Feeds

Coventry fans blue over 'hackable' cashless payment system

Sick as a parrot

Next gen security for virtualised datacentres

Coventry City fans are worried about the security of a cashless payment card introduced at the football club's Ricoh Arena stadium this season.

The system, intended to reduce the time fans spend queuing at matches paying for food and beverages, is one of the first of its kind. However the technology behind the SkyBluePass is based on the MiFare Classic RFID chip, the same system used by Transport for London's Oyster card.

A security paper due to be presented at a conference in October will show how it might be possible for a hacker to use a wireless RFID sniffer device to read an Oyster card and use this data to create a cloned counterfeit version that can be used as if it was the original.

A member of the team who conducted research into the possibility of hacking the Oyster card confirms that the Ricoh Arena card is based on the same technology as Oyster and is therefore potentially subject to the same security flaws. Peter van Rossum, of Radboud University in The Netherlands, came to this conclusion after examining a Ricoh Arena card sent to him after El Reg put him in touch with Coventry City fan Ben Darlow, who was the first to raise concerns about the technology.

"The [SkyBluePass] card is indeed a Mifare Classic; the 1K variant, to be precise - that's the most commonly used variant. Except for a few sectors, that likely don't contain sensitive data, all sectors are encrypted. Of course, an attacker can decrypt them if he listens in on a communication between a reader and a tag, but without a reader this is as far as I can get," van Rossum said.

"There are ways that the system can make this harder for an attacker, but I've never seen a system where that's actually being done," he added.

van Rossum added that the use of the potentially vulnerable MiFare Classic chip on the Coventry City card is a particular concern "especially since Coventry City seems to be going to use this as some kind of electronic wallet and that could easily present an attractive target for criminals". The use of the MiFare Classic chip is an unnecessary security risk, according to van Rossum, who notes that there are "cheap and secure alternatives available".

Coventry City fan Darlow adds that Coventry appear to be using the same MiFare technology for the club's new season tickets, raising the concern that season ticket holders could be vulnerable to having their tickets cloned and stolen.

"At first I only thought the cashless payment system was vulnerable, but shortly before the first match of the season the club announced that all season ticket holders would be given £7 credit. When I went to the match I saw that this was done using the season ticket cards themselves, so it seems a very plausible scenario that the season ticket cards are also Mifare Classic cards," Darlow told El Reg.

Neither van Rossum or other security experts have examined a copy of the season ticket which may integrate with a cashless payment system in the same way that an Oyster card can carry both a travel card season ticket and Oyster PAYG credit. "It's speculation on my part, but quite likely speculation," Darlow said.

The Ricoh Arena cashless card system system was installed by German integrator Payment Solutions AG. Neither Coventry City nor Payment Solutions AG have responded to our requests to comment on security concerns, first raised by Darlow, about the SkyBluePass system. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?