Three undergrads from MIT working with Professor Ron Rivest (the R in RSA!) have cracked the Boston T's CharlieCard and CharlieTicket systems. The insane thing is they show how the value of the card is actually stored in plaintext right there on the magnetic stripe. Isn't that basically the most absurdly insecure way to make a magstripe ticketing system work? I would have guessed at least they would have considered a basic cipher. Better yet, just make the card a token that maps to a value retrieved from the MBTA's secure fare database.
Now the MBTA is going after these white-hat hackers with an injunction and lawsuit (Wired Blog). A commenter on Wired mentions: "Why go after the people who are obviously on their side? Do they want more of smart chaps wandering to the black market, where the chances of this bullshit is low, and the pay is high?" MIT's The Tech has published the banned slide deck of the talk on their site: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Hat tip to Hacker News... HN rocks, you don't readily see news like this break anywhere else.
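The design point from the first paragraph, as an added example that is not from the MIT talk or the MBTA: a reader that trusts a balance written on the card next to a backend where the card holds only an opaque token. The stripe layout `<card_id>|<balance_cents>`, the fare amounts and all function and class names are constructed for illustration and do not reflect the real CharlieTicket format.

```python
import secrets

# Constructed stripe layout for illustration only (not the MBTA's real format):
# the stored-value design writes "<card_id>|<balance_cents>" onto the card.

def stored_value_fare(stripe: str, fare_cents: int):
    """Reader that trusts the balance field carried on the card itself."""
    card_id, balance = stripe.split("|")
    remaining = int(balance) - fare_cents
    if remaining < 0:
        return False, stripe
    return True, f"{card_id}|{remaining}"  # new balance is written back to the card


class FareBackend:
    """Token design: the card carries an opaque id, the value lives server-side."""

    def __init__(self):
        self._balances = {}

    def issue(self, balance_cents: int) -> str:
        token = secrets.token_hex(16)  # 128 random bits, encodes nothing
        self._balances[token] = balance_cents
        return token

    def charge(self, token: str, fare_cents: int) -> bool:
        balance = self._balances.get(token)
        if balance is None or balance < fare_cents:
            return False  # unknown token or insufficient funds
        self._balances[token] = balance - fare_cents
        return True

    def balance(self, token: str):
        return self._balances.get(token)


def demo():
    fare = 200
    # Stored-value: whatever number is on the stripe is treated as the balance.
    ok_honest, _ = stored_value_fare("C1|100", fare)
    ok_altered, _ = stored_value_fare("C1|10000", fare)  # same card, field changed
    # Token: nothing written on the card can change the server-side balance.
    backend = FareBackend()
    token = backend.issue(100)
    ok_token = backend.charge(token, fare)
    ok_unknown = backend.charge(secrets.token_hex(16), fare)
    return ok_honest, ok_altered, ok_token, ok_unknown
```

With the token design the fare gate needs a connection to the backend (or a synced copy of it) at charge time, which is the operational cost of moving the value off the card.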