by Mark Prigg
Researchers claim to have broken the electronic security used in the Oyster card and warned the way could be opened for them to be "cloned" using home computers.
German computer engineering students behind the discovery claim any of the 10 million Oyster cards in circulation could now be cloned in under 10 minutes using a standard PC and card reader.
The cloned cards could then be used by fraudsters to travel free.
The discovery has forced the Dutch government, which uses a similar card, to issue a security warning. Government institutions plan to take " additional security measures to safeguard security", said Guusje ter Horst, minister of interior affairs.
The technology used in the Oyster card, called the Mifare Classic RFID (radio frequency identification) chip, is used in a billion passes worldwide and is manufactured by a Netherlands company called NXP, founded by electronics giant Philips. The company said it was "taking these claims very seriously".
A spokesman added: "NXP has established an open dialogue with the researchers and is evaluating possible attacks." Two separate research teams have claimed to have broken the card's security.
German researchers Karsten Nohl and Henryk Pl?tz, who first hacked parts of the chip last December, this week published a paper demonstrating a way to crack the chip's encryption technology. Mr Nohl, a PhD candidate in computer engineering at Virginia University, said: "I don't want to help attackers, but I want to inform people about the vulnerabilities of these cards."
A second team, led by Bart Jacobs, an information security professor at the Radboud University in Nijmegen, has also published hacking details. However, Transport for London said today it was confident it would be able to spot cloned cards. A spokesman said: "All Oyster information is fully encrypted and we have adopted extra security measures on top of that available on the source chips."
Oyster card cloning fears
