benefits.

Never heard once of any such issue in WIT. In fact, coming to NUIM I was struck by how nonsensical it was to have separate payment methods - it took me a while to get used to the sheer inconvenience.

With my WITcard, I loaded about 20 euro a visit, and that meant no messing around with copy cards, no separate card to borrow books, no separate cards for public PC printing, no change needed for the vending machines, no need to reach into my walllet in the canteen, no need for change in the college bar. If your card was lost, you called straight into student services who suspended your account and issued a new unique card. Everything from cans of coke to sheets in the printer was deducted in real time, with your balance displayed.

In fact, it was considered strange by most of us not to regularly use your WIT card. Also got an automatic 5-10% reduction on food across campus, so I saved quite a bit.

Also, our cards were uniquely tied to building access, so the dirty first years couldn't get into our new shiny CAD lab

Alt_Grrr

efla wrote: »

Never heard once of any such issue in WIT.

The security problems were first shown to me by a WIT student, who pointed all of these problems out in a project of his.

The last big hack in MiFare Classic was around 2008, (explained here) since then its trivial to break into them.

I've seen the DIT version broken in just the same way as the WIT system. (That was one students final year project)

But it is possible to have a secure rfid card, the new leapcard uses a different and more secure MiFare version
(the leap card itself has an implementation of triple-des, a common encryption standard built in, where as the classic card uses its own dreamed up cryptographic system called crypto-1)

I know DIT are looking to migrate to a more secure system. while NUIM who are probably well aware of the security problems with the MiFare Classic system, still decided to buy into it, rather then a more secure alternative.

efla wrote: »

In fact, coming to NUIM I was struck by how nonsensical it was to have separate payment methods - it took me a while to get used to the sheer inconvenience.

With my WITcard, I loaded about 20 euro a visit, and that meant no messing around with copy cards, no separate card to borrow books, no separate cards for public PC printing, no change needed for the vending machines, no need to reach into my walllet in the canteen, no need for change in the college bar. If your card was lost, you called straight into student services who suspended your account and issued a new unique card. Everything from cans of coke to sheets in the printer was deducted in real time, with your balance displayed.

In fact, it was considered strange by most of us not to regularly use your WIT card. Also got an automatic 5-10% reduction on food across campus, so I saved quite a bit.

Also, our cards were uniquely tied to building access, so the dirty first years couldn't get into our new shiny CAD lab

I'm stuck by how idiotic it is to use these for building access, since its possible to clone somebodies card without ever having physical access to it.

Ostrom

Alt_Grrr wrote: »

The security problems were first shown to me by a WIT student, who pointed all of these problems out in a project of his.

The last big hack in MiFare Classic was around 2008, (explained here) since then its trivial to break into them.

I've seen the DIT version broken in just the same way as the WIT system. (That was one students final year project)

But it is possible to have a secure rfid card, the new leapcard uses a different and more secure MiFare version
(the leap card itself has an implementation of triple-des, a common encryption standard built in, where as the classic card uses its own dreamed up cryptographic system called crypto-1)

I know DIT are looking to migrate to a more secure system. while NUIM who are probably well aware of the security problems with the MiFare Classic system, still decided to buy into it, rather then a more secure alternative.



I'm stuck by how idiotic it is to use these for building access, since its possible to clone somebodies card without ever having physical access to it.

You might be overestimating our cloning capabilities (of which I know nothing).

In any event, aren't such instances likely to be a small minority? Is demand for weekend access to the biosciences building really so intense? Surely most will, with appropriate recommmendation, carry small amounts of cash? You make it sound as if such systems lead to unmitigated chaos, when the sheer amount of simple benfits outweigh any such incidents (again, I'm assuming minority).

Alt_Grrr

efla wrote: »

You might be overestimating our cloning capabilities (of which I know nothing).

I'm not over stating the ability of these cards to be cloned, not in the slightest.

efla wrote: »

In any event, aren't such instances likely to be a small minority?

Like with all technology, these hacks start out small, but its now within the reach of every student. you just need the hardware to read and write to the cards, which is cheap (€40 - €75) and freely and legally available and some blank cards if you want to clone them. You don't even need to see the victims card, I've seen readers which can pick up rfid cards from 20 feet away

efla wrote: »

Is demand for weekend access to the biosciences building really so intense?

I think access to facilities like these should not be switched to these new cards, the university has samples of MRSI, hepitis B and supplies of explosives and radioactive materials stored in buildings on the campus. I'd rather not make it easy to get past the first layer of security (the front door)

efla wrote: »

Surely most will, with appropriate recommmendation, carry small amounts of cash? You make it sound as if such systems lead to unmitigated chaos, when the sheer amount of simple benfits outweigh any such incidents (again, I'm assuming minority).

Well there are a number of attacks,

DIT has a system like WIT, where each student has a card and can add money to the card and a central sever logs almost-all transactions and tallies accounts.

one attack I saw in DIT was simply cloning a students card and altering the purse value (amount of money) on the card,
this allowed them to make transactions which were greater then the amount on the original card and student who's card was cloned ended up with an account in deficient. Since a lot of transactions aren't verified by the server first, only tallied after.
it assumed the amount the card says it has is the same as amount in your account and never bothered checking. I understand they half fixed this problem in DIT (by checking every transaction and never allowing accounts into deficit) but that doesn't stop the cloning.

In this demo they paid the student's deficient and the person giving the demo returned all the items they bought.

I'm not against the idea, I'm sure it'll be great when its all in place, but I'm against the implementation, more secure options were simply ignored.

Ostrom

Alt_Grrr wrote: »

I'm not over stating the ability of these cards to be cloned, not in the slightest.



Like with all technology, these hacks start out small, but its now within the reach of every student. you just need the hardware to read and write to the cards, which is cheap (€40 - €75) and freely and legally available and some blank cards if you want to clone them. You don't even need to see the victims card, I've seen readers which can pick up rfid cards from 20 feet away



I think access to facilities like these should not be switched to these new cards, the university has samples of MRSI, hepitis B and supplies of explosives and radioactive materials stored in buildings on the campus. I'd rather not make it easy to get past the first layer of security (the front door)



Well there are a number of attacks,

DIT has a system like WIT, where each student has a card and can add money to the card and a central sever logs almost-all transactions and tallies accounts.

one attack I saw in DIT was simply cloning a students card and altering the purse value (amount of money) on the card,
this allowed them to make transactions which were greater then the amount on the original card and student who's card was cloned ended up with an account in deficient. Since a lot of transactions aren't verified by the server first, only tallied after.
it assumed the amount the card says it has is the same as amount in your account and never bothered checking. I understand they half fixed this problem in DIT (by checking every transaction and never allowing accounts into deficit) but that doesn't stop the cloning.

In this demo they paid the student's deficient and the person giving the demo returned all the items they bought.

I'm not against the idea, I'm sure it'll be great when its all in place, but I'm against the implementation, more secure options were simply ignored.

I'm sure it is as you say, I just cant imagine a significant amount of university students (outliers of pricks aside) engaging in such a level of organised crime with potentially serious consequences (i.e. expulsion / coviction) as would render the system unworkable.

I'm sure it appears intuitive for you - and I dont know how representative I am of a typical students technical knowledge - but it seems like an awful lot of high risk trouble to go to for change.

Alt_Grrr

efla wrote: »

I'm sure it is as you say, I just cant imagine a significant amount of university students (outliers of pricks aside) engaging in such a level of organised crime with potentially serious consequences (i.e. expulsion / coviction) as would render the system unworkable.

I'm sure it appears intuitive for you - and I dont know how representative I am of a typical students technical knowledge - but it seems like an awful lot of high risk trouble to go to for change.

Well the handy thing for security researchers and these students was, it was "research". Once you peel back the layers, these things are very simple.

Do I think students will abuse this system?, yes, both at launch (I'm 99% sure that a fourth year in CS will make breaking it their Final Year Project, in the past another fourth year proved that the security on the campus wifi was pants) and as the information disseminates others will get in on the act.

Just look at the eircom Wi-Fi thing, if I explain to you how eircom's automatically default passwords for their wireless routers were generated and how by looking at the network name, who you could figure out the password, you might not understand it, but when the information is everywhere and people make phone apps to allow you to connect to your neighbours eircom router, then your in on the act too.

this type of information on the mifare classic cards and its weaknesses has been in the public sphere for years and attacks are becoming more common.

A more secure card would at least stand a better chance.