this post was submitted on 11 Aug 2023
517 points (98.3% liked)
Technology
59201 readers
3114 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is, and to accuse the subway engineers of incompetence, rather than what seem to be a conscious architectural decision.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by design. The alternative is to build a very complex and expensive centralized system with higher maintenance cost and points of failure. Both options work, but it is a tradeoff.
To me, the reason they didn't want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technically impressive. Those responsibles for the system already knew of this "flaw". They just don't need the instructions how to make counterfeit cards out there.
The flaw is that the checksum is so bad.
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They're system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn't match up, they knew there was some tampering going on.