Audit Of The Charlie Ticketing System
 

    Audit Of The Charlie Ticketing System Presentation Transcript

    • Audit of the Charlie Ticketing System
      For the Massachusetts Bay Transportation Authority
      Team China Auditing
      Luke, Dylan, Scott, and Craig.
    • The Incident
      Three MIT students explored the obvious weaknesses at the MBTA.
      The MBTA’s fare-collection system named the Charlie Card was “hacked” to show false values.
      The entire MBTA facility was shown to be lacking security in general.
    • What Happened?
      The students got into the building through unlocked doors.
      Many locks were unlocked on rooms, phone boxes, and networking systems.
      They also found a key and other physical identification that should not have been lying around.
      They also eventually hacked the Charlie Card's mag-stripe value and then explored the RFID cards.
      They documented their entire experience with photos and assembled a slideshow.
    • Recommendations
      Risk Assessment (Internal & Third-party)
      Improve Physical Security
      Access Control Hardware & Software
      Visitor Management System
    • Risk Assessment
      Regularly scheduled (Internal & Third-party)
      Management, Security and end-user involvement
      Reports to identify risk areas and levels
      CounterMeasures® – Risk Analysis Software $14,500 (CounterMeasures®, n.d.)
      RFPs to be reviewed for vendor selection
    • Physical Security
      Access Control Hardware & Software
      Increase security by eliminating keys
      Provide management, audit tracking and incident response
      Typical installations $1500 - $2500 per door (Access control, n.d.)
      RFPs to be reviewed for vendor selection
    • Physical Security
      Visitor Management System – Lobby Track™
      Increased control and security of visitors in MBTA facilities
      Security desk, on-line or self-registration kiosk check-in available
      $1800 per location (Edition Comparison, n.d.)
    • Questions?
    • Thank You
      Team China Auditing
      Luke, Dylan, Scott, and Craig.
    • References
      Access control system pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone: http://www.buyerzone.com/security/access_control/buyers_guide6.html
      Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from CNN Politics: http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/
      Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston Globe: http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/
      B., B. (2008). CRACKING THE CHARLIE CARD. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.
      COBIT Student Book. (2004). COBIT in Academia. Rolling Meadows, IL: IT Governance Institute. http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf
      CounterMeasures® Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software: http://www.countermeasures.com/enterprise_platform_product.htm
      Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track: http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php
      Lewis, D. (2008, 8 20). MIT CharlieCard Hackers Gag Free. Retrieved April 6, 2010, from LiquidMatrix Security Digest: http://www.liquidmatrix.org/blog/2008/08/20/mit-charliecard-hackers-gag-free/
      McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online Edition: http://tech.mit.edu/V128/N30/subwayvulnerabilities.html
    • References (continued)
      McNamara, P. (2008, 8 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network World: http://www.networkworld.com/community/node/30940
      Mills, E. (2008, December 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET News: http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title
      National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10, 2010, from The National Archives: http://www.archives.gov/press/press-releases/2009/nr09-89.html
      Pesaturo. (2007, 3 05). MBTA Transit Police Charge Retiree with Theft. Retrieved April 6, 2010, from MBTA: http://www.mbta.com/about_the_mbta/news_events/?id=11063&month=&year=
      Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anatomy of a Subway Hack. Retrieved March 10, 2010, from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
      Szaniszlo, M. (2008, August 10). MIT students barred from exposing MBTA security flaws. Retrieved March 10, 2010, from Boston Herald: http://news.bostonherald.com/news/regional/general/view.bg?articleid=1112081&srvc=home&position=emailed
      Szaniszlo, M. (2008, 8 14). Board member demands MBTA audit. Retrieved April 6, 2010, from http://www.bostonherald.com: http://www.eff.org/files/filenode/MBTA_v_Anderson/Exhibit%207.pdf
      Szaniszlo, M. (2008, 8 15). MIT students must turn in CharlieCard data today. Retrieved April 6, 2010, from Boston Herald: http://www.bostonherald.com/news/regional/general/view.bg?articleid=1113095
      Vijayan, J. (2008). Flap Over Transit Flaws Exposes Disclosure Divide. (Cover story). Computerworld, 42(33), 10. Retrieved from Academic Search Premier database.