11 Nov 2013

'Smart cards' not so smart

8:05 am on 11 November 2013

Thousands of Christchurch residents’ personal details could be at risk due to a security flaw with the city’s bus smart card.

A security researcher who goes by the handle “AmmonRa” highlighted a series of vulnerabilities in the card’s system which allow attackers to access the private information of hundreds of thousands of users.

AmmonRa presented his findings at the internet security conference Kiwicon over the weekend.

He said registering a card online with an email address and a six-digit number etched on the front gives a user access to the name, address, date of birth, and phone number given when the card was bought.

The sign-in form for the MetroCard website. Photo: Unknown

“In New Zealand, you could forge someone’s identity with that,” he said.

He told The Wireless that he found the flaws when he was trying to make a smaller card, and looked into how the cards were designed.

AmmonRa said anyone with the technical knowledge – and malicious intent – could write a programme to register all unregistered cards, and access those details.

“I haven’t done it because I don’t want to mess with everybody. But it’s trivial to do that kind of thing.”
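The flaw as described above comes down to one fact: the only proof of possession the registration form demanded was a six-digit number printed on the card, an identifier space of at most one million values, and a successful registration then returned the holder's stored details. The following is an added example, not MetroCard's or Environment Canterbury's code, that puts the weak flow beside a hardened one. It assumes a per-card activation code handed to the buyer separately from the card (derived here with an HMAC under a constructed server key so the example needs no extra storage), a per-client rate limit on registration attempts, and a response that never echoes holder details. The card records are constructed sample data.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data standing in for a card database, keyed by the
# six-digit number printed on the card front. Not real card records.
CARDS = {
    "000123": {"name": "Example Holder", "address": "1 Example St", "registered_to": None},
    "000124": {"name": "Another Holder", "address": "2 Example St", "registered_to": None},
}


def weak_register(card_id, email):
    """The flawed flow as the article describes it: the printed id is the only
    check, and a successful registration hands back the holder's details.
    Six digits give at most 10**6 ids, so this is sweepable by a script."""
    card = CARDS.get(card_id)
    if card is None or card["registered_to"] is not None:
        return None
    card["registered_to"] = email
    return {"name": card["name"], "address": card["address"]}


# Assumption for the hardened flow: each card is issued with an activation code
# given to the buyer (e.g. on the receipt), never printed on the card itself.
# Deriving it from the id under a server-side key is a convenience for this
# example; storing a random code per card works equally well.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def activation_code(card_id):
    """Server-side derivation of the per-card activation code (assumed scheme)."""
    return hmac.new(SERVER_KEY, card_id.encode(), hashlib.sha256).hexdigest()[:12]


# Per-client attempt log: at most MAX_ATTEMPTS registrations per WINDOW_SECONDS,
# which turns a one-million-id sweep from an afternoon into years and gives the
# operator a clear signal to alert on.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 600
_attempts = defaultdict(deque)


def _rate_limited(client, now):
    q = _attempts[client]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_ATTEMPTS:
        return True
    q.append(now)
    return False


def hardened_register(card_id, email, code, client, now=None):
    """Registration that requires the activation code, limits attempts per
    client, gives one uniform failure answer, and returns no holder details."""
    now = time.time() if now is None else now
    if _rate_limited(client, now):
        return {"ok": False, "reason": "rate_limited"}
    card = CARDS.get(card_id)
    # Compare in constant time, and compute the expected code even for unknown
    # ids so response timing does not reveal which ids exist.
    expected = activation_code(card_id)
    code_ok = hmac.compare_digest(code, expected)
    valid = code_ok and card is not None and card["registered_to"] is None
    if not valid:
        # Same answer for unknown id, wrong code and already-registered card.
        return {"ok": False, "reason": "invalid"}
    card["registered_to"] = email
    # The holder already knows their own details; the response need not repeat them.
    return {"ok": True}
```

In the hardened flow a guessed or swept card number alone buys nothing: without the activation code the call fails, repeated failures from one client are throttled, and even a correct registration returns no personal data to display.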

In 2011, there were more than 320,000 cards in circulation in Christchurch.

He said he reported the security flaw to Environment Canterbury, the group that oversees the bus network, three months ago, but nothing had been done.

“I can’t understand why they’ve chosen not to fix it,” he said, adding it would probably be an afternoon’s work for a technician. “There’s no reason not to.”

The technology in the card was released 20 years ago. Environment Canterbury had planned to upgrade it by 2011, but the plans were abandoned after the February earthquake.

Canterbury Regional Council's director of operations Wayne Holton-Jeffreys told Radio New Zealand's Morning Report they are taking it seriously and have shut down the website.

He says to the best of his knowledge, no one's personal information has been accessed.

AmmonRa also found a way to add and remove funds from cards. Though he hasn't tampered with others’ cards, he says others with the technical knowledge could do so.

AmmonRa told Kiwicon attendees to pay for the bus with cash, or at least register their smart card online so that no one else can do it.