Department of Computer Science

Vrije Universiteit

Scientists advise on problems with public-transit card

Meeting between security researchers and Trans Link Systems at Radboud University

In reaction to the cracking of the single-use public transit card by computer science student Roel Verdult at the Radboud Universiteit in Nijmegen, a meeting took place between all the parties. In addition to employees of Trans Link Systems (TLS), the designers of the chip card, and the researchers at Nijmegen, RFID security expert Melanie Rieback from the Vrije Universiteit in Amsterdam was present at the meeting, which covered the technical details of how the chip was cracked. These people will also be present at a hearing held by the Dutch Parliament today about the security of the public transit card.

During the meeting, Roel Verdult began by explaining his attack. With an RFID reader, the contents of the single-use card were copied to a laptop, then the information was transferred to an electronic device Roel built, the "Ghost." The Ghost can repeatedly act as a transit card, allowing unlimited free transit on the public transit system.

The TLS employees expressed their concern about this attack, in particular because the equipment needed to carry it out is easy to obtain. Possible countermeasures were also discussed. The conclusion was that all proposed countermeasures were either very expensive or difficult to implement.

The researchers emphasized the need for openness and transparency as necessary conditions for adequate security and public trust in the system. What this means is that the specification and implementation details should be public from the very beginning so that researchers, hackers, consumers' groups and other interested experts can try to find design errors and propose solutions. The TLS employees agreed that this is the best method for getting a secure system.


For more information about this topic you can contact Peter van Rossum (T 024 3652077) or the science public relations officer of Radboud Universiteit Nijmegen (T 024 3616000).

For more about openness and transparency:

Infrastructuur voor Openbare Diensten Vereist Veiligheid en Transparantie.
Nederland Open in Verbinding, Ministerie van Economische Zaken, September 2007