US disposable subway fare cards could be used ‘endlessly’

The poor implementation specifically relates to the Mifare Ultralight card. It is meant to be self-contained, so there is no connection to a central control server that can monitor its use. Instead, a number of ‘rides’ are pre-loaded onto the card, and a counter on the chip decreases with each ride until they are all used, at which point the disposable card is discarded.

The problem, according to researchers Corey Benninger and Max Sobell from Intrepidus Group, is that at least the two transit systems tested (New Jersey and San Francisco) had failed to make use of the Mifare card’s built-in one-way counter. In the researchers’ own words, the cards “support a feature called a ‘One Way Counter’ (which was named One Time Programmable or ‘OTP’ in previous documents). These bits are in page 3 of the card’s data and once a bit is turned on, it can never be turned back off. This way, a card could be limited to being used only a limited number of times. These bits are left unchanged by the two transit systems we looked at which used Ultralight cards.”

That is, a switch on the cards that would ensure that the usage counter could only decrease had been left untouched – allowing the researchers to reset it to the original number of available rides. They developed an Android app that can both read and write to the card via NFC, and demonstrated its use in a video presented at EUSecWest last week. After using the fare card to gain a ride, they simply tapped the card against a smartphone (in this instance a Nexus S, but it could be any phone running Android 2.3.3 or later) and reset the card to its original state.
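To make the distinction concrete, the following is an added example and not code from the article or from the Intrepidus Group app. It models a Mifare Ultralight in memory (16 pages of 4 bytes, with page 3 as the 32-bit one-way counter whose bits can be set but never cleared, per the Ultralight datasheet) and contrasts a fare scheme that burns one OTP bit per ride with one that keeps a rewritable counter in user memory. It also includes the kind of audit check an operator could run on a used card. The fare-scheme functions, the audit function and the choice of page 4 for the flawed counter are assumptions made for the example.

```python
# Added example: simulated MIFARE Ultralight one-way counter (page 3) versus a
# rewritable ride counter in user memory. Page layout follows the datasheet;
# the fare functions and COUNTER_PAGE are assumptions, not a real operator's scheme.

PAGE_SIZE = 4
NUM_PAGES = 16
OTP_PAGE = 3          # datasheet: one-way counter / OTP page, 32 bits
COUNTER_PAGE = 4      # assumed location of the flawed, rewritable ride counter
OTP_BITS = 32


class UltralightSim:
    """In-memory stand-in for the chip. Only the OTP behaviour of page 3 is
    modelled: the chip ORs new data into that page, so 1 bits are permanent."""

    def __init__(self):
        self.pages = [bytearray(PAGE_SIZE) for _ in range(NUM_PAGES)]

    def read(self, page: int) -> bytes:
        return bytes(self.pages[page])

    def write(self, page: int, data: bytes) -> None:
        if len(data) != PAGE_SIZE:
            raise ValueError("Ultralight pages are 4 bytes")
        if page == OTP_PAGE:
            # irreversible: existing 1 bits stay 1 whatever is written
            self.pages[page] = bytearray(o | n for o, n in zip(self.pages[page], data))
        else:
            self.pages[page] = bytearray(data)


def otp_bits_set(card: UltralightSim) -> int:
    """Number of one-way counter bits already burned."""
    return bin(int.from_bytes(card.read(OTP_PAGE), "big")).count("1")


def deduct_ride_otp(card: UltralightSim, total_rides: int) -> bool:
    """Correct scheme: each ride burns one OTP bit. Returns False when exhausted."""
    used = otp_bits_set(card)
    if used >= total_rides or used >= OTP_BITS:
        return False
    value = int.from_bytes(card.read(OTP_PAGE), "big")
    for i in range(OTP_BITS):
        bit = 1 << (OTP_BITS - 1 - i)   # burn from the most significant end
        if not value & bit:
            card.write(OTP_PAGE, (value | bit).to_bytes(PAGE_SIZE, "big"))
            return True
    return False


def rides_left_otp(card: UltralightSim, total_rides: int) -> int:
    return max(0, total_rides - otp_bits_set(card))


def load_rides_counter(card: UltralightSim, rides: int) -> None:
    """Flawed scheme: rides stored as a plain counter in ordinary user memory."""
    card.write(COUNTER_PAGE, rides.to_bytes(PAGE_SIZE, "big"))


def deduct_ride_counter(card: UltralightSim) -> bool:
    """Flawed scheme: decrement and write back. Page 4 is plain user memory,
    so nothing on the chip stops a later write restoring an earlier value."""
    left = int.from_bytes(card.read(COUNTER_PAGE), "big")
    if left == 0:
        return False
    card.write(COUNTER_PAGE, (left - 1).to_bytes(PAGE_SIZE, "big"))
    return True


def audit_card(card: UltralightSim, rides_used: int) -> str:
    """Operator-side check: after rides_used rides, a card whose page 3 is still
    all zeros is not using the one-way counter at all (the condition the
    researchers' app reports)."""
    burned = otp_bits_set(card)
    if rides_used > 0 and burned == 0:
        return "VULNERABLE: one-way counter unused, ride count is rewritable"
    if burned >= rides_used:
        return "OK: one-way counter in use"
    return "INCONSISTENT: fewer OTP bits burned than rides used"


if __name__ == "__main__":
    good, bad = UltralightSim(), UltralightSim()
    load_rides_counter(bad, 10)
    for _ in range(3):
        deduct_ride_otp(good, 10)
        deduct_ride_counter(bad)
    print("OTP card:", audit_card(good, 3), "| rides left:", rides_left_otp(good, 10))
    print("counter card:", audit_card(bad, 3))
```

The point of the simulation is the `write` path for page 3: because the chip ORs new data into the OTP page, no later write can restore a burned bit, which is exactly the guarantee the two transit systems gave up by leaving those bits untouched.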

This is a flaw in neither the Mifare Ultralight card nor NFC per se: it is a flaw in the way the card is used on these two particular transit systems. Not all transit systems use the Mifare card, nor are they likely to all have the same implementation weakness. Nevertheless, the researchers have placed a doctored version of their app on Android Play. It won’t allow you to cheat the system, but it will tell you if your local transit system is vulnerable.

Then, as Sophos comments, “if you find Ultralights implemented insecurely, please pester your transit authority to get on the ball and fix it. After all, it's we the transit riders who pay for slip-ups like this.”