The Leap Card Thread

Inniskeen · 14-02-2012, 10:00

Ok, lets assume its not a photocopier, but something else that grabs the contents of your E-purse. Imagine the hassle of getting a refund !

Maybe it is not much an issue, but it might indicate a deficient design in respect of security and if so, it may well be serious. It may be serious anyway as it indicates a poor system of authentication. The Leap card should only share info with an authenticated and authorised device.

Remember electronic voting, if Joe Public thinks its a substandard system then your system might end up in long term storage !

Maybe a simple ticket valid for a specfied period of time, say 90 minutes might have covered off most of the requirements from a user point of view.

markpb · 14-02-2012, 10:02

Quote:

Originally Posted by Inniskeen

Ok, lets assume its not a photocopier, but somethink else that grabs the contents of your E-purse. Imagine the hassle of getting a refund !

There's absolutely no proof that a) it happened, b) the photocopier managed to get his name from his card (which doesn't store your name) or c) that there's any security implications at all.

Quote:

Remember electronic voting, if Joe Public thinks its a substandard system then your system might end up in long term storage !

The difference here is that an expert group proved beyond proof that the electronic voting machines were unaditable and had security issues. All we have here is Joe Duffy and a mind reading photocopier.

Inniskeen · 14-02-2012, 10:18

I have no idea whether it happened or not, maybe its the photocopier's fault - it could have had Joe Duffy's details in its buffers and rather than reject the Leap card simply dispayed the contents of the buffer.

A few simple tests should be enough to establish whether there is an issue or not.

Locky · 14-02-2012, 11:40

Quote:

Originally Posted by markpb

There's absolutely no proof that a) it happened, b) the photocopier managed to get his name from his card (which doesn't store your name) or c) that there's any security implications at all.

b) When you register your card it stores your name and
c) I personally feel there are huge security implications if the photocopier can garner data from your Leap Card! Am i on my own here with these concerns?

James Howard · 14-02-2012, 11:52

It is also quite possible he had the RTE card close enough to be read and it just appeared that it was reading his leap card.

I keep my Dublin Bikes card in the same wallet as my train pass and oddly enough I can take a bike using my train pass.

plant43 · 14-02-2012, 16:37

Quote:

Originally Posted by Locky

b) When you register your card it stores your name and
c) I personally feel there are huge security implications if the photocopier can garner data from your Leap Card! Am i on my own here with these concerns?

It's my understanding that the card does not have your name, only the card number and the credit. The linking between the card number and the personal only happens at the frontend (i.e the website). The backend systems have no personal details. I'd be interested if I'm wrong though.

Mark Gleeson · 14-02-2012, 18:36

The card hold no names, addresses etc.

You need a special encryption key to read the card, however a very small amount of information is publicly available in read only mode, basically the card type and serial number

The access control in my office will beep as normal if I present an Irish Rail card instead of my staff card won't open the door though.

Charlie Hungerford · 03-03-2012, 10:36

There's a thread on another forum (http://www.boards.ie/vbulletin/showt...p?t=2056564768) stating that Irish Rail has given up on maintaining the validator at Broombridge and is telling Leap customers to buy old-style tickets for it. Is this really true??

Mark Gleeson · 03-03-2012, 12:56

There never was a working validator at Broombridge, ever

For Irish Rail smart cards there is a resolution for this issue, but you must contact Irish Rail and they will set your card up slightly differently

Leap does not have that ability

robdrysdale · 14-02-2012, 12:25

Quote:

Originally Posted by Inniskeen

Ok, lets assume its not a photocopier, but something else that grabs the contents of your E-purse. Imagine the hassle of getting a refund !

This is Troll Duffy rubbish. Leap Cards are secure encrypted cards in a similar way to SIM cards on your mobile. You'd need the key to decrypt and communicate with the epurse. RTE do not have the key so cannot possibly communicate with the epurse.

14-02-2012, 10:00	#1
Inniskeen Really Regular Poster Join Date: Oct 2010 Posts: 951	Ok, lets assume its not a photocopier, but something else that grabs the contents of your E-purse. Imagine the hassle of getting a refund ! Maybe it is not much an issue, but it might indicate a deficient design in respect of security and if so, it may well be serious. It may be serious anyway as it indicates a poor system of authentication. The Leap card should only share info with an authenticated and authorised device. Remember electronic voting, if Joe Public thinks its a substandard system then your system might end up in long term storage ! Maybe a simple ticket valid for a specfied period of time, say 90 minutes might have covered off most of the requirements from a user point of view. Last edited by Inniskeen : 14-02-2012 at 10:07.

14-02-2012, 18:36	#7
Mark Gleeson Technical Officer Join Date: Dec 2005 Location: Coach C, Seat 33 Posts: 12,669	The card hold no names, addresses etc. You need a special encryption key to read the card, however a very small amount of information is publicly available in read only mode, basically the card type and serial number The access control in my office will beep as normal if I present an Irish Rail card instead of my staff card won't open the door though. __________________ Unhappy with new timetable - let us know

03-03-2012, 12:56	#9
Mark Gleeson Technical Officer Join Date: Dec 2005 Location: Coach C, Seat 33 Posts: 12,669	There never was a working validator at Broombridge, ever For Irish Rail smart cards there is a resolution for this issue, but you must contact Irish Rail and they will set your card up slightly differently Leap does not have that ability __________________ Unhappy with new timetable - let us know

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

14-02-2012, 10:18	#3
Inniskeen Really Regular Poster Join Date: Oct 2010 Posts: 951	I have no idea whether it happened or not, maybe its the photocopier's fault - it could have had Joe Duffy's details in its buffers and rather than reject the Leap card simply dispayed the contents of the buffer. A few simple tests should be enough to establish whether there is an issue or not.

14-02-2012, 11:52	#5
James Howard Really Really Regluar Poster Join Date: Aug 2009 Location: Sligo Line Posts: 1,115	It is also quite possible he had the RTE card close enough to be read and it just appeared that it was reading his leap card. I keep my Dublin Bikes card in the same wallet as my train pass and oddly enough I can take a bike using my train pass.

03-03-2012, 10:36	#8
Charlie Hungerford Regular Poster Join Date: Aug 2009 Posts: 37	There's a thread on another forum (http://www.boards.ie/vbulletin/showt...p?t=2056564768) stating that Irish Rail has given up on maintaining the validator at Broombridge and is telling Leap customers to buy old-style tickets for it. Is this really true??