Records of journeys made by people using smart cards that allow 17 million Britons to travel by underground, bus and train with a single swipe at the ticket barrier are among a welter of private information held by the state to which MI5 and police counter-terrorism officers want access in order to help identify patterns of suspicious behaviour.

One solution being debated in Whitehall is an unprecedented unlocking of data held by public bodies, such as the Oyster card records maintained by Transport for London and smart cards soon to be introduced in other cities in the UK, for use in the war against terror. The Office of the Information Commissioner, the watchdog governing data privacy, confirmed last night that it had discussed the issue with government but declined to give details, citing issues of national security.

http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism/print

Now that the Oyster card can be hacked, we learn that MI5 thinks the system is good enough to assist in preventing terrorism.

The two situations don’t quite sync.

A report just published by Parliamentary Affairs looks into election monitoring during the May 2007 elections in England and Scotland and found problems – unsurprisingly.

However the one which was highlighted did not involve deep level hacking into electronic systems, or nefarious criminal intent – they simple provided a spreadsheet which was wider than the computer screen could display, and relied on the users to not notice the horizontal scroll bar at the bottom of the screen.

Votes initially missed due to an over-wide Excel spreadsheet changed the result in the Highlands and Islands and handed control of the Scottish Parliament from the Labour party to the Scottish National Party.

More here: http://dooooooom.blogspot.com/2008/03/observing-english-and-scottish-2007-e.html

Memo to those who wish to subvert democracy – stop trying to hack into secure(ish) electronic election platforms and just work out how to change the screen resolution on computers (hint, it’s in the settings option).

It seems that the RFID chip used in London Underground’s Oyster Card – supplied by former Philips subsidiary, NXP Semiconductor – has been hacked by researchers at the University of Virginia.

The researchers were testing the claims in a report for the Dutch government that hacking the travelcard would require at least $9,000 worth of hardware and would not be an easy prospect for at least two years. They have found that they can do the same job with a standard laptop computer and some cheap equipement.
It’s not clear yet what implications this has for Oyster card users, but presumably cards can be cloned by reading the RFID signal with a small device attached to the reader in quiet stations. You can then embed that into cloned cards and sell them as a way of getting free transport.

As journeys are logged, it is likely that unusual travel patterns would trigger fraud software and cut the card off – but that then in turn causes considerable inconvenience to the legit passenger.

At a time when we are preparing for the UK government to force us into some monolithic database and ID card scheme, this is a timely reminder of how nothing is ever really secure from being hacked.

Links:

University of Virginia press release