{"id":215,"date":"2008-03-16T21:14:18","date_gmt":"2008-03-17T05:14:18","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/security-review-taspo-rfid-cards-for-cigarette-vending-machines\/"},"modified":"2008-03-16T21:14:18","modified_gmt":"2008-03-17T05:14:18","slug":"security-review-taspo-rfid-cards-for-cigarette-vending-machines","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-taspo-rfid-cards-for-cigarette-vending-machines\/","title":{"rendered":"Security Review: &#8216;taspo&#8217; RFID cards for cigarette vending machines"},"content":{"rendered":"<p>Being a frequent visitor to Japan and thus knowing its people and culture fairly well, I thought it&#8217;d be appropriate for me to conduct a review on the new &#8216;taspo&#8217; RFID cards which\u00a0<a href=\"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/09\/in-the-news-this-week\/\">Yoshi also mentioned a while back<\/a>.\u00a0 The &#8216;taspo&#8217; cards are being introduced in Japan in an attempt to reduce underage smoking.\u00a0 They are to be used with cigarette vending machines.<\/p>\n<p><!--more--><\/p>\n<p>For those who have never been to Japan, vending machines are abundant there and are used for many, many things besides just drinks or snacks.\u00a0 (I&#8217;ve also seen alcohol vending machines.)\u00a0 To attain a &#8216;taspo&#8217; card, a person of 20 or older must apply via a process which I assume to be similar to getting a driver&#8217;s license here.\u00a0 The card is printed with the member&#8217;s picture and the membership number.\u00a0 Also, it has the optional feature of being able to store money on the card and making payments to the vending machines through that.\u00a0 Since I didn&#8217;t research these cards too heavily and don&#8217;t know EXACTLY how they work, I&#8217;m going to make a few assumptions about how they work.\u00a0 There&#8217;s a good 
chance that they work just like the new RFID credit cards, since they have the ability to make purchases.\u00a0 This means the vending machines themselves will probably be hooked up to &#8216;taspo&#8217;s main systems so that they can do the account balance logic (checking for sufficient funds, purchasing).\u00a0 I&#8217;m guessing the membership number is also sent either in the clear or after being encrypted.<\/p>\n<p>Assets\/Security Goals<\/p>\n<ul>\n<li>To prevent the unauthorized usage of the members&#8217; funds in the cards.<\/li>\n<li>To prevent the purchase of cigarettes from vending machines by minors.<\/li>\n<\/ul>\n<p>Potential Adversaries\/Threats<\/p>\n<ul>\n<li>A non-technical minor wanting to bypass the age requirement.<\/li>\n<li>A non-technical person wanting to buy cigarettes without paying.<\/li>\n<li>A technical person with the ability to read cards and duplicate them.\u00a0 This person could also set up a market to sell illegitimate cards to minors.<\/li>\n<\/ul>\n<p>Weaknesses<\/p>\n<ul>\n<li>Perhaps easy to lose, since this is yet another card people will have to carry around.<\/li>\n<li>The account number being transferred could be intercepted if it&#8217;s not encrypted.\u00a0 Even if it is, a person with the right tools could duplicate the card, unless the cards also use something like the time to encrypt with the number.<\/li>\n<\/ul>\n<p>Potential Defenses<\/p>\n<ul>\n<li>The nice thing is that the cards are tied only to your money account that can be used to buy only cigarettes, so hopefully the amount of money you keep in there will be somewhat small.\u00a0 Also, I&#8217;m sure the company will enable canceling of the cards when they are reported lost\/stolen.<\/li>\n<li>When making purchases with the card, they could make it so that the user would have to type in a 
PIN as well.<\/li>\n<\/ul>\n<p>I think that, for this circumstance, the risks are fairly small, especially since (at least to me) it seems like theft is extremely low in Japan.\u00a0 A person finding a card will most likely report it to the area&#8217;s lost and found or the &#8216;taspo&#8217; company.<\/p>\n<p>Here&#8217;s the link that contains info on these cards.<\/p>\n<p><a href=\"http:\/\/www.taspo.jp\/english\/taspo\/Introduction.html\">http:\/\/www.taspo.jp\/english\/taspo\/Introduction.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Being a frequent visitor to Japan and thus knowing its people and culture fairly well, I thought it&#8217;d be appropriate for me to conduct a review on the new &#8216;taspo&#8217; RFID cards which\u00a0Yoshi also mentioned a while back.\u00a0 The &#8216;taspo&#8217; &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-taspo-rfid-cards-for-cigarette-vending-machines\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":22,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-215","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=215"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/215\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}