Transit Payment System Security WP

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit Alliance has used best efforts to ensure, but cannot guarantee, that the information described in this report is accurate as of the publication date. The Smart Card Alliance disclaims all warranties as to the accuracy, completeness or adequacy of information in this report. Transit agencies worldwide have implemented automatic fare collection (AFC) systems that use contactless smart card technology for transit-issued fare media. These systems are popular since they deliver fast, easy access to riders and reduced operating costs and improved efficiencies to transit operators. Recently, questions about the security of these systems arose when researchers reverse engineered one contactless chip product – the MIFARE Classic product – that is used in many transit AFC systems. The Transportation Council of the Smart Card Alliance prepared this white paper to discuss this research and to outline the approaches that the transit industry uses throughout its payment systems to ensure the security of transactions and data. The MIFARE Classic product was introduced over 10 years ago as one of the original contactless integrated circuit (IC) products and used encryption and design strategies consistent with the time of development. Since then and since the completion of the ISO/IEC 14443 contactless smart card standard, multiple vendors introduced a variety of contactless IC products. Many of these products incorporate more modern and sophisticated designs and are used in global transit projects and other applications. These newer products have not been exposed to the recently announced breach. It is also important to remember that while the contactless smart card technology that is used by both transit and financial industries operates on the 13.56MHz frequency band, there are vast differences among the contactless applications and security approaches used. For example, the MIFARE Classic product is not being used for open bank card payments in the U.S. or in countries implementing EMV 1 ; these applications have additional security, functionality, and flexibility requirements. Transit agencies who …