<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Security Review: Husky Cards with Smart Card Technology</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/</link>
	<description></description>
	<pubDate>Thu, 24 Jul 2008 10:56:50 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Karl Koscher</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4271</link>
		<dc:creator>Karl Koscher</dc:creator>
		<pubDate>Fri, 21 Mar 2008 11:50:20 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4271</guid>
		<description>I've been looking into the ORCA cards for over a year now, and what we know is kind of scary. The cards are ISO 14443-compliant, with a fairly short read range, so I wouldn't worry too much about surreptitious reads. What I do worry about is the fact that the card stores your last ten trips per transit agency, so someone with access to your card could determine where you've boarded the bus the last ten times. This could happen when you use another ISO 14443 card, like an RFID credit card, if you keep both in your wallet. Even more concerning is the fact that there will be a database of these transactions (which will likely keep the data for about six years, unless the law is changed), and UW will have access to it. So, they could easily track where you've been. They have talked about trying to do fraud detection by mining the data, but I think they've backed away from this plan.</description>
		<content:encoded><![CDATA[<p>I&#8217;ve been looking into the ORCA cards for over a year now, and what we know is kind of scary. The cards are ISO 14443-compliant, with a fairly short read range, so I wouldn&#8217;t worry too much about surreptitious reads. What I do worry about is the fact that the card stores your last ten trips per transit agency, so someone with access to your card could determine where you&#8217;ve boarded the bus the last ten times. This could happen when you use another ISO 14443 card, like an RFID credit card, if you keep both in your wallet. Even more concerning is the fact that there will be a database of these transactions (which will likely keep the data for about six years, unless the law is changed), and UW will have access to it. So, they could easily track where you&#8217;ve been. They have talked about trying to do fraud detection by mining the data, but I think they&#8217;ve backed away from this plan.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: alpers</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4126</link>
		<dc:creator>alpers</dc:creator>
		<pubDate>Wed, 19 Mar 2008 04:25:33 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4126</guid>
		<description>The big thing that Boriello was worried about was the fact that all of this information about when the card was used would eventually be transferred to a master database where it would be stored for *three months*.  I believe he and other professors from CSE drafted up a paper detailing the risks behind the original UW ID schematic.</description>
		<content:encoded><![CDATA[<p>The big thing that Boriello was worried about was the fact that all of this information about when the card was used would eventually be transferred to a master database where it would be stored for *three months*.  I believe he and other professors from CSE drafted up a paper detailing the risks behind the original UW ID schematic.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4026</link>
		<dc:creator>Robert</dc:creator>
		<pubDate>Mon, 17 Mar 2008 20:37:43 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-4026</guid>
		<description>Thanks for the comments.  The "tag" you see is actually a footnote marker that the system misinterpreted and I didn't fix. :)

It's very interesting to see the same concerns we have been talking about detailed in that article.  It is shocking to me that, even though only a serial number will be transmitted, the UW does not seem to understand the ability to cross-reference that serial number to an individual just by hanging out at a bus-stop with a reader.  Privacy is a serious concern to me but as I also pointed out fraud can also be a strong possibility and one that I do not know if the UW has contemplated.</description>
		<content:encoded><![CDATA[<p>Thanks for the comments.  The &#8220;tag&#8221; you see is actually a footnote marker that the system misinterpreted and I didn&#8217;t fix. <img src='http://cubist.cs.washington.edu/Security/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>It&#8217;s very interesting to see the same concerns we have been talking about detailed in that article.  It is shocking to me that, even though only a serial number will be transmitted, the UW does not seem to understand the ability to cross-reference that serial number to an individual just by hanging out at a bus-stop with a reader.  Privacy is a serious concern to me but as I also pointed out fraud can also be a strong possibility and one that I do not know if the UW has contemplated.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: nekret</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-3968</link>
		<dc:creator>nekret</dc:creator>
		<pubDate>Mon, 17 Mar 2008 06:58:24 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-3968</guid>
		<description>I wish there was some more information available on what information was going to be exchanged between the cards and the readers. If it was only a unique ID for that particular physical card, I wouldn't be too worried about tracking since a new card would end the ability of an adversary to track you. Unauthorized scans are still a bit of a problem which could be mitigated by one-time use codes programmed into the card.</description>
		<content:encoded><![CDATA[<p>I wish there was some more information available on what information was going to be exchanged between the cards and the readers. If it was only a unique ID for that particular physical card, I wouldn&#8217;t be too worried about tracking since a new card would end the ability of an adversary to track you. Unauthorized scans are still a bit of a problem which could be mitigated by one-time use codes programmed into the card.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: alpers</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-3960</link>
		<dc:creator>alpers</dc:creator>
		<pubDate>Mon, 17 Mar 2008 05:13:59 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-husky-cards-with-smart-card-technology/#comment-3960</guid>
		<description>I think you left a  tag open in here or something.  :P

Also, Prof. Boriello talked a bit about this on RainyDawg late last year, it was fun listening to his concerns about privacy there.  :)

http://thedaily.washington.edu/2007/10/15/what-about-radio-update-is-the-smart-card-too/</description>
		<content:encoded><![CDATA[<p>I think you left a  tag open in here or something.  <img src='http://cubist.cs.washington.edu/Security/wp-includes/images/smilies/icon_razz.gif' alt=':P' class='wp-smiley' /> </p>
<p>Also, Prof. Boriello talked a bit about this on RainyDawg late last year, it was fun listening to his concerns about privacy there.  <img src='http://cubist.cs.washington.edu/Security/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p><a href="http://thedaily.washington.edu/2007/10/15/what-about-radio-update-is-the-smart-card-too/" rel="nofollow">http://thedaily.washington.edu/2007/10/15/what-about-radio-update-is-the-smart-card-too/</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
