Our travel card safer then cracked version, says Snapper

• Open source means freedom from 'anti-features'
• Microsoft to drop Linux, Unix versions of enterprise search
• Telstra separation announced on Thursday?
• Reverse auctions to cut government costs
• Fusion 5 to represent NetSuite in NZ

 

• Companies are wasting less money on ERP
• Live within your means
• Is Skype safe for business?
• Slapped in the face
• Why watching 'Lost' is like managing ERP

SUBSCRIPTIONS

Computerworld is New Zealand's only specialised information systems fortnightly.

Subscribe now for $97.50 (24 issues) and save more than 37% off the cover price!

NEWSLETTERS

Get the latest news from Computerworld delivered via email.
Sign up now

NEWSFEED

Subscribe to Computerworld's
RSS newsfeed here and get news stories as they break.

• Snapper says it will comply with 'agreed' ticketing standards
• Snapper 'in Auckland buses by end of 2010'
• Passport data to be copied in Kiwicon demo
• Snapper's Miki Szikszai on brands and national plans
• FryUp: No longer in the dark
• How tech is changing the banking experience

An independent security researcher says New Zealand’s Snapper electronic travel and purchase card is secure against the hack perpetrated by a group of Dutch academics on related cards, known in the Netherlands as MiFare and in the UK as Oyster.

The hackers managed to duplicate the data on the cards and add credit to them free of charge. Oyster card maker NXP took out an injunction to prevent details of the exploit being published, but a Dutch judge has ruled that the details can be published as legitimate research results under freedom of information laws.

Snapper is based on a later-generation chip than the version of the card that was cracked and has more secure encryption, says a spokeswoman for Snapper Services, the Infratil subsidiary which distributes the Snapper card in New Zealand.

“Snapper is a new generation smart card, based on NXP’s Infineon, Smart MX and is highly secure,” she says. “Snapper uses a triple DES encryption with a 168 bit key, compared to the MiFare Classic card that was cracked. This uses a single 48-bit key.

“The triple DES security is standard in financial cards and has been approved in New Zealand as a secure mechanism for connection through to the Eftpos network.”

Cryptography expert Peter Gutmann of the University of Auckland, says Snapper’s confidence is probably justified. “As far as I know the Snapper card is [equivalent to] the Korean T-Money, which apart from its use of the SmartMX doesn’t have much in common with the MiFare (or at least the closest equivalent would be a MiFare DESFire, not a MiFare Classic). So it won’t be affected by the MiFare Classic attacks,” he says.

The Snapper card can be reloaded with cash using credit card payment, either at a card-seller or online using a USB-attached reader.