Wednesday, August 20, 2008

MBTA admits ticket not secure

The MBTA acknowledged in court
yesterday that its CharlieTicket system is vulnerable to fraud,
validating a key finding of three MIT students who drew attention to
the security problems as part of a class project.

The admission came during a hearing at which a federal judge lifted a
10-day order barring the students from talking about their findings and
denied the MBTA's request to keep them silent about the most sensitive
parts of their research for five months.

The Massachusetts Bay
Transportation Authority had previously declined to say whether its
fare system was vulnerable, and one of the students who raised the
issues said they were treated like pranksters for their attempts to
unmask the problems.

"It's good that they've at least
acknowledged that," Zack Anderson said in a telephone interview after
yesterday's hearing. "The issues really do need to be fixed."

The 10-day order was granted by another federal judge earlier this month
just before the students were scheduled to give a talk called "anatomy
of a subway hack" at a hackers convention in Las Vegas. In an online
advertisement for their presentation, the students said they could
provide hackers with "free rides for life."

The lawyer
representing the MBTA, Ieuan G. Mahony, and T general manager Daniel A.
Grabauskas said the agency will now try to meet with the students in
hopes of learning more about their research - a much more conciliatory
approach than it had taken over the previous two weeks. Civil liberties
groups and Internet technology buffs have been watching the case
closely for its possible ramifications on the limitations of free
speech as it relates to electronic security.

"I hope it gives
people comfort that they can do security research . . . without fear
that they're going to be dragged into federal court and gagged," said
Cindy Cohn, legal director for the Electronic Frontier Foundation,
which is representing the students.

At the same time, MBTA riders have been wondering how vulnerable the electronic fare system is.

MBTA officials and Anderson say the problems with the paper CharlieTicket
are correctable and do not require scrapping the system.

According to the MBTA, fewer than a third of riders use the CharlieTicket - a
paper ticket sold at most T stations. The card's magnetic strip is not
encrypted and can be cloned using easily available equipment,
according to the MIT students.

The MBTA did not acknowledge any
security flaws with the more popular plastic CharlieCard, used by 70
percent of riders, though the MIT students argue that the card may be
vulnerable, too. The CharlieCard contains a Radio Frequency
Identification chip that provides a higher level of security, but still
can be cloned or forged, according to the students.