The Translink Go Card is the preferred choice for public transport in South East Queensland. The system consists of an RFID touch-on/touch-off card and a series of card readers on train station platforms, buses, City Cycle and ferries.
Originally plagued with implementation issues that almost saw provider Cubic sued for the delays and widespread problems the Go Card rollout faced, the network is in a much more stable state these days.
With paper tickets for some zones costing almost double the equivalent Go Card fare, the incentive to own and use a Go Card is very high.
As you will read, the Go Card is actually quite interesting, especially from a security perspective.
Details on the card itself
The card itself is a rebranded MIFARE Classic 1K smart card created by a company called NXP Semiconductors. It just so happens that the MIFARE Classic 1K is incredibly insecure and susceptible to numerous security issues.
Almost every major transportation network in the world that has an RFID reader/card setup uses an NXP Semiconductors RFID card, mostly from the MIFARE series. However, not all MIFARE cards have been “cracked” like the 1K variant has.
To quote Wikipedia’s information on the card:
The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc. It uses an NXP proprietary security protocol (Crypto-1) for authentication and ciphering.
As you can see, the Go Card is nothing more than a dumbed-down USB key. The readers at the train station, on the bus or on the ferry can read and write to your Go Card when they need to.
The encryption that secures your balance, trips and other pieces of information, like where you tap on and off, is apparently only protected by a key that is 50 bits long. This means the card can theoretically be cracked by a modern PC in a matter of minutes (we’ll get into that later too).
Presumably the Go Card uses the MIFARE Classic 1K because it was cheaper, and they’re willing to take the risk of potentially small amounts of fraud rather than replace all commuters’ cards or buy the more expensive and fancier MIFARE cards that NXP produces.
Given my card doesn’t expire until 2022, issuing new cards would be impossible for the moment at least. Although some of the more secure MIFARE cards do offer backwards compatibility.
Strangely enough, Sydney’s Opal card uses the much more secure MIFARE DESFire EV1, as does the Adelaide Metro metroCard, and in Victoria the Myki card uses the MIFARE DESFire (non-EV1 variant).
Go Card’s infrastructure
The Go Card uses a distributed settlement network, meaning all transactions take place between the card and the reader. Contrary to popular belief, when you tap on and off, the information is not communicated instantly to Translink’s servers.
Rather, the readers store the data and sporadically communicate with the servers to ensure they are up to date. This is how London’s Oyster Card network works, as do most RFID transportation networks like the Go Card system.
This means that for a brief period of time, the only entity that knows your balance is your card. For a small window of time, the reader trusts the balance on your card (at least until the reader syncs with the network).
The benefits of a settlement network are obvious and similar to how credit card transactions are processed. Have you ever noticed that when you purchase something using your credit card, the money doesn’t always come out of your account straight away?
A secure and stable realtime network just wouldn’t be worth the money it would take to maintain and scale for a system as large as the Go Card network, which would need to track reader communication in real time.
The downside of this kind of network, however, is that when you top up manually online it can take up to 48 hours for your payment to be applied, although it usually only takes a couple of hours.
The best time to top up your Go Card?
If you need the funds on your Go Card for the same day and you top up online, do it in the morning. In most cases the funds will be added to your account by the end of the day.
When you touch on at a reader, the balance is written to your card’s chip and stored temporarily until the network syncs up and checks that the balances are legitimate.
This is a handshake that is performed between the network and the card. Basically, the readers are notified of your transaction once they are updated during the network’s sync, and the balance is written to your card’s memory.
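The back-office side of that settlement check can be sketched as follows. This is an added example, not Translink's or Cubic's code: the record fields (a per-card transaction counter and before/after balances in cents), the reader names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tap:
    """One record a reader uploads at sync time (hypothetical format)."""
    card_id: str
    counter: int    # per-card transaction counter written by the reader
    reader_id: str
    before: int     # balance the card presented, in cents
    delta: int      # negative for a fare, positive for a top-up
    after: int      # balance the reader wrote back, in cents

def reconcile(ledger, taps):
    """Replay synced taps against the back-office ledger.

    ledger maps card_id -> (last_counter, balance_cents) and is updated in
    place. Returns (findings, hotlist); findings holds (card_id, counter, reason).
    """
    findings, hotlist = [], set()
    for tap in sorted(taps, key=lambda t: (t.card_id, t.counter)):
        last_counter, balance = ledger.get(tap.card_id, (0, 0))
        reasons = []
        if tap.counter <= last_counter:          # same card state used twice
            reasons.append("replayed_counter")
        if tap.before != balance:                # card disagrees with ledger
            reasons.append("balance_mismatch")
        if tap.before + tap.delta != tap.after:  # reader record is inconsistent
            reasons.append("bad_arithmetic")
        if reasons:
            findings += [(tap.card_id, tap.counter, r) for r in reasons]
            hotlist.add(tap.card_id)             # block list for the next sync
            continue                             # untrusted tap never moves the ledger
        ledger[tap.card_id] = (tap.counter, tap.after)
    return findings, hotlist

# Constructed sample data: ledger state before the sync, then one uploaded batch.
LEDGER = {"card-A": (10, 2000), "card-B": (4, 500), "card-C": (7, 1000)}
BATCH = [
    Tap("card-A", 11, "bus-17", 2000, -350, 1650),
    Tap("card-A", 12, "train-03", 1650, -420, 1230),
    Tap("card-B", 5, "ferry-02", 5000, -350, 4650),  # card claims $50, ledger says $5
    Tap("card-C", 8, "bus-09", 1000, -350, 650),
    Tap("card-C", 8, "train-11", 1000, -350, 650),   # same counter and balance again
]

if __name__ == "__main__":
    findings, hotlist = reconcile(dict(LEDGER), BATCH)
    for finding in findings:
        print(finding)
    print("hotlist:", sorted(hotlist))
```

The flagged cards are only known after the sync, which is the window of trust the section describes; the hotlist is what would be pushed back to readers to close it.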
Hacking the Go Card
I do NOT advise under any circumstances that you attempt to hack the Go Card network or the Go Card itself. You might find yourself in serious trouble if you do: while the network might be settlement based, there are ways you can be caught (CCTV footage, etc.). A cheap fare isn’t worth jail time.
If you want to try this stuff out, do it at home. Don’t attempt to attack a Go Card reader or use a modified Go Card.
For less than $50 you can actually buy a MIFARE compatible reader/writer off of eBay which can read the Go Card. You can buy a stack of blank MIFARE Classic cards off of eBay as well (5 for around $5). Duplicating a Go Card would be a fairly easy task, but NOT recommended.
There are details on how to perform the attack on the Go Card here at this link.