top | item 41270333

(no title)

I've been involved with carding for 10+ years and issues with MIFARE Classic cards have been around and known for at least that long. Anyone in the carding industry will (should at the very least) tell you not to use them and move on to DESFire or some other newer safer chips. The introduction even says as much "By 2024, we all know MIFARE Classic is badly broken." If you're still deploying MIFARE Classic cards you reap what you sow.

discuss

znpy|1 year ago

Yup… the vending machines at my university used to use mifare classic tokens with credit on such tokens… in like 2014 i was a student and ran out of money in the middle of july and barely had the money to buy a train ticket to go home for vacation… but thanks to mommy mifare i managed to survive on sandwiches from said vending machines for like two weeks.

Oh, to be young again.

DaSHacka|1 year ago

My university had something similar, but with ID numbers correlated to each person in a database that recorded how many credits they had left.

Tapping the vending machine with your card sends the ID in plaintext over the wire to the upstream server, which responds in plaintext for the machine to either accept or reject the transaction.

Tomfoolery may or may not have been performed by a bunch of bored, hungry college students at 1AM one night...

dfox|1 year ago

The main point from that is that you should never do a system with stored value on a smart card. The vendors will show you various methods for that, but well it is 2024, just do that online (and the card is just an ID, which optionally can produce ECC signature of some challenge).

adontz|1 year ago

MIFARE Classic are cheap and reliable, only their encryption is broken. One can use them as simple storage and encrypt/authenticate data by different means. Nothing wrong with that. I did that, ECC signatures are small enough to fit in 2K/4K cards.

nullc|1 year ago

A signature fits but what good does it do you? The cards can't sign a challenge, and so someone with access to a valid card can just clone it. (or access to a card and reader, in the case encryption is used)

astrobe_|1 year ago

Yes, and more generally I've been baffled by the fact that manufacturers - including ARM-based SoCs with SecureBoot (or similar); you know, those PDF spec docuements that disable copy-paste and a nice "confidential" watermark - put their cyber-security stuff under NDA. As if it security-by-obscurity was still a thing.

minkles|1 year ago

Yeah TFL killed them off starting 2010 in London due to this. I'm surprised this is even a thing now.

lxgr|1 year ago

Oyster has been using MIFARE DESfire, and stopped using MIFARE Classic, for over a decade now.

They're stopping it for completely unrelated reasons (primarily convenience – people don't like having to buy and top up a card – and not having to maintain a vending machine and top-up infrastructure).

stefan_|1 year ago

These cards have hardware backdoors. Their generation or type doesn't matter.

jtriangle|1 year ago

"carding" is also colloquially used to refer to people involved in credit card fraud online. Just FYI in case you get weird looks when you say that.

inopinatus|1 year ago

To an Australian, the only allowable response is "that'll buff out".

unknown|1 year ago

[deleted]

pajeets|1 year ago

also attracts 3 letters when they see "carding" on clearnet