OV-chipcard still crackable

By Jeroen van der Ham 

At the computer magazine PC Active research has been done with software to modify anonymous OV-chip cards. A digital copy (image) made from the card, and that copy is put back on the card's chip after a journey. That means no payment was then made by the traveller.
With another application, it is also possible to raise the balance without paying. In principle, this kind of fraud should be automatically detected by Trans Link Systems (TLS). TLS monitors all transactions and would be able to detect fraud through the card's identifications and anomalous travel behaviour. It was agreed with the transport companies that fraud would be detected within 24 hours. However, this did not always prove effective. In only two cases, the card was blocked from checking in at NS. In bus, tram and metro, the cards functioned as usual. The blockage proved removable by reusing the software. And controllers could not see anything strange about the cards either.
On Friday 28 January, PC Active will come out with a report on the hack. However, the software to change the maps will not be made available. According to PC Active, however, it won't be long before it will still be available. The hacker had written the software within two hours. The SP was also able to try out the software and requested an urgent debate. More can be read at Webworld and nu.co.uk.

Update 26-01-2011: Trans Link Systems informs that they were aware of the misuse of the cards throughout the trial. One did not block the cards in the interest of the investigation. Meanwhile, other hackers have also discovered that it is possible to "check in" with a PC itself. One uses an application on the PC to indicate at which station and time to check in and then uses the card to travel without using the gates. This is undetectable by the conductor. Unlike the hack above, it is not possible for TLS to detect it because no transactions are made that involve TLS.