
RFID Bank Cards messing with Oyster Card

  • 13-06-2013 12:03pm
    #1
    Registered Users Posts: 7,500 ✭✭✭


    I recently got a batch of new debit and credit cards which are all RFID enabled for contactless payments.

    This has started causing trouble for my Oyster card. A lot of the time I need to take it out of my wallet in order to swipe it.

    Anyone have any tips to shield the oyster card from the rest of the cards?


Comments

  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,024 Mod ✭✭✭✭Fysh


    I recently got a batch of new debit and credit cards which are all RFID enabled for contactless payments.

    This has started causing trouble for my Oyster card. A lot of the time I need to take it out of my wallet in order to swipe it.

    Anyone have any tips to shield the oyster card from the rest of the cards?

    TBH, my solution to this has been to give my bank grief about it and demand RFID-free bank cards. I don't want NFC payment mechanisms and they have consistently failed to tell me ahead of issuing the card that RFID tags are in the new cards by default. Cue angry phone call, apologetic/helpful phoneline person, and a new RFID-free card in about a week's time.

    Given the various security issues present with the current NFC payment mechanisms offered by UK banks, I strongly advise you to follow suit. Shielding isn't a bad idea, but unless you want NFC payment ability it's adding a needless (and verified) security hole to your financial arrangements.

    (Edited to add: I've added this to the FAQ as it's a ballache that every bank seems intent on forcing upon us, so forewarned is forearmed...)


  • Registered Users Posts: 5,166 ✭✭✭enda1


    Fysh wrote: »

    (Edited to add: I've added this to the FAQ as it's a ballache that every bank seems intent on forcing upon us, so forewarned is forearmed...)


    I don't agree that your scaremongering should be reflected in this forum's FAQ. It doesn't represent the views of the community at large and there is not general consensus about the legitimacy of the threat.


  • Registered Users Posts: 657 ✭✭✭exiledelbows


    The only solution I've found is keeping Bank and Oyster cards on opposite sides of my wallet. It's now just a habit of mine to open the wallet out to swipe my Oyster knowing I'm keeping my bank card away from the reader.

    I agree with Fysh in that I hate the cards and get very pissed off with bar and retail staff who automatically swipe my card without me asking. However, I've kept mine because my gf very occasionally loses/misplaces her Oyster on a night out, and I like the peace of mind of just being able to swipe her onto a nightbus for a nominal fee rather than worrying about having cash on me.

    I haven't seen the updated FAQ yet, but I know that this was featured on Watchdog recently so there's quite a rump of people in London who have a problem with them.


  • Registered Users Posts: 7,500 ✭✭✭BrokenArrows



    I agree with Fysh in that I hate the cards and get very pissed off with bar and retail staff who automatically swipe my card without me asking. However, I've kept mine because my gf very occasionally loses/misplaces her Oyster on a night out, and I like the peace of mind of just being able to swipe her onto a nightbus for a nominal fee rather than worrying about having cash on me.

    I also wasn't aware that the machines could actually debit my contactless debit/credit cards.

    So when I place my wallet against the reader it could debit any one of my Oyster, debit or credit cards?

    That's a bit of a bollix.


  • Registered Users Posts: 5,166 ✭✭✭enda1


    I also wasn't aware that the machines could actually debit my contactless debit/credit cards.

    So when I place my wallet against the reader it could debit any one of my Oyster, debit or credit cards?

    That's a bit of a bollix.

    Only on the buses can you use contactless cards to pay. Tube is Oyster only.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,024 Mod ✭✭✭✭Fysh


    enda1 wrote: »
    I don't agree that your scaremongering should be reflected in this forum's FAQ. It doesn't represent the views of the community at large and there is not general consensus about the legitimacy of the threat.

    I'd agree with you if banks were upfront about the potential issues with the tech or the fact that they're making it the default option for all new debit cards.

    They're not, though. RFID payment technology is not widely used except in repeatedly-compromised public transit ticket systems (if you don't believe me, do some research about the continued exploits on the RFID systems used by the likes of the Boston subway, the Amsterdam subway, or on a more general basis that includes the Oyster card, the Mifare Classic chip). So it would be entirely reasonable for someone moving here from elsewhere to be caught by surprise by its presence.

    I think it's exceptionally disingenuous to say that I'm scaremongering by pointing out an existing security exploit that's included by default in people's debit cards.

    Edited to add: For context, I'm a sysadmin by profession. IT system security is part of my purview and something in which I take a keen interest. I don't tend to trust any given bank's statements about its IT security without independent 3rd party verification, because I've read enough stories like this or this. I've also seen first hand on more than one occasion what happens if you haven't got rigorous plans and procedures in place to deal with all sorts of potential problems (for example, a colleague of mine once made an understandable mistake while processing account deletions in Active Directory that created over a week's worth of overtime for a 12-person team which should have been resolved with a 30-minute job for a server engineer - except the server engineer who took the call didn't know about that option and assumed a full restore-from-tape backup was required....). So I take the attitude that it's compromised in some fashion, unless I see papers from a combination of academics, independent security consultants and the kind of greyhats who write for 2600. Your mileage may vary.


  • Registered Users Posts: 2,923 ✭✭✭Playboy


    I like contactless.. saves me time. Bank will refund me in the case of fraud so not too worried about security issues. As another poster said I keep my oyster and bank cards on opposite sides of my wallet to get around the issue of double payment


  • Registered Users Posts: 1,089 ✭✭✭Louche Lad


    The only solution I've found is keeping Bank and Oyster cards on opposite sides of my wallet. It's now just a habit of mine to open the wallet out to swipe my Oyster knowing I'm keeping my bank card away from the reader.
    Playboy wrote: »
    I like contactless.. saves me time. Bank will refund me in the case of fraud so not too worried about security issues. As another poster said I keep my oyster and bank cards on opposite sides of my wallet to get around the issue of double payment

    Or just keep two wallets — I have one with my Oyster and cash, and another one with my bank cards. This also means if I ever lose a wallet I'm not stranded.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,024 Mod ✭✭✭✭Fysh


    Playboy wrote: »
    I like contactless.. saves me time. Bank will refund me in the case of fraud so not too worried about security issues. As another poster said I keep my oyster and bank cards on opposite sides of my wallet to get around the issue of double payment

    The real issue for me is that the number of vulnerabilities that most widely-used RFID-based systems have, and the removal of the "something you know" test, mean that it can be much easier for a bank to claim negligence and refuse to accept a fraud claim. The occasional additional security check requiring a PIN was originally going to be for transactions of £10 or more but is now £20, and it's not obvious from many providers how often this will be applied (i.e. how many anonymous transactions can take place between successfully authenticated transactions). And that's before the issue raised upthread comes up, where you've got more than one RFID-enabled card in the same wallet.

    I do appreciate that it can be faster if you're used to it and shopping somewhere set up with it (the comparison between using a ticket and using Oyster on the Tube, for example) but most times I've seen NFC payment in operation it's been no faster than a Chip & PIN transaction. Gaining a small reduction in transaction time in exchange for significantly increasing the attack surface of your financial system is a poor trade-off, IMO.


  • Registered Users Posts: 3,294 ✭✭✭Jack B. Badd


    Faraday cage wallet (you'll want to include an external pocket for your Oyster card) - http://howto.wired.com/wiki/Make_a_Faraday_Cage_Wallet

    Or you can buy posh ones with leather & whatnot. It's amazing what you can find on the Internet :-)


  • Registered Users Posts: 4,047 ✭✭✭afatbollix


    Oyster will be gone in 5 years; it's all going contactless. A mate of mine is on the TFL team bringing it in. So maybe having one card that is contactless might be a good idea.


    Also, if you worry about security, Oyster is contactless; have you had all your funds scammed from your Oyster?


  • Registered Users Posts: 7,500 ✭✭✭BrokenArrows


    afatbollix wrote: »
    Also, if you worry about security, Oyster is contactless; have you had all your funds scammed from your Oyster?

    Ya, but you can only spend it on travel and it's a limited amount of money.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,024 Mod ✭✭✭✭Fysh


    afatbollix wrote: »
    Oyster will be gone in 5 years; it's all going contactless. A mate of mine is on the TFL team bringing it in. So maybe having one card that is contactless might be a good idea.


    Also, if you worry about security, Oyster is contactless; have you had all your funds scammed from your Oyster?

    Oyster's current system uses the Mifare Classic chip, which has been known to have broken security for years. A whole bunch of other transport networks have used the same cards, despite the growing ease of exploiting them. For instance, it's now possible to exploit certain Mifare-Classic-based cards with an Android application, assuming you've got the right phone.

    I can think of anti-fraud measures that would probably help fight this, but that will merely push attackers in a different direction - the current use is basically the Mifare Classic equivalent of phreaking (getting free phone calls by exploiting telephone system control codes). If that gets harder, but attackers can still trivially read/write card contents, then the next step is to start writing new account identifiers to the cards - at which point other people will start seeing their tickets/credits being misused. Yes, additional data is required to do this reliably from an attack perspective, but when we're talking about systems still using the Mifare Classic chip despite its crap security, how much faith do you have in their computer security in other areas?

    It's no good saying that the new contactless systems will axiomatically be better either - as the technology advances, it becomes easier to carry out attacks as well as improve security. NFC hardware is gradually being rolled out to new phones, which will mean that the security implications of any exploit (like, say this one from last year, which is still only really a proof-of-concept) will be easily exploited in a similar fashion.

    Assuming that "it hasn't happened yet, therefore it won't" is like saying "well, I've not been hit by a car thus far in my life so I'll just stop looking both ways before crossing the street". Security issues in financial systems are by definition high-impact, which means that even a low-probability issue still has an overall high severity.


  • Registered Users Posts: 91 ✭✭londonbus


    Fysh wrote: »

    They're not, though. RFID payment technology is not widely used except in repeatedly-compromised public transit ticket systems (if you don't believe me, do some research about the continued exploits on the RFID systems used by the likes of the Boston subway, the Amsterdam subway, or on a more general basis that includes the Oyster card, the Mifare Classic chip). So it would be entirely reasonable for someone moving here from elsewhere to be caught by surprise by its presence.

    Except Oyster doesn't use Mifare Classic anymore:

    Since December 2009 all new Oyster cards use MIFARE DESFire EV1 chips. From February 2010 MIFARE Classic-based Oyster cards were no longer issued


    http://en.wikipedia.org/wiki/Oyster_card


  • Registered Users Posts: 3,294 ✭✭✭Jack B. Badd


    Unless they've replaced all the pre-2010 cards with new ones (which they haven't, at least in my case), then it's still an issue.

