533
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 11 Aug 2023
533 points (98.2% liked)
Technology
59623 readers
1057 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Reading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I'd put money on the information they're holding back being details on the checksum algorithm.
Doesn't having an account require an online system? By making the card authoritive you can build and offline system.
It wouldn't need an account. The card can have all the data (in case it is used in an offline situation) but also have a unique serial number.
So when an official ticket machine charges the card, it also logs the balance/tickets on the card with that ID in a central database too. Yes, it needs to be "online" within their own network. But, I'd be concerned if a large city transit didn't have their own network already.
Whenever it is used, provided the ticket reader has a connection it would be verified against the stored record. If the connection is offline then it uses the local stored information.
I do wonder in a transit system like this what the advantage to an offline system is. If someone works out your "CRC32 except I xored the result with 1337" algorithm, then you're boned and a lot of kit is "offline" and thus cannot easily be upgraded too.