Feeds

Coventry fans blue over 'hackable' cashless payment system

Sick as a parrot

Remote control for virtualized desktops

Coventry City fans are worried about the security of a cashless payment card introduced at the football club's Ricoh Arena stadium this season.

The system, intended to reduce the time fans spend queuing at matches paying for food and beverages, is one of the first of its kind. However the technology behind the SkyBluePass is based on the MiFare Classic RFID chip, the same system used by Transport for London's Oyster card.

A security paper due to be presented at a conference in October will show how it might be possible for a hacker to use a wireless RFID sniffer device to read an Oyster card and use this data to create a cloned counterfeit version that can be used as if it was the original.

A member of the team who conducted research into the possibility of hacking the Oyster card confirms that the Ricoh Arena card is based on the same technology as Oyster and is therefore potentially subject to the same security flaws. Peter van Rossum, of Radboud University in The Netherlands, came to this conclusion after examining a Ricoh Arena card sent to him after El Reg put him in touch with Coventry City fan Ben Darlow, who was the first to raise concerns about the technology.

"The [SkyBluePass] card is indeed a Mifare Classic; the 1K variant, to be precise - that's the most commonly used variant. Except for a few sectors, that likely don't contain sensitive data, all sectors are encrypted. Of course, an attacker can decrypt them if he listens in on a communication between a reader and a tag, but without a reader this is as far as I can get," van Rossum said.

"There are ways that the system can make this harder for an attacker, but I've never seen a system where that's actually being done," he added.

van Rossum added that the use of the potentially vulnerable MiFare Classic chip on the Coventry City card is a particular concern "especially since Coventry City seems to be going to use this as some kind of electronic wallet and that could easily present an attractive target for criminals". The use of the MiFare Classic chip is an unnecessary security risk, according to van Rossum, who notes that there are "cheap and secure alternatives available".

Coventry City fan Darlow adds that Coventry appear to be using the same MiFare technology for the club's new season tickets, raising the concern that season ticket holders could be vulnerable to having their tickets cloned and stolen.

"At first I only thought the cashless payment system was vulnerable, but shortly before the first match of the season the club announced that all season ticket holders would be given £7 credit. When I went to the match I saw that this was done using the season ticket cards themselves, so it seems a very plausible scenario that the season ticket cards are also Mifare Classic cards," Darlow told El Reg.

Neither van Rossum or other security experts have examined a copy of the season ticket which may integrate with a cashless payment system in the same way that an Oyster card can carry both a travel card season ticket and Oyster PAYG credit. "It's speculation on my part, but quite likely speculation," Darlow said.

The Ricoh Arena cashless card system system was installed by German integrator Payment Solutions AG. Neither Coventry City nor Payment Solutions AG have responded to our requests to comment on security concerns, first raised by Darlow, about the SkyBluePass system. ®

Remote control for virtualized desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?