Sensational headline, but the story should be dated December 10, 2004. That is the date on a paper entitled “Privacy, SmartCards and the MBTA,” with the subtitle “A Policy Analysis of the MBTA’s New Automated Fare Collection System.” You can find a reference to the paper on Wikipedia. That paper did a great job of analyzing the entire automated toll concept, including all the types of readers, middleware, RFID transmission systems and databases. Let’s just say there are a lot of security and privacy issues to consider before you decide to automate your subway system. I am still a fan of tokens.
The issue of the security of the Charlie Card came up again last March, when University of Virginia researchers suggested that the Charlie Card could be hacked.
And of course the issue came up again over this past weekend, when a federal judge weighed in to prevent three MIT students from giving a presentation about Charlie Card weaknesses at the Defcon convention in Las Vegas. InformationWeek has a good article with some pointers to the presentation. From the looks of it, both the students and the conference got too wrapped up in their own p.r. to think about a better way to present the information.
Now, of course, all this begs the question of why anyone smart enough to hack the Boston MBTA subway system would really want to get lots of free rides on, say, the Green line out of Park Square at about 5 p.m. on a workday. The bigger issues with these types of induction-based cards (see, I read the paper and I know what the Charlie Card has in common with my electric toothbrush) are privacy issues, encryption issues and database issues. This has not been a great month for data security, and it is worth remembering that all those really boring technical meetings about data security in your current projects are really worth attending. Data security and easy access are often in conflict, but you’d be wiser moving the meter to the security side of your projects these days. I wonder whatever happened to all those tokens?