Waiting for NFC (or not)

RATP has been working for a while on the future deployment of their Navigo transport cards over NFC phones. Such a move makes perfect sense for a utility company: card issuance is a pure cost for them, so dematerialization sounds good.

One of the promises of such a deployment is over-the-air renewal of monthly passes. Today, this is handled through long lines in the stations, every month. With NFC, you can see at least two ways to improve that.

  • The classical scheme is to load the Navigo application directly onto the phone’s SIM card (or any other secure element), and to use it through a combination of NFC (for everyday use) and over-the-air SIM Toolkit access (for management over the Internet).
  • Another scheme is to use an NFC phone as a Navigo card reader, and to update the card information through a mobile application (Java ME supports that, for instance).

RATP has decided to go ahead with the second scenario (I have a link, but only in French). Of course, since NFC phones are not available, they are issuing card readers, provided by Gemalto.

They are not waiting for Godot NFC.

The sad part about this news is that the lack of readers in homes was already used 10 years ago to justify why smart cards were not used at home. The good part about the same news is that some major actors like RATP are now deciding that it may be worth investing a few euros in a reader for an interesting service that saves time in lines.

In addition to the obvious benefit of the application, RATP is also using it as a way to slowly ramp up their capacity to manage a large number of online transactions on their card management systems, so they can be ready when NFC devices finally arrive in large numbers.

Another funny part comes from the comments, which range from “Card readers are useless” to “Card readers will be hacked” or “Card readers are too expensive” (15€, apparently). A few good questions, though, like “I already have a reader; can I use the reloading service?”. Some ramblings as well, like the guy who claims that “a card that can be rewritten, that’s the security error, with no authentication”.

I don’t think that these guys will do much harm to the Calypso application used by RATP, which is not as insecure as they think. And having 100,000 more card readers around Paris will not change that. However, having a few hundred million contactless card readers (a.k.a. NFC phones) can definitely make it easy for would-be hackers to try something on their cards. Sprinkle in a bit of Internet access, and you had better have applications with no blatant security issues.

Well, that should keep us (smart card/security guys) busy for a few years.
