Security Review: ‘taspo’ RFID cards for cigarette vending machines
Being a frequent visitor to Japan and thus knowing its people and culture fairly well, I thought it’d be appropriate for me to conduct a review on the new ‘taspo’ RFID cards which Yoshi also mentioned a while back. The ‘taspo’ cards are being introduced in Japan in an attempt to reduce underage smoking. They are to be used with cigarette vending machines.
For those that have never been to Japan, vending machines are abundant there and are used for many, many things besides just drinks or snacks. (I’ve also seen alcohol vending machines). To attain a ‘taspo’ card, a person of 20 or older must apply via a process which I assume to be similar to as getting a driver’s license here. The card is printed with the member’s picture and the membership number. Also, it has the optional feature of being able to store money on the card and making payments to the vending machines through that. Since I didn’t research these cards too heavily and don’t know EXACTLY how they work, I’m going to make a few assumptions about how the they work. There’s a good chance that they work just like the new RFID credit cards since it has the ability to make purchases. Which means the vending machines themselves will probably be hooked up to ‘taspo”s main systems so that it can do the account balance logic (checking for sufficient funds, purchasing). I’m guessing the membership number is also sent either in the clear or after being encrypted.
Assets/Security Goals
-
To prevent the unauthorized usage of the members’ funds in the cards
- To prevent the purchases of cigarettes from vending machines from minors.
Potential Adversaries/Threats
- A non-technical minor wanting to bypass the age requirement.
- A non-technical person wanting to buy cigarettes without paying.
- A technical person with the ability to read cards and duplicate them. This person could also setup a market to sell illegitimate cards to minors.
Weaknesses
- Perhaps easy to lose, since this is yet another card people will have to carry around.
- The account number being transferred could be intercepted if it’s not encrypted. Even if it is, a person with the right tools could duplicate the card, unless the cards also use something like the time to encrypt with the number.
Potential Defenses
- The nice thing is that the cards are tied only to your money account that can be used to buy only cigarettes so hopefully the amount of money you keep in there will be somewhat small. Also, I’m sure the company will enable canceling of the cards when they are reported lost/stolen.
- When making purchases with the card, they could make it so that the user would have to type in a PIN number as well.
I think that, for this circumstance, the risks are fairly small, especially since (at least to me) it seems like theft is extremely low in Japan. A person finding a card will most likely report it to the area’s lost and found or the ‘taspo’ company.
Here’s the link that contains info on these cards.
http://www.taspo.jp/english/taspo/Introduction.html
Comment by MC O'Connor
March 18, 2008 @ 6:10 pm
Hi,
I’m actually doing research on the taspo card and am hoping to interview a few smokers in Tokyo to get their feedback on the vending machine scheme–especially if they have also received a taspo card. Would you be able to connect me with anyone in Japan? I won’t need much of their time, just looking for citizens/users opinions. Please let me know and thanks!
(BTW: I also don;t know exactly how they work and havve questions about security etc, that I hope to get answers to fairly soon.)
Comment by Spider
September 17, 2008 @ 9:38 pm
Yes I agree, as in your quote below someone with technical knowledge would easily be able to duplicate and profit from duplication.
The account number being transferred could be intercepted if it’s not encrypted. Even if it is, a person with the right tools could duplicate the card, unless the cards also use something like the time to encrypt with the number.