In my university all vending machines use a Mifare Classic NFC tag to save users' credit. It has almost become a tradition that each year at the beginning of the second semester some freshmen find out how to read and modify their credit and mess up the vending machine system for some days just for the lulz and for (a very modest) profit.
Sadly no detail on how to find the keys, which is the hard bit.
Vulnerabilities in the protocol make it relatively trivial to discover the keys if you have the correct hardware (e.g. a Proxmark3), but as far as I know nobody has done this with a phone – all these writeups conveniently only clone tags with keys in the list of common keys distributed with MifareClassicTool.
These are mostly used exclusively in areas with high-rise residential flats. In low-rise neighbourhoods households usually have a grey bin¹ that needs to be wheeled to the curb for collection (often also a separate bins for organic waste and paper, although this varies per municipality).
Aren't most mifare carding systems hooked up so transactions are logged, so to detect fraud? Like the australian gocard system for example, isn't every legitimate transaction on the card recorded on an online database somewhere? To exploit a gocard, or similar technology, wouldn't you also need to hack their system database? Eg. taps on to pay; records total transaction value and balance on card; taps off records total transaction value and balance; user rewrites card data; balance on the database isnt updated because a direct payment wasn't recorded; fraudulent card detected; idk correct me HN if I missed anything
The chief advantage of the more expensive cards over the ID-only MIFARE cards is that you can store data securely on the card, so it can be used without a network connection. This helps if there's a network outage and reduces transaction time.
That said, it's super common to see recording done on both the card and on the network -- as you note for GoCard and Opal.
7 comments
[ 18.9 ms ] story [ 52.0 ms ] threadVulnerabilities in the protocol make it relatively trivial to discover the keys if you have the correct hardware (e.g. a Proxmark3), but as far as I know nobody has done this with a phone – all these writeups conveniently only clone tags with keys in the list of common keys distributed with MifareClassicTool.
1: https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fwww.sign2you...
That said, it's super common to see recording done on both the card and on the network -- as you note for GoCard and Opal.