

How to Crack Mifare Classic Cards - FireFart
https://www.firefart.at/how-to-crack-mifare-classic-cards/

======
abritishguy
The Oyster travel cards in London are Mifare cards (not actually Classic ones
though), but the system was designed in a way to be resilient to attacks on the
card.

When you tap the card on the reader, the transaction happens locally between
the card and the reader; this means that there is no latency and the system can
continue to operate even if the central server goes down.

Every minute or so the machines sync with a central server, and if at any point
a machine saw a card with a balance or journey history that conflicted with
the server copy, then that card gets blacklisted and no machine will accept it
any more. This means that if you clone a card you can use it to start your
journey, but by the time you get to your destination you won't be able to get out.

~~~
kayfox
I'm under the impression all Vix-ERG-designed systems do this as well.
Examples are ClipperCard (SF Bay area) and OrcaCard (Seattle).

I had heard that the OrcaCard system had an issue early on where a number of
cards were disabled as a result of a TVM not being synced back to the
database. There certainly were a large number of completely dead cards for a
couple of weeks in 2010.
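The reconciliation abritishguy describes, as an added simulation that is not part of the FireFart article or of this thread: readers accept taps offline against the balance and counter stored on the card, keep a local log, and on the periodic sync the server detects a card whose history has forked (two taps that both advanced the card from the same counter value) and pushes a blacklist back to every reader. The Card, Reader and Server classes, the UIDs, fares and the on-card counter are all constructed for the example; how the real Oyster or Vix-ERG back ends do this is not documented here.

```python
"""Offline taps with periodic reconciliation and clone blacklisting (constructed simulation)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Card:
    """Model of the value stored on a card: a balance and a tap counter (assumed layout)."""
    uid: str
    balance: int
    counter: int = 0

    def clone(self) -> Card:
        # A dumped-and-rewritten card carries exactly the same state as the original.
        return Card(self.uid, self.balance, self.counter)


@dataclass
class TapRecord:
    reader_id: str
    uid: str
    prev_counter: int   # card state the reader saw before it updated the card
    new_balance: int


class Reader:
    """A gate that decides offline and keeps a log until the next sync."""

    def __init__(self, reader_id: str, fare: int):
        self.reader_id = reader_id
        self.fare = fare
        self.log: list[TapRecord] = []
        self.blacklist: set[str] = set()

    def tap(self, card: Card) -> bool:
        # No server round trip: only the local blacklist and the card's own balance are consulted.
        if card.uid in self.blacklist or card.balance < self.fare:
            return False
        self.log.append(TapRecord(self.reader_id, card.uid, card.counter, card.balance - self.fare))
        card.counter += 1
        card.balance -= self.fare
        return True


class Server:
    """Central copy: which counter values have already been consumed for each UID."""

    def __init__(self):
        self.consumed: dict[str, set[int]] = {}
        self.blacklist: set[str] = set()

    def ingest(self, records: list[TapRecord]) -> None:
        for rec in records:
            seen = self.consumed.setdefault(rec.uid, set())
            if rec.prev_counter in seen:
                # Two readers each advanced the card from the same state: the history
                # forked, so at least one of the cards presenting this UID is a clone.
                self.blacklist.add(rec.uid)
            seen.add(rec.prev_counter)

    def sync_all(self, readers: list[Reader]) -> None:
        # Phase 1: collect every reader's log. Phase 2: push the blacklist back out.
        for r in readers:
            self.ingest(r.log)
            r.log.clear()
        for r in readers:
            r.blacklist |= self.blacklist


def cloned_journey() -> dict[str, bool]:
    """Genuine card and its clone both tap in at different gates before a sync, then try to tap out."""
    server = Server()
    gate_a, gate_b, gate_exit = Reader("gate-A", 1), Reader("gate-B", 1), Reader("gate-exit", 1)
    readers = [gate_a, gate_b, gate_exit]

    genuine = Card("04A1B2C3", balance=10)   # constructed UID
    clone = genuine.clone()
    honest = Card("04D4E5F6", balance=10)    # an unrelated card used normally

    results = {
        "genuine in": gate_a.tap(genuine),
        "clone in": gate_b.tap(clone),
        "honest in": gate_a.tap(honest),
    }
    server.sync_all(readers)                 # the "every minute or so" sync
    results.update({
        "genuine out": gate_exit.tap(genuine),
        "clone out": gate_exit.tap(clone),
        "honest out": gate_exit.tap(honest),
    })
    return results


if __name__ == "__main__":
    for step, accepted in cloned_journey().items():
        print(f"{step:12s} -> {'accepted' if accepted else 'rejected'}")
```

Both the original and the clone get through the entry gates, because each gate only sees a card whose counter and balance look valid. The fork is visible only once the logs meet at the server, and after that the genuine card is locked out together with the clone, which is exactly the behaviour described above.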

------
xwintermutex
In the Netherlands, the public transport card "ov-chipkaart" used Mifare
Classic too [0]. Even worse, the "defensiepas", for access to military bases,
uses it too [1], even as of today.

[0] [http://en.wikipedia.org/wiki/OV-chipkaart](http://en.wikipedia.org/wiki/OV-chipkaart)
[1] [http://www.computable.nl/artikel/ict_topics/security/2735292/1276896/gekraakte-chip-geeft-toegang-tot-wapendepots.html](http://www.computable.nl/artikel/ict_topics/security/2735292/1276896/gekraakte-chip-geeft-toegang-tot-wapendepots.html)

------
souriguha
A pretty detailed presentation from Defcon. I believe these people were among
the first to tinker with Mifare in real-life scenarios (IIRC this was back in
2008).
[http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf](http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf)

------
SomeoneWeird
The problem with any type of hardware/usage like this is that it's susceptible
to offline attacks, which widens the attack surface greatly. A better way to
do this would be to encrypt any data that you need to store on the card. And
an even better way would be to communicate with a server and have it validate
the transaction.

------
imrehg
Taiwan's EasyCard is also Mifare Classic (AFAIK), and has been cracked a few
times. Here's some more info:
[http://www.fuzzysecurity.com/tutorials/rfid/4.html](http://www.fuzzysecurity.com/tutorials/rfid/4.html)

------
martin_bech
I find the key is either using a purely online system that relies on the UID*
or separately encrypting the content stored on the card.

* Perhaps even using the UID combined with some encrypted data on the card, as the UID can be changed on questionable Mifare cards.

------
mschuster91
...which is, if at all, this type of card should be used for storing a user
identifier which is linked to the UID of the card, with both verified on a
server.

Of course, this does not prevent cloning with Chinese knockoffs where the UID
can be overwritten.
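The approach that SomeoneWeird, martin_bech and mschuster91 converge on, as an added example that is not code from the article or from the commenters: the record stored on the card carries a MAC computed over the card UID and the record under an issuer key, so the same bytes only verify on the chip they were issued to, and the back end keeps its own copy of the user link plus a per-card counter that must match on every use. HMAC-SHA256 from the standard library stands in for the encryption the comments mention (a deployment would use an AEAD such as AES-GCM with the UID as associated data, and a diversified per-card key kept in a SAM); the issuer key, UIDs, user ids and the Backend class are all constructed for the example. The last scenario shows the caveat the thread raises: on a card whose UID can be rewritten the copied data verifies fine, and only the server's counter catches it, and only if the genuine card happened to be used first.

```python
"""Binding on-card data to the UID plus a server-side counter check (constructed example)."""
from __future__ import annotations
import hashlib
import hmac
import json
from typing import Optional

# Assumed issuer key shared by the readers (in practice diversified per card and held in a SAM/HSM).
ISSUER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
TAG_LEN = 16


def seal(uid: bytes, record: dict) -> bytes:
    """Serialize a record and append an HMAC over UID || record.

    Feeding the UID into the MAC is what ties the data to this chip: the same
    bytes written to a chip with another UID no longer verify."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, uid + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def unseal(uid: bytes, blob: bytes) -> Optional[dict]:
    """Return the record if the tag matches this UID, else None."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(ISSUER_KEY, uid + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Backend:
    """Server-side copy: UID -> (user id, counter value the card must currently carry)."""

    def __init__(self):
        self.accounts: dict[bytes, tuple[str, int]] = {}

    def issue(self, uid: bytes, user_id: str) -> bytes:
        self.accounts[uid] = (user_id, 0)
        return seal(uid, {"user": user_id, "counter": 0})

    def validate(self, uid: bytes, blob: bytes) -> tuple[str, Optional[bytes]]:
        """Online check at tap time; on success returns the re-sealed record to write back."""
        record = unseal(uid, blob)
        if record is None:
            return "reject: tag mismatch", None
        if uid not in self.accounts or self.accounts[uid][0] != record["user"]:
            return "reject: user not linked to this UID", None
        user_id, expected_counter = self.accounts[uid]
        if record["counter"] != expected_counter:
            # The card presents a state the server has already moved past: a copy or a replay.
            return "reject: stale state", None
        self.accounts[uid] = (user_id, expected_counter + 1)
        return "ok", seal(uid, {"user": user_id, "counter": expected_counter + 1})


def demo() -> dict[str, str]:
    backend = Backend()
    uid_a = bytes.fromhex("04a1b2c3")      # constructed UID of the genuine card
    uid_b = bytes.fromhex("04d4e5f6")      # a different card with a fixed factory UID
    genuine_blob = backend.issue(uid_a, "user-1234")
    copied_blob = bytes(genuine_blob)      # attacker dumps the sector before the next tap

    results = {}
    status, genuine_blob = backend.validate(uid_a, genuine_blob)
    results["genuine first tap"] = status
    results["copy on ordinary card (UID B)"] = backend.validate(uid_b, copied_blob)[0]
    results["copy on UID-writable card (UID A)"] = backend.validate(uid_a, copied_blob)[0]
    results["genuine second tap"] = backend.validate(uid_a, genuine_blob)[0]
    return results


def clone_taps_first() -> tuple[str, str]:
    """If the UID-writable clone is used before the genuine card, the clone is accepted
    and it is the genuine card that ends up rejected."""
    backend = Backend()
    uid_a = bytes.fromhex("04a1b2c3")
    genuine_blob = backend.issue(uid_a, "user-1234")
    clone_blob = bytes(genuine_blob)
    clone_status, _ = backend.validate(uid_a, clone_blob)
    genuine_status, _ = backend.validate(uid_a, genuine_blob)
    return clone_status, genuine_status


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:38s} -> {status}")
    print("clone first, then genuine:", clone_taps_first())
```

The MAC stops the cheap attack of writing a dumped sector onto any blank Classic card, but it says nothing about which of two chips sharing a UID is the original. That decision has to come from state the attacker cannot copy, here the server's counter, which is why the online check matters more than the on-card cryptography.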

