Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Paying for the London Underground with a dissolved, naked Oyster card

Cory Doctorow at 12:07 am Mon, May 5, 2008

— FEATURED —

THE LATEST

Guatemala: Archive of documents from Rios Montt genocide trial, overturned 10 days after guilty verdict

THE LATEST

Guatemala: Nation's highest court throws out Ríos Montt genocide trial verdict and prison sentence

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

Book Review

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle
In this video, Flickr user Chriswoebken dissolves one of the London Underground's RFID-based Oyster cards with nail-polish remover, leaving behind nothing but the chip and its antenna -- and then gets on and off the tube using nothing but a flimsy bit of electronics, sometimes in his hand, sometimes taped to a sheet of paper.

I've been trying to come up with a good Oyster killing method since Transport for London made Oysters near-mandatory (you can't get a week-long pass without any Oyster anymore, and the buses are incredibly expensive if you don't pay by Oyster). In my ideal world, I'd pay cash for an Oyster card, use it for a couple weeks, trash it, and get a new one, so that there would be no long-term ride history for me on file.

Unfortunately, the ticket-agents have started to charge £3 for replacement Oyster cards, which I'm sure they'd waive if the card was malfunctioning. Microwaving the card leaves behind some unfortunate burn-marks.

The nice thing about this video is that it hints at the location of the RFID chip in the Oyster, which appears to be one of the corners. Anyone know which? Link (via Beyond the Beyond)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  Civlib • Gadgets • Happy Mutants • maker

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • KeithIrwin

    From the pictures, it’s clear that there are two wire loops which serve as quad antennas. You could likely make the card not usable by breaking the antenna wires. You should be sure not to do it in the middle (which would be the opposite corner from the chip), since that could just make it into a double dipole antenna of appropriate size. However, if you chose a random spot along the rim of the card and snipped it, then you’d likely make the antennas nearly useless.

  • arkizzle

    My Oyster is unregistered..

    London Underground has been able to track travelcard movements (season and single) in detail for decades. Now I suppose it’s easier to associate specific information to that card, like Chip&Pin or CC info.

  • Jeff

    I’ve used these things. I thought they were nice. But then agian, I think my implant is nice too.

  • elevenwatt

    Thanks for the short-term tinnitus. And the dose of paranoia.

  • mikeryz

    Unless you replace your cellphone every few weeks as well (and pay cash for minutes, which I realize is probably easier over there in Europe than here in the States), they’ll have way better information on your movements than they’ll get from your Oyster card.

  • Bugs

    @NIL

    The card works out cheaper than paper tickets because they want everyone to use Oyster. It isn’t some innate feature of the card, it’s a deliberate policy to get as many people on the database as possible. The only advantage of the card for users is reduced queues at the ticket machines. Admittedly, this is a biggie.

    As for “they’re not a form of ID”: many thousands of them actually are. All student, “young person” and other discounted oyster cards bear the owner’s name and photo and must be registered to their home address. I have a student card, so it’s registered to my parents’ address (despite the fact that I’m in my mid-20s and haven’t lived there for years), my address and my college.

    Additionally, if you buy a season ticket (monthly or annual) you’re strongly encouraged to link the card to your bank account and to register the card to your name and address in case it’s lost or stolen. I’ve been told that registration is compulsory for annual tickets, but I’ve never looked it up.

    This could all be perfectly benign, but does mean that anyone with access to the Oyster system can type my name into a computer to produce a list of everywhere I’ve been on public transport during the last three years, accurate to the minute. Similarly, anyone who happens to get hold of my card can take it to a top-up machine and see the same information. The only way to break this trail is to forfeit my discounted travel, which I can’t currently afford to do.

    Anti-terrorism stuff: Recently, there has been talk of systematically trawling the Oyster database for “suspicious behaviour”. They’re making the step from the police needing a warrant to access a specific suspect’s details to automatically watching everyone who uses the system. Of course, if you want to get up to something illegal all you need to do is swap to an unregistered card or pay extra for a paper ticket.

    The comparison with the CCTV cameras is meaningless. CCTV cameras can’t yet automatically recognise someone and follow them around a city (although big money is going into this). Monitoring someone on CCTV takes expensive investment of man-hours. Monitoring people’s movements on the Oyster system can be totally automatic. Or, if they’re after you specifically, your travel records can be retrieved within seconds. This makes i much more likely that a given innocent person’s movements will be monitored.

    Besides, just because the govt already have one way of watching us all doesn’t mean we should be happy to give them another one.

    As for why I object to this stuff: it ranges all the way from worries about Big Secret Conspiracies (you may trust this govt, but what about when some nutter gets in charge of this surveillance infrastructure in 20 years’ time?) down to the simple fact that what I do and where I go is none of their damn business.

  • Felix Mitchell

    Could you expand the copper loop antenna with more wire? e.g. make your whole jacket into an oyster card

  • Bugs

    @JONATHAN V

    Good point, I hadn’t thought of that. Here in London though, there is a huge and growing gap between the prices of paper and Oyster tickets. Paper tickets have been climbing steadily in price since the introduction of Oyster cards; it’s now at the stage that a single Tube journey costs 1.50 on Oyster or 4.00 for a paper ticket.(http://www.ukstudentlife.com/Travel/Transport/London/Underground.htm#TicketPrices2008) This does seem to be a push to get peopl to switch to Oyster as an Oyster card costs 3.00 (refundable). As you say though, I guess it’s wrong to guess their motives without without knowing how much money the Oyster system saves them.

    @MINAMISAN
    Oyster cards are unregistered by default. You can pick them up for 3.00 pounds from ticket offices or little vending machines. You also have the option to top up using cash at a vending machine or in some shops. You’re encouraged to register the card to protect against loss or theft, but it isn’t compulsory.

    I don’t know about the Tokyo system, but our Oyster system is exactly like the Octopus system in parts of China, if you’ve ever used it.

  • MITTZNZ

    I’ve been able to ride Heathrow Express for “free” with an Oyster card before (still don’t know why, but hey, it’s a “free” ride). I wonder how the agents would deal with a bunch of wires attached to a chip.

  • Scary_UK

    Cefeida-

    Yes they need to know where you’ve ‘touched in’ and ‘touched out’ in order to work out how much money to deduct from the card… if any.

    I’d assume they’re also really good in terms of planning for the future, Transport For London could use statistics from the data to determine travelling trends and then put on more buses and adjust timetables as necessary.

    As Jonathan V says, there are many other advantgaes in terms of maintenance, wear and tear etc… also it takes cash out of the buses and tube stations which is always a good thing

  • billc9829

    Unfortunately, the ticket-agents have started to charge £3 for replacement Oyster cards, which I’m sure they’d waive if the card was malfunctioning. Microwaving the card leaves behind some unfortunate burn-marks.

    CIVLIB, you are not charged for getting a replacement card if your old one fails. You need to go to a Tube Station and they will replace the card free of charge for you, ticket agents CANNOT transfer the funds from a failed card to a replacement card.

  • Kickyfast

    I don’t really understand the paranoia, but I liked the Alva Noto…

  • dainel

    Perhaps we are wrong to fight for privacy? Perhaps we should give it all up. Completely. But fairly (more on this below). Chip every single person at birth. Sensors all over the country track your every movement down to the nearest cm. Every single second, every single day. The police will like this. Makes it much easier to solve crimes, you can narrow down the suspect list.

    However it must be fair. If the government can track my every movement, I should have access to all this information too. I should be able to see the movement history of the PM, every politician, every police officer, my neighbours, every one. No exception. All these data should be publicly available to everyone. No filtering because of “security”. It’s either all or nothing. Or else you end up with a police state. Anyone who fudges the data gets their head chop off for treason. That will make a truly open society.

    BTW: #24 Nil should read Cory’s short story, Scroogle. http://www.radaronline.com/from-the-magazine/2007/09/google_fiction_evil_dangerous_surveillance_control_1.php

  • Baldhead

    I can see movement tracking as being a useful thing for police. Someone uses the tube after killing someone, or to verify someone (or at least their card) was on ethe tube at the time of the murder.

    as for using it to harrass/ track random innocent people… well if their database has only the amount of info that DHS’ no- fly list has then maybe, but if it has any amount more… like age…

  • Fee

    I have a pay as you go oyster card my aunt picked up when she was in town. As far as I know it wasn’t registered with anyone.

    it is possible to use an unregistered oyster and get most benefits; it may not be possible to buy longer term tickets with an unregistered one.

  • Phanx

    The aim in the video seems merely to be to find out how much you can mess with the layout of your card before it stops working, and the answer seems to be; not all that much. Rather dull news, really.

  • arkizzle

    #43

    The whole point of the precise tracking is so that it can calculate your fare, no? Call me naive but I doubt there’s an ulterior motive.

    As mentioned above, the ability to track and log movements through the system, and tie them to an individual through ticket identity (season or not) or bank details was in place long before the Oystercard system. Further, it was a direct response to the terrorism that the rail and tube networks had seen over the years.

    So yes and no.

  • Cefeida

    The whole point of the precise tracking is so that it can calculate your fare, no? Call me naive but I doubt there’s an ulterior motive. I love the Oyster card system, it saved me a bunch when I was in London.

    My first Oyster card wore out in a week. The chip was showing through the plastic. I kept it in my pocket. But the friendly bus driver still let me get on and ride to the next underground station where I asked for a new card. Much love for that bus driver.

  • jonathan_v

    @BUGS-

    “The card works out cheaper than paper tickets because they want everyone to use Oyster. It isn’t some innate feature of the card, it’s a deliberate policy to get as many people on the database as possible. The only advantage of the card for users is reduced queues at the ticket machines. Admittedly, this is a biggie.”

    Actually, it is some innate feature of the card – and has nothing to do with building a database. Bringing people onto electronic systems means less paper ticketing waste, less mechanical parts, less machine maintenance, and less lines as you said.

    Take NYC as an example: when we were on tokens, the turnstiles jammed nonstop and had to be dissected for maintenance. When the system went to metrocards, maintenance is mostly swapping out a cardreader for another. Instead of waiting on lines forever, vending machines pop cards out – and they fired most of the station personnel. The more that people buy with credit-cards, and not cash, the less maintenance the vending machines need: its mostly part swaps and stocking receipt paper, not taking cash out (which requires multiple guards). They’re still dealing with tons of paper waste — discarded cards littering the platforms and turnstiles — so they began a pilot program with RFID chips. If that takes off, 1/2 the trash in the stations would be gone – and they can lay off more workers to save cash.

    So yes, it is an innate feature of the card — as more people use electronics and credit, they need less humans to manage the system and drive costs down.

    also: chances are the chip stopped working in the video because the antenna got too bent. RFID chips are VERY sensitive to antennae configuration.

  • minamisan

    I was wondering what the deal with Oyster cards was… do you have to show ID to get one in the first place? I wouldn’t like that much.

    they sound a lot like the Suica or Pasmo cards we use in Tokyo (Suica cards have been around for many years now). You can pay for them in cash, and while they do ask you for your name and address, it’s only to return it to you should you lose it. Meaning, it’s not compulsory to enter your name and address to obtain one. I have about five of them, only one of which has a name attached to it (they’re for friends when they visit me here).

  • Skeptobot

    For the sake of science I repeated the experiment, using a timelapse camera to record the card dissolving.

    I’m not going to hack the antenna into a magic wand.

  • Takuan

    more and more, I see the need to insist on the right to pay cash for everything, everywhere.

  • Egypt Urnash

    Now I kinda want to try doing this to my Charlie card (Boston’s metro card; somewhat badly implemented because you can only get the furshlugginer things at about four stations in the whole system – otherwise you generate tons of paper ticket waste). It’d be cool to have the chip and antenna stuffed into a bracelet or something!

  • bxrguy

    Gee, Cory, paranoid much? Use an unregistered card and pay cash to top it up. All they’ll know is card ######## went everywhere in the city.

    I’d love to see a map of our 3 day mad dash about London a few months back. What with the disembarking near the Eye and reappearing in Greenwich (thank you River Rover) and don’t even mention how I managed to take two different buses from the same stop 3 minutes apart. (“No, sir, you want the NEXT #13, this one doesn’t go all the way to …”)

  • Antinous

    From the Wikipedia article:

    The police have used Oyster card data as an investigative tool, and this use is increasing. Between August 2004 and March 2006 TfL’s Information Access and Compliance Team received 436 requests from the police for Oyster card information. Of these, 409 requests were granted and the data were released to the police. Additionally, in 2008 news reports indicated that the security services were seeking access to all Oyster card data for the purposes of counter-terrorism. Such access is currently not provided to the security services.

  • greenplum

    Why is there the need to destroy these? If you have privacy concerns and want to mess up their data, wouldn’t it work just as well to trade cards frequently with other Oyster-haters?

    On a completely different note, it’s neat that the guts of the card are so tiny – it would be easy to embed into a scarf or jacket, perhaps with a switch in the antenna loop to turn it on and off.

  • Dave Rattigan

    The sound effects at the beginning of the video scared the shit out of me. Thought my laptop was getting ready to blow up.

  • charleswj

    I believe I’ve heard hitting it with a hammer will destroy do it.

  • Agent 86

    So, quick question…

    What is to stop someone from copying/spoofing the signal from your card, and using it themself? You could copy a large number of accounts, and randomly choose one every time you ride. No one would be the wiser… so, what is stopping this from happening?

  • charleswj

    And here’s the link: http://www.instructables.com/id/S3KSGULFE1M4V4P/

  • Cory Doctorow

    Charleswi: that only works if you know where in the card the chip lives.

  • Mike Scott

    That £3 is a deposit, not a purchase. You should be able to take your old Oystercard into a ticket office and get the £3 back, then get a new one somewhere else. Also, as far as I can see from the website, if you get an Oystercard with a seven day Travelcard loaded onto it, you shouldn’t have to pay the deposit in any case.

  • Spork

    I don’t get the privacy issue people have with Oyster cards.

    The only useful information they could mine from your usage habits is roughly where you live and where you work. Guess what? Government agencies already have much more precise information about that than they could get from an Oyster.

  • davotoula

    You think you are stealthy for using cash to buy or top-up your Oyster card but only until you realise that money can be traced due to their unique serial number.

    Did you get the cash from an ATM using your card? Did you get the cash from a bank from your account?

    Where is my tinfoil suit when I need it!

  • hongyan

    http://www.lptpbttrync.cm

  • fotherington

    What Mike Scott says. I have done this myself – the card started malfunctioning, so I returned it, got my £3 and bought a new one. Use cash, replace once in a while .

  • jim.cowling

    Wikipedia reveals the chip to be in the lower-right corner as viewed from the front:

    http://en.wikipedia.org/wiki/Image:Oyster_card_partially_destroyed.jpg

    Of course, you don’t need to know this to disable it by hammer. You only need to smash the card a bunch of times.

  • rebdav

    While I agree that a well place hammer strike would probably shatter the silicon RFID chip and packaging I am curious why this is almost universally considered the magic “stealth” way to knock out a RFID device. A strike strong enough to break the chip would likely also leave a telltale mark or dent even if you were to use some sort of mask over the oyster card or passport(try lightly hitting a notebook cover with a hammer). Microwaving seems to be the best method remembering that the microcircuits only need a few milliseconds to burn, lets say a second (if that is enough time to energize the magnetron caps) in your microwave oven where the burning would not show on the outside. Failing that popping it a few times with the piezo sparker from a butane lighter or propane BBQ grille might do the trick and leave only microscopic burn holes. The posts I see all over the net declaring “sure” methods for stealth destruction of RFID tags by hammer etc should be accompanied with links to experimental results showing both destruction of the RFID device and high quality macro shots of the known location of the RFID chip and antenna. This video is one of the best involving RFID experimentation.

    BTW trading oyster cards would likely give useful social interaction data if the proper filters were in place, especially if combined with mobile phone location and credit card usage data, any unique tracking can have trend filters applied unless there is a truly random shuffling involved.

    For the true tinfoil hat crowd especially in the US where incoming calls are not free a one way pager and a mobile phone and all RFID devices inside a RF blocking foil lined case or belt pouch would be the ideal way to be always available in the modern world but untrackable unless you want to be seen. As always though tinfoil hats must remember that a dark object shows up well against a light background, no electronic trail is a very suspicious activity to investigators.

  • spazzm

    I have never seen an oyster card in first person, but a sure-fire way to destroy thin plastic objects with thin embedded wires are to sit on them.

    Keep them in your back pocket and they would rarely last two weeks. After a little while, fine cracks will appear in the plastic, disconnecting the copper wire.

    I go through several ATM cards a
    year for this reason, and magnetic stripes are a lot hardier than embedded copper wires in this regard.

    Another method, which I have not tried, would be to repeatedly subject the card to alternating freezing and boiling. Plastic and copper have wildly different coefficients of thermal expansion, so this should, in theory, dislodge and snap the copper antenna.

    But then again, why on earth would anyone want to destroy something so useful?

  • Julian Bond

    This sounds like an excuse for Oyster card swap parties. Drop your new cash paid card into the bucket by the door as you arrive. Collect a random one on the way out.

    Mine’s the hoodie with the tinfoil lining.

  • Lastaii

    You can locate the RFID just by shining a bright torch behind it. The on on my card is located just NW of the Underground symbol.

  • spazzm

    Addendum to my previous post:
    If you not only want to destroy your own property, but also prevent any possibility of anyone recovering your travel history, try this:
    Break off the corner (or part of the corner) holding the microchip. Dispose of the corner holding (part of) the microchip, e.g. in a garbage disposal.

    Then demand a refund. If anyone asks why the corner is missing, simply claim that your dog/cat/ferret ate it.

  • drivenstorm

    If your pay as you go oyster is broken it should be noted that they make you fill out a long form and ask for proof of id before they will transfer the money to a new card.

    For 50p it certainly wasn’t worth it, even before I considered the contradiction in supplying personal information re a pay as you go card.

  • Crystaltips

    I’m tempted to do this if only to be able to tape the wire coil n’ chip to my palm, allowing me to do an hand wave at the oyster reader, and thereby opening the gates with a jedi mind trick. This could entertain me for *weeks*.

  • Evil Jim

    Neat trick but the audio on the vid is horrible… Unless I’m the only one getting bass rumbling & clicking from it.

  • Matt Volatile

    None of these plans work, because when you replace a broken card, they port your account to the new one.

  • Argon

    #4 Agent 86: Simple replay attacks are prevented because there is no unique signal that can be copied. http://en.wikipedia.org/wiki/Challenge-response_authentication – The reader sends the chip a cryptographic challenge. The chip takes this data, processes it with its own secret key, and sends it back. An attacker cannot reproduce the protocol without knowing the embedded information on the chip.

  • Takuan

    How good does the ID have to be when getting a card?
    Perhaps it’s become a fact of life that you must have several identities established, of varying levels of “authenticity”

    Or if the privacy purpose is bigger than just you, put all the energy into a propaganda campaign to convince the general public that smart cards are costing them money. Then wait for the elected cowards to react. Assuming they still have elections.

  • drblack

    So terrorists traveling in London should be prepared to spend more cash.
    These so called security measures never make anyone more secure, but they sure make everyone less free.

  • Branfeast

    I purchased a replacement Oyster card from the ticket office in Mile End station. I didn’t need to fill out any forms or anything. Also, wont smashing the chip just leave you with a useless plastic card? Let us know when a way to “cheat” the system comes around (i.e free rides).

  • chradcliffe

    The biggest problem with the Oyster card with regards to privacy is that it stores data on the card itself (how much data, I’m not sure, but they have to store enough to perform transactions on a bus), and, on top of that, the cryptographic algorithm they use, crypto-1 (proprietary) has been broken. This leaves your data open for access by anyone with the desire and know-how.

    On the bright side, there might be a scheme to add money to your card.

    For the cryptographically-inclined, the Cryptocracy podcast had an episode with an interview with one of the crackers of the crypto-1 algorithm, including some interesting talk about the privacy implications of the vulnerability.

  • Nil

    Maybe I’m just not paranoid enough to understand this blog.

    Why on Earth would you destroy a perfectly good Oyster Card? I use my Dad’s sometimes, and they’re really handy.

    Whoever posted about “terrorists” and “security measures” obviously doesn’t understand what these cards are for. You put money on them before travelling, so that you don’t have to buy a ticket everytime you make a tube journey, and the price works out cheaper than buying TravelCards all the time.

    They’re not a form of ID, don’t have a picture on them, and you don’t have to provide fingerprints to get one.

    I have no problem with anyone knowing where I go when I visit London. Hell, if “they” really wanted to know what I’d been up to, I’m sure all those CCTV cameras would be enough to provide that information.