bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

quizIds

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

paywallTypes

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Liz Heron

The Octopus card is fraud-proof, the smart card's provider has said after researchers hacked into a similar system in the Netherlands.
Octopus Cards, the company that runs the electronic payment system, said it was not using the chip the researchers had worked on.
'Multiple levels of security controls and active monitoring processes' were also in place to ensure customers and merchants were protected, the company said.
It would not be doing 'any special checks in response to this incident'.
The card - used by millions of people in Hong Kong to pay for travel on the MTR, buses and ferries, and to make purchases at more than 1,000 outlets - relies on a Radio Frequency Identification (RFID) chip to record journeys and transactions.
The Dutch government issued a  warning about an RFID smart card produced by NPX Semiconductors called the Mifare Classic, after a research team at Radboud University in Nijmegen identified a 'serious security flaw'  and demonstrated how the card could be hacked.
The attack was verified by the Dutch Signals Security Bureau  and a video of the hacking exercise has been posted on YouTube.
Dutch minister of interior affairs Guusje ter Horst  informed the country's parliament  this month that government agencies were planning to bring in  more security measures to address the flaws in the Mifare chip.
The smart card is used in 2 million building-access passes in the Netherlands and is the chosen technology for an Octopus-style travel pass now being introduced nationwide.
A  billion smart cards using  Mifare  chips are used  outside the Netherlands. Mifare cards are used as travel passes in cities including Beijing, Taipei, Seoul and London.
Bart Jacobs,   who led the investigation, said it took just 'a few competent people with good ideas and insight plus about two months' work' to break the Mifare chip's encryption algorithm and secret key. Criminals could clone the smart card.
At the technical level, there are no known counter-measures.
A spokesman for Octopus Cards said it used the Sony FeliCa card - not the Mifare Classic.
'We are confident that our security control measures and active monitoring processes are effective in protecting our customers and merchants,' he said.  'We conduct regular reviews to ensure that all our security controls and monitoring processes work as required.'
Richard Stagg,  of information security consultancy Handshake Networking, said: 'Nothing is impossible but nobody has yet been able to hack the FeliCa cards, so it is certainly a lot stronger than the Mifare card.'



Octopus card not vulnerable to hacking, system operator says