
What does your Clipper card say about you? Image: Devin Carraway
If you pay attention to tech news, you’ve probably heard about the increasing ubiquity of RFID devices — small chips attached to antennae and embedded inside plastic housings, capable of simple storage and a little limited computation. Chances are you’re carrying a few around with you — RFID is used in card keys to open doors and key fobs to unlock cars. Companies use them for inventory, supply chain management, and theft prevention. Car-sharing companies use them to let you into the cars you’ve rented. FasTrak uses them to charge bridge tolls, and transit agencies use them in fare cards, like Clipper.
If you pay a little more attention to computer security news, you’ve probably also heard concerns over RFID’s security when it comes to your private information. Cards like Clipper are meant to be readable only with a tap, but as you probably know, usually a few inches will do. That’s with the power levels and antennae in the readers that SFMTA/BART are deploying.
With more power and a larger antenna, the range increases; the practical limits vary with the frequencies and chips involved. At Clipper’s 13.56MHz, you can read the card from a few feet with an antenna that can fit in a backpack. The most common concern is that RFIDs can then be read by anyone who can mount a reader on something that you walk past, without your knowledge or control.
When an RFID device is being read, most do nothing but announce a long number — but it’s a unique number, and it’s enough to recognize you next time. There are some innocuous uses for that, and some malicious ones.
Clipper is a fancier beast — Clipper cards contain MIFARE DESFire chips. They have a rudimentary operating system, with a file system capable of reading and writing data and simple cryptographic authentication. That’s pretty much all you need to implement a contactless fare system. They implement a standard protocol, part of a range of technologies emerging in portable gadgets. Some Android phones support it now, and the next iPhone is rumored to be adding it too. You might have heard of MIFARE one other place — the MIFARE Classic chip was used in London’s Oyster cards, and was badly flawed in ways that could be exploited to evade fares, clone cards, etc. NXP Semiconductor, who devised the chips, unsuccessfully sued to stop publication of research demonstrating those flaws.
To date there have been no published attacks against the DESFire in Clipper cards. Chances are there are still flaws — most software is like that. The Associated Press reported that an employee of Cubic Transportation Systems, the same vendor that makes and distributes Clipper cards, had a cottage industry selling perfectly usable forged fare cards in Boston, though not enough details have come out to know whether the methods involved could affect Clipper (the MBTA, meanwhile, terminated Cubic’s contract and plans to seek reimbursement for $5M in suspected losses).
I’ve been interested in what’s actually stored on these cards, and what could be read from it. So, I did a bit of experimenting. I paid cash for a fresh Clipper card. I ran up some trips on it, and then scraped it out using FareBot for Android. Here’s what you can read from my Clipper card, with equipment no more sophisticated than a cellphone:
- Various unique card IDs, manufacturing dates, batch numbers, versioning data, etc.
- Card balance
- Passes loaded (which I didn’t test, but it’s in there)
- What trips you’ve taken. For Muni, it’s when you tagged the reader. For BART, the card records every station you visited and when. Caltrain, Golden Gate Transit, and the ferries record fare zone and time at either end of the ride.
- History of cash reloads. This includes the amount, the agency and the specific machine you visited.
Looking over the raw data a bit, the designers allocated themselves enough space to record 16 trips and six refill histories. There’s also a large (1280 byte) buffer of no documented purpose, but my sample card did have data with some clear patterns written there.
The good news, I suppose, is that Clipper isn’t storing very much about Muni trips — it’s pretty much nothing but what time you tagged to board the vehicle. On the other hand, BART is storing a large amount of information, especially on a card that can be read by anyone who can hold a phone up to your pocket. Records of past trips are useful for all sorts of nefarious parties and of no use to legitimate fare inspectors. Payment history really shouldn’t be stored on the card either — all a fare inspector really needs is a fare balance, not a history of my financial transactions.
Clipper’s privacy policy doesn’t distinguish what they store on the card versus on their own servers. On the subject of security, the policy says that Clipper “will take all reasonable steps to safeguard personal information through physical, electronic and procedural means.” For me, it’s hard to interpret a universally readable card as meeting that standard.
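An added example (not from the original post, and not FareBot's code): DESFire chips attach access rights to each file, and a file whose read right is set to "free" can be read by any reader without a key, which is the kind of setting that leaves a card universally readable. The sketch below decodes the access-rights field of a file-settings response and flags such files, as an issuer might when auditing a card layout; the sample bytes are constructed for a hypothetical layout, not read from a Clipper card.

```python
import struct

FREE = 0xE  # access-right nibble: no authentication required
DENY = 0xF  # access-right nibble: never permitted
FILE_TYPES = {0: "standard", 1: "backup", 2: "value",
              3: "linear-record", 4: "cyclic-record"}

def parse_settings(raw):
    """Decode the common header of a DESFire file-settings response.

    Layout: file type (1 byte), communication mode (1 byte), access
    rights (2 bytes, little-endian); type-specific fields follow.
    """
    if len(raw) < 4:
        raise ValueError("file settings shorter than 4 bytes")
    ftype, comm, rights = struct.unpack_from("<BBH", raw)
    if ftype not in FILE_TYPES:
        raise ValueError(f"unknown file type {ftype:#04x}")
    # Four 4-bit fields, most significant first; 0x0-0xD name a key slot.
    read, write, rw, change = ((rights >> s) & 0xF for s in (12, 8, 4, 0))
    return {
        "type": FILE_TYPES[ftype], "comm": comm & 0x03,
        "read": read, "write": write, "read_write": rw, "change": change,
        # Holding either the Read or the Read&Write right permits reading,
        # so a "deny" in Read alone does not close the file.
        "open_read": FREE in (read, rw),
        "open_write": FREE in (write, rw),
    }

def audit(files):
    """List (file id, type, exposure) for files usable without a key."""
    findings = []
    for file_id, raw in sorted(files.items()):
        s = parse_settings(raw)
        exposure = [name for name, is_open in
                    (("read", s["open_read"]), ("write", s["open_write"])) if is_open]
        if exposure:
            findings.append((file_id, s["type"], "/".join(exposure)))
    return findings

# Constructed sample settings for a hypothetical card layout
# (not values read from a Clipper card).
SAMPLE = {
    0x01: bytes.fromhex("0000" "11e1" "200000"),              # Read = free
    0x02: bytes.fromhex("0403" "2012" "200000100000050000"),  # keys 1 and 2 only
    0x03: bytes.fromhex("0200" "e0f3" "00000000102700000000000000"),  # Read = deny, R&W = free
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("file %#04x (%s): %s without authentication" % finding)
```

File 0x03 in the sample is the case worth noticing: its Read right is "deny", yet the free Read&Write right still exposes it.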
How accessible is the data on your Clipper card? It depends. If you’re using it to stalk someone on BART using nothing but a cellphone, you’d have to get within a few inches of their pocket or purse when they’re not looking. Doable, if you’re motivated. Embarrassingly easy on packed trains or buses, really, where it’s hard not to get close. If you wanted to scan a dozen people on a 38-Geary to see who just refilled their card and is likely to be carrying cash, you might have to do some conspicuous squirming around. To scan everyone coming out of Montgomery BART in the morning to see what station they live near, you might build a larger antenna and reader into a briefcase or newspaper box.
Would you? Enh.
The good part about technological crime is that those with the skills and equipment to do it usually have no motivation for petty crimes. The bad part is that it tends to facilitate major complex ones, and economies tend to generate around vulnerabilities these days. Security researchers worry about RFID because it enables clandestine spying on people’s activities, which I think Clipper certainly makes easier. Use of RFID in fare systems is also worrisome because transit systems are usually run by government agencies and built by contractors, which is an environment prone to fallible design and poor security design decisions.
At any rate, it was an interesting little tour. With NFC chips moving inside cellphones and controllable from software, I hope to see transit fare cards replaced with on-phone equivalents that are properly backed up against loss and only allow the data to be read when I authorize it.
how is this guy only paying $1.75 fare?
The $1.75 Muni fare happens because there’s an automatic 25 cent discount when transferring from BART to Muni within one hour, and returning from Muni to BART within 24-hours.
This policy was in place prior to Clipper with the paper transfer machines inside BART stations.
Actually, fare history is very important to POP officers. If you get pinched on the train and claim you tag in every morning but the reader was broken, they can look at that history. If you really do tag on every morning at 8:15, they can view that and take into account your claim that the clipper card reader didn’t work. They know the clipper readers are iffy sometimes… Helps them make fare evasion decisions.
Also, SFMTA uses clipper data on a larger scale to study traffic patterns and scheduling of vehicles. More data is important in figuring out how many buses the 22 needs next week.
I’ve thought about ride history as a tool for PoP enforcement, and while it adds some value to an otherwise unbalanced cost/benefit tradeoff, I’m unconvinced. It’s essentially trading a readily-stealable record of your movements for the possibility that you get a forgiving fare inspector. To its credit, Muni is recording almost the correct minimum level of detail to facilitate that forgiveness by recording only time & agency and not the coach number or terminal ID (there’s space on the card for it, but all the readers I’ve seen record a “1” there.)
The value of aggregate ride data to SFMTA isn’t even an argument. Recording on the card cannot achieve that goal.
you’re assuming that the Fare Inspector is either smart enough or inclined to (depending on his or her mood) actually look at that data and make an active decision to let that individual go, based on his assertion that he tags his card every morning.
I think that most fare inspectors are SFPD rejects, and frankly are not smart enough to arrive at a reasonable conclusion. They recite a script when they board the vehicle, and when they issue a citation. I don’t think they’re gonna look at some data and make a reasoned, calculated conclusion from it.
I don’t know about MUNI, but CalTrain has some pretty smart conductors. They actually DO look at trip history in making decisions. Now, policy requires them to kick you off the train if you don’t have a ticket (and they are probably supposed to fine you), but I do see them being very lenient sometimes — at the very least, helpful.
It doesn’t happen all of the time, but I have seen monthly pass riders forget to tag on, or double tag (invalidating their pass). The conductor was able to see their history and indicate the correct behavior. Typically in these instances, the conductors will be more than happy to hold the train for an extra few seconds so that the rider could re-tag.
Also, this has been beneficial for me, as well, so that I can see my own tagging history.
BUT! I would prefer to see proper NFC implementation using a smartphone over RFID using a dumb-card. It’d be nice to be able to authorize a transaction (and wouldn’t add too much inconvenience to the process).
I think the reason the BART stations you start from and end at are recorded is for your fare payment. You don’t pay when you enter a BART station, your payment is deducted from your card when you exit a station since the fares increase depending on how far you go. If the scanner doesn’t read correctly and doesn’t let you exit, you have to go to the station agent. They used to have to ask you what station you started at (when using a paper ticket), now the clipper cards can just show where you started from.
I think that makes the most sense, especially since it doesn’t record what muni line you’re on; no need – same fare throughout.
Other thoughts?
Bella, Devin knows this about how BART collects payment. It’s in his post, but it’s not the point of the post.
The point is that there is other data stored on your Clipper card that is potentially readable by someone a few feet away with a cellphone.
I wonder two things:
1. Will the police use them to catch Nefarious Lawbreakers like they use NYC Metro cards on Law & Order?
2. Can you just record the *BEEP* with your phone, then sloppily slide your empty-ass Clipper against the reader so it won’t read, and beep yr phone? (I’m 100% sure I’m about the 957th person to come up with this, but, ya know.)
Here’s what I don’t understand.
http://en.wikipedia.org/wiki/MIFARE#MIFARE_DESFire
Of course, Wikipedia could be mistaken, but the DESFire card is supposed to be cryptographically secure. There is one documented attack that (according to the manufacturer) takes a controlled lab environment to carry out.
Did they turn off the security features? How is a device (presumably without the encryption key) able to read the data in the first place?
Guess I’ll have to look more into how FareBot works.
The most obvious use of the trip history of fare cards is by private investigators. Your whereabouts may be useful during a messy divorce, for the other side that is.
I think there are open questions that need to be addressed as well, like whether or not law enforcement can pull your trip history without a warrant. If the questions are answered, can anyone point me to them? I can’t find much info on it.