Oyster card hack will be published

The process to copy the Oyster smartcards used by transit systems in London and other cities can be published, said a Dutch court. The card was hacked by a team at Radboud University, Nijmegen.

The hack revolves around the MiFare chip found in the smartcard. The researchers were prevented from publishing but, as Bruce Schneier, security expert, notes:

“As bad as the damage is from publishing – and there probably will be some – the damage is much, much worse by not disclosing.”

If a university doesn’t reveal the exploit, ensuring the company will fix it someone else will find it and then no one will be able to stop the exploit or others like it. As Schneier notes: “Assume organised crime knows about this, assume they will be selling it anyway.”