Today I was faced with a moral dilemma. While boarding the MRT (subway) on my way home from work, perched perfectly on my desired seat was a card. But this was no ordinary card. This card is the supreme usurper of cards known as the EasyCard.
I have been using my EasyCard since the day I arrived in Taipei. It lives up to the name. It truly is easy. Money is put on, using booths outside the station, and by simply holding it up to the sensor, I can enter the tube.
But with great technology comes great exploitation, and this thing is too convenient to just be used in MRT. I noticed the readers at 7-11, FamilyMart, then chain stores. Now, I dump my change and cash into the machine periodically, then go off and buy a milk tea from CoCo at the night market deducting my $35 NT (just over $1.00) from my handy little card. They can be used to open the front door of your office. You can even check out library books.
So as I look down at this card, I essentially see free money. But I like to think I’m wiser–though I’m not saying I am–than to think anything free would come without a stipulation. So on went my research into these fancy cards to see what they’re capable of.
EasyCard is the largest and most circulated card system of its kind. Let me repeat. In the teeny island of Taipei, we have the biggest and most powerful purchase-through-card system in the world. It’s used more than any other card to make more transactions than anything like it.
It started for use on the bus. Its inception was during a trial period in 2001 and it cost just over 16 million USD to develop. It was funded by a private corporation called Taipei Smart Card Corp with shareholders ranging from private individuals to banks and bus companies. Americans who use tolls may recognize RFID as the thingy in the fancy box that makes it so I can drive on the thruway or over bridges and not throw cash at the schmuck working in the booth. Historians will know it as the technology that was created by Leon Theremin in 1945 as an espionage tool for use by the Soviet Union. By 2002, it was known as that cool new beepy thing that lets me get on the bus. Soon, the program was launched full-scale, and the stations started ringing away like a bell-choir of antsy children. By 2009, the corporation had issued over 18 million cards (over 20 million if co-branded cards are included).
During that year, EasyCard was netting 3.1 million transactions per day. It wasn’t just for trains, buses and parking lots anymore.
So here’s the fun part. Where you see power, some people see vulnerability. And behind that cloud of beeps, there is a way to alter the system to make that power your own.
Enter Harald Welte.
Harald is a German member of the free software community, but he is known as a hacker of the Linux kernel and for his activities in enforcing the GNU General Public License (GPL), the license that governs the use of most of the free software out there.
Welte is also involved in a number of free software projects, such as Openmoko (a version of Linux for completely open, low-cost, high-volume phones) and the netfilter/iptables project (the core firewall mechanism in Linux-based firewall computers and routing devices). He has also won a range of awards in crypto software engineering.
What am I trying to say? I’m trying to say he’s freaking brilliant.
And he went on to prove this at the 27th annual German Chaos Communication Congress hacker conference (“27C3”) in 2010. After reporting the issue to Taipei Smart Card Corp, and despite threats, he showed that during a 2-day trip to Taiwan he was able to alter the account stored on the MIFARE Classic chips using a USB RFID reader and a laptop running open-source software.
He told this conference:
“I made just one attempt and I was very lucky to find such an extremely welcoming system. RFID readers are not expensive, all the documentation is out there, the protocol stacks, the implementations of the various MIFARE Classic attacks. There’s no magic involved.”
The 24-year-old Welte was then arrested on suspicion of using his fraudulent card. Following his “attack,” Taipei Smart Card Corp would go on to increase security, update their chips, and pretty much just sit around with their fingers crossed that Harald doesn’t take another trip to Taipei.
The technology has improved in the past four years though. With the addition of a children’s and student card to the standard (now “adult”) card, and steps taken in networking technology, Taipei Smart Card Corp has a better grasp on who uses their cards.
“Your daughter is safely at school,” reads the text message sent to parents of children who use the children’s card and opt for tracking. On the fly, mom can add money to their kid’s account, see what station they have checked into most recently, even access terminals at school to ensure that their child actually attended class that day.
To answer the paranoid American’s next question… No, it can’t track you. Well. Sort of. I’ll get to that in a second. As of now, it does not submit a radio signal; it just contains a small code which, upon entrance to a terminal, the terminal reads to look up your account. Students require a photo ID to create their account, but other than the long number identifying your account, no other information is stored, and I seriously doubt that trending of purchases would yield any realistically usable data.
Starting next year, student cards will require registration. Adult cards are expected to follow after. That means that in order to get your card, you will have to register it to your name. And instead of your card just popping up a number in the database, it will be attached to a profile. If this were in America, the pending outrage would be palpable. You can’t have a Facebook app that mentions it allows you to send a picture and, because of that, requires storage of said picture, without a populace brandishing pitchforks for battle. Imagine, if you will, that New Yorkers’ daily commutes and purchases were tracked on a personal profile.
Oh the humanity.
So what does this mean for my wayward EasyCard? Well, it’s a student card. But it’s not registered, so that’s good (for me). It’s one that only required proof of enrollment at an educational facility to create. It has $100 NT ($3 USD) on it, so it’s useful for getting a coffee or something.
I know what you’re thinking. How dare I use this poor kid’s card. In reality though, this is just one of millions upon millions of RFID strips out in the world, and like a $5 bill that fell out of someone’s pocket, I will treat it as such, grab a donut and a milk tea, and toast it to the poor sap who left their EasyCard in a baggy pocket.
Thanks for the donut, kid. Now go buy a wallet.