What are the security risks in Barclaycard OnePulse?
Peter Tomlinson
pwt at iosis.co.uk
Mon Jun 8 22:06:55 BST 2009
Roland Perry wrote:
> In article <MsdWfoDYtTLKFwZV at tigers.demon.co.uk>, Mary Hawking
> <maryhawking at tigers.demon.co.uk> writes
>> I have been sent a combined credit and Oyster card.
>> Is there a security risk in having them combined?
>> I.e. how much can be read by a contact-less reader about the credit
>> part of the card?
>> I don't really have a use for the Oyster part - yet.
>
> I think the credit card and Oyster are disjoint.
>
> But it also has "whatever they are branding the 'paywave' facility on
> this card" - which is the ability (if you can find a retailer, which I
> never have) to make an up-to-£10 contactless CC charge.
>
> That must send at least the CC number [or a pseudonym], and if it's
> one of the transactions which then requires a PIN [apparently a random
> small number of transactions do] then I don't know if you have to
> insert the card to do that, or whether it's also contactless (which
> would imply they also send some sort of hopefully cryptographically
> obscured version of the PIN).
My understanding is that the standard method for contactless bank
payment is that, every 10 transactions or so, or if the total payment
over a batch of transactions exceeds a particular limit, the card has to
be used via the contact interface with the PIN. But there is an
alternative procedure where the merchant and the issuer have a risk
sharing agreement (e.g. as is expected to be the case with low value
public transport payments), such that the requirement to use PIN and
contact interface is waived.
Oyster Pay-as-you-go is different, because it has pre-paid tokens loaded
onto the card in a separate section of the One Pulse card's chip
(technically a Mifare Classic emulation area) - you can purchase tokens
when you wish, or you can arrange for auto top-up when the balance drops
below a specific value. As an occasional user, I purchase Oyster tokens
at a ticket vending machine in London when I find that the balance of
tokens is low, but I could purchase on-line and nominate a particular
tube station where the gate will load the tokens that I have purchased.
TfL is widely expected to add a direct payment function for using bank
contactless payment at tube station gates rather than the PAYG tokens,
but there is some way to go before the software is ready (e.g. it has to
be able to cope with the daily fare capping method used in London).
There is clearly a move within some sections of govt to push now for
upgrading London's Oyster scheme in time for the Olympics, but how far
this will get is uncertain. DfT has been repeatedly over-optimistic in
its predictions of deployment of improved ticketing and payment
technology, and I have no reason to expect that at the most senior level
or up to three levels below they have learned any lessons over the last
12 years or gained any understanding of the management of the deployment
of secure ICT transaction technology (despite them occasionally paying
me and my associates for advice, although not recently - they want the
advice for free now). Maybe Adonis will have some effect as Sec of State...
Peter
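The counter-based fallback described in the post (a run of contactless payments, then a forced contact-and-PIN transaction, with the fallback waived under a merchant/issuer risk-sharing agreement) modelled as an added example that is not from the post or from any card scheme; the limits are assumed values chosen only for illustration, not Barclaycard or TfL parameters.

```python
from dataclasses import dataclass

# Constructed model of contactless risk management: a card allows a run of
# low-value contactless payments, but every so many transactions, or once
# the running total passes a limit, it must be used via the contact
# interface with PIN. All three limits below are assumptions for illustration.
CONTACTLESS_MAX_AMOUNT = 10.00   # assumed per-transaction ceiling (the "up-to-£10" in the thread)
CONSECUTIVE_LIMIT = 10           # assumed: "every 10 transactions or so"
CUMULATIVE_LIMIT = 50.00         # assumed cumulative spend allowed between PIN uses


@dataclass
class CardState:
    consecutive_contactless: int = 0
    cumulative_contactless: float = 0.0


def require_pin(card: CardState) -> str:
    """A successful contact+PIN transaction resets the offline counters."""
    card.consecutive_contactless = 0
    card.cumulative_contactless = 0.0
    return "contact+pin"


def authorize(card: CardState, amount: float, risk_sharing: bool = False) -> str:
    """Return 'contactless', 'contact+pin' or 'declined' and update the counters."""
    if amount <= 0:
        return "declined"
    if amount > CONTACTLESS_MAX_AMOUNT:
        # Above the contactless ceiling: chip-and-PIN regardless of counters.
        return require_pin(card)
    if risk_sharing:
        # Merchant and issuer share the fraud risk (e.g. public transport), so
        # the PIN fallback is waived. Assumed here: the payment still counts
        # towards the running totals seen by the next ordinary merchant.
        card.consecutive_contactless += 1
        card.cumulative_contactless += amount
        return "contactless"
    if (card.consecutive_contactless + 1 > CONSECUTIVE_LIMIT
            or card.cumulative_contactless + amount > CUMULATIVE_LIMIT):
        return require_pin(card)
    card.consecutive_contactless += 1
    card.cumulative_contactless += amount
    return "contactless"
```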