An independent security researcher says New Zealand’s Snapper electronic travel and purchase card is secure against the hack perpetrated by a group of Dutch academics on related cards, known in the Netherlands as MiFare and in the UK as Oyster.
The hackers managed to duplicate the data on the cards and add credit to them free of charge. Oyster card maker NXP took out an injunction to prevent details of the exploit being published, but a Dutch judge has ruled that the details can be published as legitimate research results under freedom of information laws.
Snapper is based on a later-generation chip than the version of the card that was cracked and has more secure encryption, says a spokeswoman for Snapper Services, the Infratil subsidiary which distributes the Snapper card in New Zealand.
“Snapper is a new-generation smart card, based on NXP’s Infineon, Smart MX and is highly secure,” she says. “Snapper uses a triple DES encryption with a 168-bit key, compared to the MiFare Classic card that was cracked. This uses a single 48-bit key.
“The triple DES security is standard in financial cards and has been approved in New Zealand as a secure mechanism for connection through to the Eftpos network.”
Cryptography expert Peter Gutmann, of the University of Auckland, says Snapper’s confidence is probably justified. “As far as I know the Snapper card is [equivalent to] the Korean T-Money, which apart from its use of the SmartMX doesn’t have much in common with the MiFare (or at least the closest equivalent would be a MiFare DESFire, not a MiFare Classic). So it won’t be affected by the MiFare Classic attacks,” he says.
The Snapper card can be reloaded with cash using credit card payment, either at a card-seller or online using a USB-attached reader.