French public rail trials RFID / USB combo ticket system
by Dante Cesa 
posted Sep 4th 2008 at 8:32PM
[Via Wired]
Filed under: Transportation
[Via Wired]
[Via Wired]
Previous
Palm Pixi review
ASUS UL80Vt review
HP Envy 15 unboxing and hands-on
Motorola DROID review
Crazy-hinged Dell Adamo XPS hands-on!
BlackBerry Bold 9700 hands-on and impressions
HTC's HD2 hands-on
Sony Ericsson XPERIA X10 hands-on
Engadget Podcast 171 - 11.13.2009
Breaking news Feed
- Palm Pre WebOS 1.3.1 update available now
- T-Mobile launching BlackBerry Bold 9700 on November 16 for $199.99
- Dell Mini 3i officially set for imminent launch in Brazil and China
- Samsung Behold II hits T-Mobile on November 18th, unboxed today (now with video!)
- Boxee inks deal with first hardware partner: a 'Boxee Box' is coming
- Palm's Pixi TV spot heads in a new direction, bids adieu to creepy redhead
- Zune HD Marketplace now loaded with free 3D games
- Saygus VPhone to bring video calls and a bit of chub to Android and Verizon
- Kindle for PC app out now, Mac version to soon follow
- Nokia N900 is now shipping!
Featured stories Feed
- How would you change Garmin-Asus' nuvifone G60?
- HP dm3t review
- The Engadget Show: Philippe Starck Q&A bonus round
- The Engadget Show: Inside the mind of designer Philippe Starck
- Chumby One review
- Ask Engadget: Best multitouch monitor?
- Samsung Behold II hits T-Mobile on November 18th, unboxed today (now with video!)
- BlackBerry Storm2 hands-on and impressions
- Palm Pixi review
- Regen's ReNu solar panel system in the flesh
- Bookmark sync arrives on Chromium for Mac - here's how to make it work
- FeedBurner stats now showing up in Google Analytics
- Apple finally lets you check out iTunes store without installing iTunes
- Wally is a kick-ass, connected wallpaper changer for Windows, Mac, and Linux
- Linux Mint 8 RC1 brings a kicked-up Karmic Koala to your desktop
Resources
Sections
WIN Network
- Autos
- Technology
- Lifestyle
- Gaming
- Finance
- Entertainment on AOL
- Lifestyle on AOL
- Sports on AOL
- Travel on AOL
- Also on AOL
Reader Comments (Page 1 of 1)
EpicWinrar @ Sep 4th 2008 8:51PM
I don't foresee this being hacked at all.
If MIT could do it with little magswipe cards, I would think putting it on a USB dongle would make it that much easier.
jongscx @ Sep 4th 2008 9:53PM
I give it 10 days after release...
any other bets?
BigD145 @ Sep 4th 2008 9:59PM
That what I first thought. "You mean I don't have to buy an RFID reader now?"
Dan Bugglin @ Sep 4th 2008 11:23PM
Actually, from Engadget's summary this sounds like RFID as it was designed. RFID done RIGHT.
The only information stored on these will be a unique number to identify the user. That information is useless. I'll go through scenarios that could be done and we'll see why:
1) Someone steals the data on the RFID chip.
Great. Now they have a free train ride, at best, if they can get that number onto their own RFID chip. Not worth the effort There are easier, more lucrative targets for hackers, and that's really the best security you can have in a system, IMO.
2) Someone randomly assigns their own RFID chip a number
It's possible you could get free train rides, but more likely (if whoever designed this system had any brains, and indications are they did) valid numbers follow a specific, complex algorithm, like US dollar ID numbers (they're divisible by 6, hurr)*. Anyways randomly generating RFID numbers would get you mostly invalid numbers that would be rejected. Many valid numbers will be empty accounts, too.
3) Someone erases someone else's RFID chip.
See #1. Not worth the effort to deprive someone of their train ride.
Granted, I can see people doing any of these for kicks, but you're going to see that anywhere, no matter what type of system you use or security measures you employ. In this case, if someone has malicious intent I bet they will skip this and look elsewhere.
* - IIRC
Dan Bugglin @ Sep 4th 2008 11:27PM
Oh yeah... compare this to the type of systems that have been repeatedly criticized...
In that case, we'd see stuff like money amounts being kept on the RFID chip and being trusted by the system as correct. In this case the system is very vulnerable and it would be worth someone's time to hack it as all they'd have to do was buy one train ride and they could modify the chip to give themselves as many rides as they wanted.
Not to mention with more complex data structures on the chip, there's an increased chance a hacker could implant a buffer overflow or similar exploit in his chip and bring down the entire system just by swiping his tag, for kicks. When you're just storing a single number the chances of that happening are still existent, but low, especially since again it sounds like the guy who designed the system has half a brain.
Paulmichael @ Sep 4th 2008 8:48PM
Bring something like that to the States! Well, New York at least...
Reikon @ Sep 4th 2008 11:06PM
They already have RFID for public transit in the US. The Bay Area is rolling out TransLink for all its public transit.
LanFeusT @ Sep 5th 2008 2:03AM
it is like metro pass, a lot of cities in the world have this system...... this is the same, but you can "fill" it on your computer or anywhere else where there is a computer and internet connection. and it is for travelling accross the whole country
(01) @ Sep 5th 2008 1:42PM
Yeah, DC has the SmartTrip card, which is basically the same thing.
ポール @ Sep 4th 2008 8:59PM
Hum... I guess it is a good initiative, because let me tell you something about the hassle of getting tickets from my dear "not-anymore-friends" of the SNCF!
First, I'd like to mention that I am French, and I have been living in the States for 10 years now. Therefore, I have a bank account, well, you know, in America!
I happened to be in France over the summer, and I was travelling to Brussels, from Paris by train. The train going to Brussels from Paris is called "Thalis." It is a fast train from the SNCF Co. and I had purchased my ticket on line about, hum... Three months in advance... As a native parisian that I am, I knew that I could retrieve my tickets in less than 5 sec. (in theory) from one of the automatic machines at the beginning of the train platforms at the train station. The only "ick" was that you needed a VISA card (the one you used to buy your ticket with on line!). Not a problem, I say: I mean, I'm travelling... I live for plastic, right? Wrong!
I needed a chip on my card in order to get my tickets, even though I had already bought the ticket, mind you!
I am lucky enough to actually speak French (well, it's my native language! I'm from Paris, as I said!) and I called one of these little cute girls to help me with the issue. She could not figure out why it would not work at first, and I asked her to call her manager, because I am so americanized now, that I do not need to deal with petite people, right! Her manager came to me with the most annoying non-parisian-who-give-a-bad-name-to-parisians attitude, and told me: "Sir, it is written on the machine that it will not accept cards that do not have chips." She was right! It was in very very very very small, fine print, under the VISA sign! I have a 20 x 20 sight, and I could not spot this. I argued that THEY should write this on the eTickets, and she told me that she could not do it right now, obviously, because she was too busy! Like she was actually going to do that herself! Pfuuu!
Anyway, all of this to let you know that I had to wait about an hour at a regular teller to retrieve my ticket, and was in line with hundreds of other foreigners who got the same issue... Obviously, the SNCF is on strike like... Hum... Every week, or so... I ain't kidding you! It also has major issues on how it manages to sell tickets, because their infrastructure is packed of dumb lazy people. It's sick and madening... So, I welcome any type of improvement... It's MORE THAN WELCOME... Anything to just zap these dumb French girls I need to deal with when they tell me: "Where is this card from? That is soooooooo Third world!" What kind of comment is that? B***
tehrealwilliz @ Sep 4th 2008 9:04PM
...I'll have some of what your smoking please.
Jeff @ Sep 4th 2008 9:23PM
That amazing story deserves a +1 for sure
Philippe @ Sep 4th 2008 9:30PM
Yes, no microchip on credit cards IS actually 3rd world! I mean, come on, credit card companies put RFID on cards, but putting a chip is not possible? hellloooo.
And yes the SNCF is always on strike, as everybody else in France. And forget about customer service.
Good luck on your next trip ;-)
Ignatius @ Sep 4th 2008 10:19PM
What four letter curse word starts with B?
Octopus23 @ Sep 5th 2008 1:24AM
Poor boy... I'm french too, And I used a lot this automatic ticketing system without any problem.
You're right that they should have write it bigger but come on, you try to "teach" people here that SNCF is full of lazy people and strikes?
For sure there are very lazy people and many problems with SNCF, but when they try to improves things, I don't see the point to be so negative.
This news is about a RFID dongle, they never said that SNCF is the perfect rail company... No ?
Thomas @ Sep 5th 2008 3:07AM
Hey Paul,
Too much time in the US ?
Smartcard with microchip has been invented by a Parisian like you and the only card without chip in France are the one that bank deliver to children. And it's like that more than 10 years.
Le seul reproche envers la SNCF, c'est la grève !
coolblue @ Sep 5th 2008 5:06AM
It is about time the US caught up with Europe on the chip and pin cards. Why should European transactions be held back from being more secure just because the US can't be arsed to get with the program.
Wwhat @ Sep 5th 2008 5:03PM
They tried chip cards here, nobody was interested much, everybody use magnetic swipe and pin.
Personally I despise RFID, but not as much as biometrics, not by far, at least RFID I can block/disable.
However the RFID transport cards don't have the issue of hackability (that's not my issue) but of the companies/government being able to track your every move, probably live even, so bitch about that instead about something which isn't an issue for users, and then gets dismissed as not being an issue making it seem the things are flawless.
SNP @ Sep 4th 2008 9:21PM
half the people gonna lose the cap in the 1st few months...
Shadyman @ Sep 5th 2008 4:00AM
It's ok, I bet they'll provide a replacement cap for the low, low price of three EASY payments of $19.99. Sorry, no COD.
Wwhat @ Sep 5th 2008 5:06PM
You'd only take it off at home, so you lose it at home but you can dive under the desk and retrieve it, no problems.
SimonRichards @ Sep 4th 2008 9:42PM
See, its not so damn difficult. Just DONT PUT PERSONAL DATA ON THE GODDAMN THING. Sheesh.
Philippe @ Sep 4th 2008 9:52PM
Good for you.
archie852 @ Sep 4th 2008 10:52PM
Where I resides; The Hong Kong Special Administrative Region, part of the "Evil Communist Run" China as depicted by your most honorable President; have been using a similar set up since 1997. Yeah NYC MTA got the MetroCard but that's not a contactless RFID device. Take a look if you are interested. http://www.octopuscards.com/enindex.jsp Cheers and have a great day and Labor Day Weekend!
Barton @ Sep 5th 2008 11:06AM
YAY OCTOPUS!
:]
I live in Hong Kong and I use it everyday. No. It's not solid lead. or part lead. Actually I believe it's developed by Sony, using its FeliCa system. In fact, it's used by so many people that some schools have the students "doot" their cards for attendance records. It can be used anywhere, from buses to trains to the MTR (that's the subway for you Americans) to McDonalds and 7-Eleven.
"The Octopus card has been internationally recognized, winning the Chairman's Award of the World Information Technology and Services Alliance's 2006 Global IT Excellence Award for being the world's leading complex automatic fare collection and contactless smartcard payment system, and for its innovative use of technologies."
"The Octopus card uses encryption for all airborne communication and it uses two-way authentication based on public key infrastructure (PKI). In other words, data communications to and from the card are only established when mutually authenticated security handshaking is verified followed by transfer of encrypted data. The Octopus card and system have never been successfully cracked." - Wikipedia (http://en.wikipedia.org/wiki/Octopus_card)
Joe @ Sep 4th 2008 9:56PM
About that French ticket story above, yeah, that's exactly right.
The French built these wonderful ticket machines that automatically dispense the tickets that you've bought on the internet beforehand. (Some tickets can even be bought and printed online like airline boarding passes.)
However, these stupid ticket machines only accept credit/debit cards with a chip (a "puce"). While this is fine for the French, as nearly all of their cards have these chips, it's a nightmare for tourists from around the world who bang at these machines multiple times before walking over to the staffed window to figure out the problem.
So a solution to the problem is welcome. The French metro already has an RFID pass that you can reload online, thereby obviating the need for standing in line at a ticket window or machine. Many of the machines, which, by the way, only accept a card with a chip.
Osiris @ Sep 5th 2008 2:44AM
In the UK your ticket can be collected by putting in the card used to pay or by entering a reference code that is issued when you buy the ticket online.
It's hardly a difficult feature to impliment, they have no excuse.
On the other hand, why do American cards continue to ignore the growing worldwide standard of chips on credit cards?
I was in Thailand and met countless Americans who had their cards rejected at all ATMs for this very reason.
Adam Rosner @ Sep 4th 2008 10:16PM
We have these in Wellington NZ as well, they're called "snapper" - www.snapper.co.nz
phanbouy @ Sep 5th 2008 12:01AM
that's quite the name, mate!
futaris @ Sep 4th 2008 10:42PM
The Snapper looks very similar to the Translink go card used in SE QLD, Australia (Brisbane)
Shame that in NZ you can do the top up via your home PC, etc.
Joker4ever @ Sep 5th 2008 12:24AM
In fact, the chip system is one of the most secure system card could had. But as it was a french system, us didn't spread it...(as the concorde) and then you're stuck with your old 70's black line cards.
Visa wants to put all RFID system for the next summer olympics games when here in canada, visa says "its a big innovation for security to put a chip on the card". What a joke....
So i think that"s a pretty good initiative...
JayCee @ Sep 5th 2008 12:57AM
Yeah, it's good that you can use the Wellington snapper to buy coffees etc from a lot of places around town.
There is a USB version of this too - my partner got issued one as a staff trial at the ANZ bank.
Chuck it into your PC and refill your $ - where with the card which most people have, you need a "snapper feeder", which is a USB card reader, to refill it.
One thing I don't like is the annoying voice on the bus "please swipe card", "Please ticket"
The best thing with the Wellington bus trips, you swipe on, then swipe off afterwards, and it calculates the fare. (no more speaking to angry bus drivers in the morning!)
FluffyPanda @ Sep 5th 2008 4:05AM
But why RFID? I just don't understand the advantage to a contactless transaction.
The exact same system could be implemented with a chip that requires contact and people wouldn't be able to skim your RFID account number (by simply walking close to you with a scanner) and buy travel with your credit.
Keeping a single piece of info on the chip reduces the security risks down to a single vulnerability, but it's a pretty big one.
mrhahn @ Sep 5th 2008 4:23AM
We use Chip and Pin (http://en.wikipedia.org/wiki/Chip_and_PIN) here, don't see why they'd ever want to replace it with RFIDs.
BlackCoffeeNoSugar @ Sep 5th 2008 6:34PM
Well. Because of the improved speed and convenience. No one would mind being able to do something faster. Imagine your are in a queue in front of the ticket machine for a train, then find out there are a couple of idiots in front of you who can't find the card slot or swipe/insert the card in the right way.
Brian @ Sep 5th 2008 2:13PM
So, if the only thing that is stored on the card is your account number, why does it need USB? Couldn't you just link a login to their website to that account number? I guess I don't get it.
Even for Oyster card (London/TFL underground), which does store more than just your account number (I assume because you don't want to have to wait for a server to respond to open the gates), you can add tickets/passes online, although you have to choose to "pick up" at a specific station.
Wwhat @ Sep 6th 2008 6:48AM
One possible issue with just using an account number is that you can't link the actual owner and homeaddress/IP to the number, and that's information they like, oh they like it so much to keep track of people, that's what the bastards hope to get from RFID, a way to track and track.