Feeds

Coventry fans blue over 'hackable' cashless payment system

Sick as a parrot

Beginner's guide to SSL certificates

Coventry City fans are worried about the security of a cashless payment card introduced at the football club's Ricoh Arena stadium this season.

The system, intended to reduce the time fans spend queuing at matches paying for food and beverages, is one of the first of its kind. However the technology behind the SkyBluePass is based on the MiFare Classic RFID chip, the same system used by Transport for London's Oyster card.

A security paper due to be presented at a conference in October will show how it might be possible for a hacker to use a wireless RFID sniffer device to read an Oyster card and use this data to create a cloned counterfeit version that can be used as if it was the original.

A member of the team who conducted research into the possibility of hacking the Oyster card confirms that the Ricoh Arena card is based on the same technology as Oyster and is therefore potentially subject to the same security flaws. Peter van Rossum, of Radboud University in The Netherlands, came to this conclusion after examining a Ricoh Arena card sent to him after El Reg put him in touch with Coventry City fan Ben Darlow, who was the first to raise concerns about the technology.

"The [SkyBluePass] card is indeed a Mifare Classic; the 1K variant, to be precise - that's the most commonly used variant. Except for a few sectors, that likely don't contain sensitive data, all sectors are encrypted. Of course, an attacker can decrypt them if he listens in on a communication between a reader and a tag, but without a reader this is as far as I can get," van Rossum said.

"There are ways that the system can make this harder for an attacker, but I've never seen a system where that's actually being done," he added.

van Rossum added that the use of the potentially vulnerable MiFare Classic chip on the Coventry City card is a particular concern "especially since Coventry City seems to be going to use this as some kind of electronic wallet and that could easily present an attractive target for criminals". The use of the MiFare Classic chip is an unnecessary security risk, according to van Rossum, who notes that there are "cheap and secure alternatives available".

Coventry City fan Darlow adds that Coventry appear to be using the same MiFare technology for the club's new season tickets, raising the concern that season ticket holders could be vulnerable to having their tickets cloned and stolen.

"At first I only thought the cashless payment system was vulnerable, but shortly before the first match of the season the club announced that all season ticket holders would be given £7 credit. When I went to the match I saw that this was done using the season ticket cards themselves, so it seems a very plausible scenario that the season ticket cards are also Mifare Classic cards," Darlow told El Reg.

Neither van Rossum or other security experts have examined a copy of the season ticket which may integrate with a cashless payment system in the same way that an Oyster card can carry both a travel card season ticket and Oyster PAYG credit. "It's speculation on my part, but quite likely speculation," Darlow said.

The Ricoh Arena cashless card system system was installed by German integrator Payment Solutions AG. Neither Coventry City nor Payment Solutions AG have responded to our requests to comment on security concerns, first raised by Darlow, about the SkyBluePass system. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.