Paper presented at the 33rd Annual Southern African Transport Conference 7-10 July 2014 "Leading Transport into the Future", CSIR International Convention Centre, Pretoria, South Africa.
South Africa embarked on a world first when it promulgated legislation to ensure that it
future proofed fare revenue collection for its public transport system. The legislation did
not get promulgated without resistance from local and international fare collection
product suppliers. The promulgation is technology agnostic, and only refers to a bank
issued fare medium that must be based on the Europay MasterCard Visa (EMV)
standard that should contain the Automated Fare Collection (AFC) Data Structure (DS).
The AFC DS in turn is defined as electronic tags that are used for recording and
retrieving public transport-related data.
Herein lays the vulnerability of the legislation. Card Associations (CAs), such as
MasterCard, Visa, and American Express to name but a few, create bank issued media
implementations that authenticate financial transactions that comply with the strict EMV
specification. These CAs also provide AFC DS mechanisms that provide access to the
electronic tags that are referenced within the legislation. These AFC DS access
mechanisms are not governed by EMV. These mechanisms are not governed,
reviewed, or audited for “fit-for-purpose” within the public transport domain either. They
are provided as is and do not come with any warranty and/or guarantee that “farecalculations”
will be secure, reliable, and consistent. How could they, they are not part
of the calculation process.
If the AFC DS electronic tags can be compromised, meaning the manipulation of the
public transport data on the fare medium, then the CA have a direct impact to the
correct and/or incorrect calculation of the fares.
All the provided AFC data structure mechanisms provided to date can be compromised
to some extent. Additional legislation that was promulgated also inhibits the use of the
AFC Data Structure to its full extent as originally envisaged. This paper will briefly
provide detail on some of these issues, their impact, mitigation measures, and a
recommendation for a more secure implementation.
This paper was transferred from the original CD ROM created for this conference. The material was published using Adobe Acrobat 10.1.0 Technology. The original CD ROM was produced by CE Projects cc. Postal Address: PO Box 560 Irene 0062 South Africa. Tel.: +27 12 667 2074 Fax: +27 12 667 2766 E-mail: firstname.lastname@example.org