Octopus smart card used in Hong Kong (contactless smart card)


Example:

Paying for a metro ticket in Hong Kong with an Octopus card

Area of Impact:

2.1 Business & Employment - Transportation
2.4 Home & Leisure - Data logging





IT System Components

Input: Uses a touch-and-go system, meaning the card doesn't have to make contact. Hold the card over the sensor on the toll gate at the metro station when you enter and when you exit. The machine takes 0.3 seconds to process it.
Processing: When you enter at a metro station, that station is saved on your card. When you get off at another station, the sensor on the toll gate calculates the cost of the journey you have travelled and subtracts it from the value on your Octopus card.
Output: The toll gate opens and a beep plays to show that you're allowed in, if you have money on the card. If you don't have enough, your card will go into minus and you won't be allowed out at the exit station without recharging the card.
Communication: Communicates by radio frequency using a Sony 13.56 MHz FeliCa radio frequency identification (RFID) chip. Data is transferred between the card and the card sensor on the toll gate at 212 kb/s, which is the maximum transfer speed of the Sony chip.
Storage: Data is stored on the card and in the toll gates. The card has a capacity varying from 1 KB to 64 KB. No connection to a computer with a database is needed. Instead, the transaction may be transmitted by network after hours, or in the case of offline mobile readers may be retrieved by a handheld device, for example a Pocket PC.


Additional Information

There are different types of Octopus cards, for example the Octopus mini. There are also some cell phones, built about four to five years ago, with the Octopus chip built inside.

Unfortunately, it is possible for the card to be hacked. This happens with RFID. The video below shows how, though with an Oyster card. The Oyster card uses the same system, though.


The Octopus does not only come as a card. Previously you were able to get some older Nokias with the Octopus chip built in. Now, though, it is possible to get covers for iPhones with the chip. At this point it is only the iPhone 4 and 4s.



Sources

http://www.octopus.com.hk/customer-service/faq/en/index.html
http://www.it.iitb.ac.in/~tijo/seminar/Case_Studies_and_Profiles_Report.pdf
http://www.kmb.hk/en/
http://web.archive.org/web/20070210015251/http:www.octopusrewards.com.hk/works/en/index.jsp
http://web.archive.org/web/20071015170810/http:www.info.gov.hk/digital21/eng/knowledge/smarttech.html
http://www.legco.gov.hk/yr06-07/english/sec/library/0607in08-e.pdf
http://www.engadget.com/2008/03/14/oyster-cards-vulnerable-to-rfid-hack-lots-of-other-systems-too/
http://www.youtube.com/watch?feature=player_embedded&v=NW3RGbQTLhE
http://www.rthk.org.hk/rthk/news/englishnews/20070204/news_20070204_56_376306.htm
http://gbcode.rthk.org.hk/TuniS/app2.rthk.org.hk/pda/news/content.php?id=379458
http://www.rthk.org.hk/rthk/news/englishnews/20070727/news_20070727_56_419225.htm



Issues


1.1 Reliability & Integrity
1.2 Security
1.5 Authenticity

The wrong amount may be subtracted from or added to your Octopus card when leaving the subway. There was a case of this in 2007 where value was added even though the payment from the user's bank account was cancelled. Though this doesn't hurt the user, it is possible that a similar error could occur the other way around.

As shown in the video above, it is possible for the card data to be hacked. It gets distributed to other cards and therefore the so-called hackers can use the credit and data of the owner's card. You cannot compare this to a wallet being stolen since you're still able to use your own card and the value on it. But at some point the data of the toll gates will be collected and the Octopus company will lose money since the hackers haven't paid. Though it seems this hasn't happened with the Octopus card, it has happened to the similar card called Verizon card in England.
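The offline store-and-forward flow described under IT System Components, and the point above that copied card data only becomes visible once the toll gate data is collected, can be modelled as follows. This is an added example, not Octopus's own code: the station names, fares, card IDs and the per-card transaction counter are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed fare table in HKD cents between made-up stations (not real fares).
FARES = {frozenset("AB"): 500, frozenset("AC"): 900, frozenset("BC"): 600}

@dataclass
class Card:
    card_id: str
    balance: int        # stored value in cents
    entry: str = ""     # entry station saved on the card
    counter: int = 0    # assumed per-card transaction counter (hypothetical field)

class Gate:
    """Offline toll gate: works from card data only and queues records for upload."""
    def __init__(self, station):
        self.station, self.log = station, []
    def enter(self, card):
        card.entry = self.station
    def leave(self, card):
        fare = FARES[frozenset((card.entry, self.station))]
        before = card.balance
        card.balance -= fare
        card.counter += 1
        self.log.append((card.card_id, card.counter, before, card.balance))

def reconcile(gates):
    """Merge collected gate logs; flag card IDs with a reused counter or broken balance chain."""
    history = defaultdict(list)
    for gate in gates:
        for card_id, counter, before, after in gate.log:
            history[card_id].append((counter, before, after))
    suspicious = set()
    for card_id, records in history.items():
        records.sort()
        for prev, cur in zip(records, records[1:]):
            if cur[0] == prev[0] or cur[1] != prev[2]:
                suspicious.add(card_id)
    return suspicious

def demo():
    a, b, c = Gate("A"), Gate("B"), Gate("C")
    genuine, other = Card("card-1", 5000), Card("card-2", 3000)
    clone = replace(genuine)    # constructed copy of card-1's stored data
    trips = [(genuine, a, b), (clone, a, c), (other, b, c), (genuine, b, c)]
    for card, gate_in, gate_out in trips:
        gate_in.enter(card)
        gate_out.leave(card)
    return reconcile([a, b, c])
```

Each gate accepts the copied card on its own because it sees only the card's data; the duplicate counter for card-1 appears only when the logs from all gates are merged.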

If a person loses their Octopus card, they are able to get the amount of money on it restored to a new card. A 50 HKD fee will be charged for the new card. Because the toll gate is not able to identify the user of the card, all the money on the card can be used if the person who lost the card is not able to report the loss fast enough. The Octopus company therefore has a policy saying that the loss has to be reported within three hours for them to take care of the amount the thief has used.

All three of these issues are rather significant. While issues one and two are a problem for the Octopus company, issue three is completely a user issue. I would say that issue number two is the worst since there is no solution to the problem yet. They cannot prevent hackers from abusing the system. A solution to the hacking problem would be to add something special to the Octopus cards so only those types of cards are readable. For example, with the hack all the hackers' cards are blank white cards, different in design but not in technology. Therefore, if the card could be changed to something that only the Octopus company has, that would solve the problem.

The biggest issue is that the card can be hacked.