Skip Links

Card makers hope to upset transit card security status quo

Cipurse, a new specification for securing public transit payment cards, will challenge existing systems from NXP

By Peter Sayer, IDG News Service
December 07, 2010 03:11 AM ET

IDG News Service - Two smartcard makers and two chip makers hope that a new specification for securing contactless card transactions will upset the status quo in the public transit card market.

Chip makers Infineon Technologies and Inside Secure hope to challenge the dominance in this field of systems developed by NXP Semiconductors, and to this end they are working with smartcard makers Oberthur and Giesecke & Devrient to create an open specification with which multiple manufacturers can secure contactless transactions between transit passes and physical access controls such as turnstiles.

The four, now calling themselves the Open Standard for Public Transport (OSPT) Alliance, plan to reveal more details of their specification, now named Cipurse, at the Cartes smartcard show near Paris on Tuesday. They first spoke of their project at the Transport Ticketing conference in London in January.

Cipurse defines only the way in which contactless transactions are secured, and is independent of the radio frequencies used or the physical form of the token, according to Charles Walton, chief operating officer at Inside Secure, which until Monday was called Inside Contactless.

Turnstiles with existing contactless systems can be upgraded to use Cipurse, he said, and the system will work with mobile phones containing NFC (Near-Field Communications) interfaces or with smart cards -- although transit authorities will need to issue passengers with new Cipurse-compatible cards as cards cannot be upgraded.

The availability of competing yet interoperable implementations of Cipurse will offer transit operators a greater choice of suppliers than the systems used today, Walton said.

"At the heart of all of today's systems is one technology with one provider defining what it costs," he said. "It's a complete pyramid, with NXP at the top."

NXP licenses Mifare technologies such as Mifare Classic, Mifare Plus and Mifare DESFire to other chip and card manufacturers -- including OSPT Alliance founders Oberthur and Giesecke & Devrient, which both sell products based on Mifare DESFire. To encrypt transactions, Mifare DESFire can use the DES and triple-DES algorithms, as well as the newer AES (Advanced Encryption Standard).

License fees for the OSPT Alliance's Cipurse -- which also uses AES encryption -- will be lower than for comparable Mifare products, said Walton, allowing manufacturers to reduce the cost of compatible cards and readers.

"We believe that this technology will come to market at a lower price," he said.

That proposition alone would probably not be enough to persuade existing Mifare Classic users to upgrade their systems, but in 2008 the encryption system of Mifare Classic was hacked wide open.

There is little evidence yet that the hack is being exploited on a wide scale, said Walton, but some transit authorities have already introduced stopgap measures or replaced their security systems, and others are thinking about doing so.

Transit authorities wishing to protect their revenue by upgrading their systems from the flawed Mifare Classic to something more secure will be prime targets for OSPT Alliance sales staff.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News