Audit of the Charlie Ticketing System for the Massachusetts Bay Transportation Authority
Team China Consulting: Luke, Dylan, Scott, and Craig.
The Incident
• Three MIT students explored the obvious weaknesses at the MBTA.
• The MBTA’s fare-collection system, named the CharlieCard, was “hacked” to show false values.
• The entire MBTA facility was shown to be lacking security in general.
What Happened?
• The students got into the building through unlocked doors.
• Many locks were unlocked on rooms, phone boxes, and networking systems.
• They also found a key and other physical identification that should not have been lying around.
• They also eventually hacked the CharlieCard mag-stripe value.
• They also hacked the MIFARE cards’ RFID security encryption, allowing cards to be cloned.
• They documented their entire experience with photos and assembled a slideshow.
Recommendations
• Risk Assessment (Internal & Third-party)
• Improve Physical Security
– Access Control Hardware & Software
– Visitor Management System
• Improved Ticketing Hardware
– CharlieTicket
– CharlieCard
Risk Assessment
• Regularly scheduled (Internal & Third-party)
• Management, Security and end-user involvement
• Reports to identify risk areas and levels
• CounterMeasures® – Risk Analysis Software, $14,500 (CounterMeasures®, n.d.)
• RFPs to be reviewed for vendor selection
Physical Security
• Access Control Hardware & Software
– Increase security by eliminating keys
– Provide management, audit tracking and incident response
– Typical installations $1500 - $2500 per door (Access control, n.d.)
– RFPs to be reviewed for vendor selection
Physical Security
• Visitor Management System – Lobby Track™
– Increased control and security of visitors in MBTA facilities
– Security desk, on-line or self-registration kiosk check-in available
• $1800 per location (Edition Comparison, n.d.)
CharlieTicket
• Improved card security
• Use an MD5 checksum
• Implement a central server to track card value
• Implement an exchange program to remove insecure cards from being used
• Cost
– $0.60 each card (Standard HoloMark, n.d.)
– $5,000 for each new server (Dell PowerEdge, n.d.)
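An added example (not part of the audit deck) of the two CharlieTicket recommendations above, a value integrity check on the stripe and a central server that tracks card value, in Python. It swaps the slide's bare MD5 checksum for a keyed HMAC (SHA-256), because an unkeyed digest can be recomputed by whoever rewrites the stripe; the key, card ids, values and field layout are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key; in practice held only by the central server, never on a ticket.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

def _tag(payload: str) -> str:
    # Keyed HMAC-SHA256 over the stripe fields; an unkeyed MD5 checksum
    # could be recomputed by anyone able to rewrite the stripe.
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def encode_stripe(card_id: str, value_cents: int, txn: int) -> str:
    """Build the record written to the mag stripe: fields plus keyed tag."""
    payload = f"{card_id}|{value_cents}|{txn}"
    return f"{payload}|{_tag(payload)}"

def decode_stripe(stripe: str):
    """Return (card_id, value_cents, txn) if the tag verifies, else None."""
    try:
        card_id, value, txn, tag = stripe.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(f"{card_id}|{value}|{txn}")):
        return None
    return card_id, int(value), int(txn)

class CentralLedger:
    """Server-side record of each card's value; the stripe is only a cache."""
    def __init__(self):
        self.cards = {}  # card_id -> (value_cents, txn)

    def issue(self, card_id: str, value_cents: int) -> str:
        self.cards[card_id] = (value_cents, 0)
        return encode_stripe(card_id, value_cents, 0)

    def charge(self, stripe: str, fare_cents: int) -> str:
        """Deduct a fare; returns the rewritten stripe or a REJECT reason."""
        rec = decode_stripe(stripe)
        if rec is None:
            return "REJECT: bad tag"
        card_id, value, txn = rec
        # A cloned, replayed or rolled-back stripe carries a stale (value, txn).
        if self.cards.get(card_id) != (value, txn):
            return "REJECT: stripe disagrees with ledger"
        if value < fare_cents:
            return "REJECT: insufficient value"
        self.cards[card_id] = (value - fare_cents, txn + 1)
        return encode_stripe(card_id, value - fare_cents, txn + 1)
```

The ledger check is what catches a stripe whose fields and tag are both valid but stale, which the checksum alone cannot detect.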
CharlieCard
• Original CharlieCards are “Classic MIFARE”
• MIFARE Plus = Improved security over regular “MIFARE”
– Better encryption
• AES-128 bit keys instead of 48 bit encryption (The MIFARE Classic Card is Hacked, 2008)
– Harder to crack
• $6.00 per card (Charlie's Devils, 2008)
Thank You
Team China Consulting: Luke, Dylan, Scott, and Craig.
References
Access Control System Pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone: http://www.buyerzone.com/security/access_control/buyers_guide6.html
Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from CNN Politics: http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/
Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston Globe: http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/
B., B. (2008). Cracking the Charlie Card. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.
COBIT Student Book. (2004). COBIT in Academia. Rolling Meadows, IL: IT Governance Institute. http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf
CounterMeasures® Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software: http://www.countermeasures.com/enterprise_platform_product.htm
Dell PowerEdge R510. (n.d.). Retrieved May 17, 2010, from Dell: http://configure.us.dell.com/dellstore/config.aspx?c=us&cs=555&l=en&oc=MLB1197&s=biz
Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track: http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php
McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online Edition: http://tech.mit.edu/V128/N30/subwayvulnerabilities.html
References (continued)
McNamara, P. (2008, August 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network World: http://www.networkworld.com/community/node/30940
Mills, E. (2008, December 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET News: http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title
National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10, 2010, from The National Archives: http://www.archives.gov/press/press-releases/2009/nr09-89.html
Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anatomy of a Subway Hack. Retrieved March 10, 2010, from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Standard HoloMark Card Silver (On UltraCard III w/ High-Coercivity Magnetic Stri. (n.d.). Retrieved May 17, 2010, from Alvio inc: http://www.alvio.com/product_view.aspx?product_ID=374049&source_ID=froogle
The MIFARE Classic Card is Hacked. (2008, March 19). Retrieved May 12, 2010, from Burton Group Blogs: http://identityblog.burtongroup.com/bgidps/2008/03/the-mifare-clas.html