What are the security risks in Barclaycard OnePulse?
Roland Perry
lists at internetpolicyagency.com
Mon Jun 8 23:36:58 BST 2009
In article <4A2D7D6F.6010207 at iosis.co.uk>, Peter Tomlinson
<pwt at iosis.co.uk> writes
>My understanding is that the standard method for contactless bank
>payment is that, every 10 transactions or so, or if the total payment
>over a batch of transactions exceeds a particular limit, the card has
>to be used via the contact interface with the PIN.
"Contact" - that is more secure. Although it potentially rules out use
at tube barriers (not to be confused with the Oyster functionality) as
they don't have a contact mechanism.
>But there is an alternative procedure where the merchant and the issuer
>have a risk sharing agreement (e.g. as is expected to be the case with
>low value public transport payments), such that the requirement to use
>PIN and contact interface is waved.
Waived :) You wave the card!
OK so, maybe it will be OK at tube gates one day.
>Oyster Pay-as-you-go is different, because it has pre-paid tokens
>loaded onto the card in a separate section of the One Pulse card's chip
>(technically a Mifare Classic emulation area) - you can purchase tokens
>when you wish, or you can arrange for auto top-up when the balance
>drops below a specific value.
Yes, mine [Barclaycard Pulse, but it could also be a plain Oyster] is on
auto top-up - when the balance falls below a certain amount it
automatically gets £20 added, charged to the CC half of the B/C Pulse,
but not as a result of the paywave part (it's all a bit complicated to
unpick).
>As an occasional user, I purchase Oyster tokens at a ticket vending
>machine in London when I find that the balance of tokens is low, but I
>could purchase on-line and nominate a particular tube station where the
>gate will load the tokens that I have purchased.
You need to make such a purchase to validate auto-topup as well.
>TfL is widely expected to add a direct payment function for using bank
>contactless payment at tube station gates rather than the PAYG tokens,
>but there is some way to go before the software is ready (e.g. it has
>to be able to cope with the daily fare capping method used in London).
It needs there to be a "virtual Oyster card" in a computer somewhere,
that logs all the transactions for a day, does the calculations of
capping and unresolved/over-time journeys, then charges one fee to the
credit card account overnight.
>There is clearly a move within some sections of govt to push now for
>upgrading London's Oyster scheme in time for the Olympics, but how far
>this will get is uncertain.
I'm sure I've heard that Olympic tickets will include a bundled travel
element. They could deliver that as an Oyster Card with a one-day
travelcard (-type -thing) loaded, which allowed any sensible travel in
the general direction of the venues.
> DfT has been repeatedly over-optimistic in its predictions of
>deployment of improved ticketing and payment technology, and I have no
>reason to expect that at the most senior level or up to three levels
>below they have learned any lessons over the last 12 years or gained
>any understanding of the management of the deployment of secure ICT
>transaction technology (despite them occasionally paying me and my
>associates for advice, although not recently - they want the advice for
>free now). Maybe Adonis will have some effect as Sec of State...
The objective sounds both simple and complex.
They should bite the bullet and have something that works during the
games, even if it's a kludge. After all, almost everyone heading for the
venues will have paid [for an entrance ticket and bundled travel], so do
they really need to prove it?
Two examples from today - they've recently [last week] installed
barriers at St Pancras mainline and I accidentally used the wrong
ticket, which proved all they are apparently doing [at the moment] is
making sure each passenger has a ticket, not a valid ticket.
And arriving in Nottingham the bus home had a defective smartcard
reader/ticket machine, so the driver was taking "donations" and waiving
anyone with something that looked like a smartcard or a bus pass. A less
pragmatic alternative would have been to take the bus out of service.
--
Roland Perry
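The risk-control rule Peter describes at the top of the thread (the card is forced onto the contact interface with a PIN after roughly ten contactless transactions, or once the cumulative contactless value passes a limit, with merchants under an issuer risk-sharing agreement exempt from that requirement), written out as an added Python sketch. This is not code from the original post or from any card scheme; the £50 cumulative limit, the `merchant_risk_sharing` flag and the choice to keep counting exempt transactions towards the limits are assumptions made for illustration.

```python
"""Sketch of an issuer-side contactless risk counter.

The thread describes the rule as: after "every 10 transactions or so", or once
the value of a batch of contactless transactions exceeds a limit, the card
must be used via the contact interface with a PIN, which resets the counters.
Merchants with a risk-sharing agreement (e.g. low-value transit) are exempt.
Added illustration only; thresholds other than the count are assumed.
"""
from dataclasses import dataclass, field

CONTACTLESS_TXN_LIMIT = 10        # "every 10 transactions or so" (from the post)
CONTACTLESS_VALUE_LIMIT = 50.00   # assumed cumulative GBP limit (not stated in the post)


@dataclass
class CardRiskState:
    """Counters the issuer (or the chip) keeps since the last successful PIN."""
    txns_since_pin: int = 0
    value_since_pin: float = 0.0
    log: list = field(default_factory=list)

    def contactless(self, amount: float, merchant_risk_sharing: bool = False) -> str:
        """Attempt a contactless tap.

        Returns 'APPROVED', or 'PIN_REQUIRED' when either counter says the card
        must first be used contact+PIN. A merchant under a risk-sharing
        agreement (assumed flag) is approved regardless; the tap still counts
        towards the limits so a later ordinary merchant forces the PIN check.
        """
        over_limit = (
            self.txns_since_pin >= CONTACTLESS_TXN_LIMIT
            or self.value_since_pin + amount > CONTACTLESS_VALUE_LIMIT
        )
        if over_limit and not merchant_risk_sharing:
            self.log.append(("contactless", amount, "PIN_REQUIRED"))
            return "PIN_REQUIRED"
        self.txns_since_pin += 1
        self.value_since_pin += amount
        self.log.append(("contactless", amount, "APPROVED"))
        return "APPROVED"

    def contact_with_pin(self, amount: float, pin_ok: bool) -> str:
        """Contact+PIN transaction; a successful PIN resets both counters."""
        if not pin_ok:
            self.log.append(("contact", amount, "DECLINED"))
            return "DECLINED"
        self.txns_since_pin = 0
        self.value_since_pin = 0.0
        self.log.append(("contact", amount, "APPROVED"))
        return "APPROVED"


def count_limit_demo() -> list:
    """Ten small taps, then an 11th that trips the count limit, a transit gate
    that is exempt, a PIN reset, and an ordinary tap that works again."""
    card = CardRiskState()
    results = [card.contactless(4.50) for _ in range(10)]       # £45 over 10 taps
    results.append(card.contactless(2.00))                      # 11th: PIN_REQUIRED
    results.append(card.contactless(1.50, merchant_risk_sharing=True))  # gate still accepts
    results.append(card.contact_with_pin(2.00, pin_ok=True))    # counters reset
    results.append(card.contactless(2.00))                      # approved again
    return results


def value_limit_demo() -> list:
    """Two taps whose cumulative value would exceed the assumed £50 limit."""
    card = CardRiskState()
    return [card.contactless(30.00), card.contactless(25.00)]


if __name__ == "__main__":
    print(count_limit_demo())
    print(value_limit_demo())
```

The point for a defender is that the counters only do their job if the contact+PIN step is genuinely enforced somewhere the card cannot skip it: a reader with no contact slot (the tube-gate case raised above) can only ever accept, which is exactly why that path needs the separate risk-sharing agreement rather than a relaxed counter.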