I don't foresee this being hacked at all.
If MIT could do it with little magswipe cards, I would think putting it on a USB dongle would make it that much easier.
I give it 10 days after release...
Any other bets?
That's what I first thought. "You mean I don't have to buy an RFID reader now?"
Actually, from Engadget's summary this sounds like RFID as it was designed. RFID done RIGHT.
The only information stored on these will be a unique number to identify the user. That information is useless. I'll go through scenarios that could be done and we'll see why:
1) Someone steals the data on the RFID chip.
Great. Now they have a free train ride, at best, if they can get that number onto their own RFID chip. Not worth the effort. There are easier, more lucrative targets for hackers, and that's really the best security you can have in a system, IMO.
2) Someone randomly assigns their own RFID chip a number
It's possible you could get free train rides, but more likely (if whoever designed this system had any brains, and indications are they did) valid numbers follow a specific, complex algorithm, like US dollar ID numbers (they're divisible by 6, hurr)*. Anyways, randomly generating RFID numbers would get you mostly invalid numbers that would be rejected. Many valid numbers will be empty accounts, too.
3) Someone erases someone else's RFID chip.
See #1. Not worth the effort to deprive someone of their train ride.
Granted, I can see people doing any of these for kicks, but you're going to see that anywhere, no matter what type of system you use or security measures you employ. In this case, if someone has malicious intent I bet they will skip this and look elsewhere.
* - IIRC
Oh yeah... compare this to the type of systems that have been repeatedly criticized...
In that case, we'd see stuff like money amounts being kept on the RFID chip and being trusted by the system as correct. In this case the system is very vulnerable and it would be worth someone's time to hack it as all they'd have to do was buy one train ride and they could modify the chip to give themselves as many rides as they wanted.
Not to mention with more complex data structures on the chip, there's an increased chance a hacker could implant a buffer overflow or similar exploit in his chip and bring down the entire system just by swiping his tag, for kicks. When you're just storing a single number the chances of that happening are still existent, but low, especially since again it sounds like the guy who designed the system has half a brain.
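The contrast drawn in the two comments above, as an added example that is not part of the original thread or of the real fare system: a gate that looks up the balance by card ID in a backend, next to a gate that trusts a balance stored on the card. The keyed-tag ID format, the key, the fare and all class and function names are assumptions made for illustration; the page does not say how the real system validates its numbers.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; a real issuer key stays in the backend
FARE = 2

def issue_card_id(account_no: int) -> str:
    """Hypothetical ID format: 8-digit account number plus a keyed 8-hex-digit tag."""
    tag = hmac.new(ISSUER_KEY, b"%08d" % account_no, hashlib.sha256).hexdigest()[:8]
    return f"{account_no:08d}-{tag}"

def is_well_formed(card_id: str) -> bool:
    """Reject IDs whose tag does not match, so guessed numbers fail before any lookup."""
    acct, sep, _tag = card_id.partition("-")
    if not (card_id.isascii() and sep and acct.isdigit() and len(acct) == 8):
        return False
    return hmac.compare_digest(issue_card_id(int(acct)), card_id)

class BackendGate:
    """Card carries only an ID; the balance lives in the operator's database."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def tap(self, card_id: str) -> bool:
        if not is_well_formed(card_id):
            return False                      # random or corrupted number
        if self.balances.get(card_id, 0) < FARE:
            return False                      # valid format, but empty or unknown account
        self.balances[card_id] -= FARE
        return True

class CardTrustingGate:
    """Balance is stored on the card and believed by the gate."""
    def tap(self, card: dict) -> bool:
        if card["balance"] < FARE:
            return False
        card["balance"] -= FARE               # written back to storage the holder controls
        return True

def demo() -> dict:
    funded, empty = issue_card_id(1001), issue_card_id(1002)
    guessed = funded[:-1] + ("0" if funded[-1] != "0" else "1")  # wrong tag by construction
    gate = BackendGate({funded: 4, empty: 0})
    card = {"id": funded, "balance": 0}
    card["balance"] = 1000                    # holder edits the card; no backend to disagree
    return {
        "guessed_id": gate.tap(guessed),
        "empty_account": gate.tap(empty),
        "copied_id_taps": [gate.tap(funded) for _ in range(3)],  # bounded by real balance
        "edited_card": CardTrustingGate().tap(card),
    }
```

In the backend design a copied ID can only spend what the real account holds, while the card-trusting gate accepts whatever balance the card reports.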