Comment on Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides
r00ty@kbin.life 1 year agoReading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I'd put money on the information they're holding back being details on the checksum algorithm.
masterairmagic@sh.itjust.works 1 year ago
Doesn’t having an account require an online system? By making the card authoritive you can build and offline system.
r00ty@kbin.life 1 year ago
It wouldn't need an account. The card can have all the data (in case it is used in an offline situation) but also have a unique serial number.
So when an official ticket machine charges the card, it also logs the balance/tickets on the card with that ID in a central database too. Yes, it needs to be "online" within their own network. But, I'd be concerned if a large city transit didn't have their own network already.
Whenever it is used, provided the ticket reader has a connection it would be verified against the stored record. If the connection is offline then it uses the local stored information.
I do wonder in a transit system like this what the advantage to an offline system is. If someone works out your "CRC32 except I xored the result with 1337" algorithm, then you're boned and a lot of kit is "offline" and thus cannot easily be upgraded too.