Via Freeborn John, I came across this article by Bruce Scheier regarding the Dutch transit system’s new RFID enabled travel cards:
The Dutch RFID public transit card, which has already cost the government $2B — no, that’s not a typo — has been hacked even before it has been deployed:
This would be funny if it wasn’t so serious. This system is similar, I gather to the LUL Oyster Card.
My guess is the system was designed by people who don’t understand security, and therefore thought it was easy.
Much like the simpletons who dreamed up the national identity register and the technologically illiterate chumps who think that “biometrics” will save the day. It’s a simple enough concept; the more data you put into a system, the more data you stand to lose when it is compromised.
But the Dutch Parliament recently invited the students to give testimony; they’re more than a little bit interested how $2B could be wasted.
Unfortunately, our parliament is not so forward looking… While forging a travel pass is of relatively minor consequence, it illustrates a significant point:
If the technology exists and the rewards are worthwhile; someone, somewhere will break it. The only secure system of identity management is not to have one.
“The only secure system of identity management is not to have one.”
That is brilliant, I shall link to that!
I think I can guess any response from our morons:
We note this and we will learn from it. We will review all blah blah blah, and then everything will be wonderful and you’ll be so secure.