Audit Of The Charlie Ticketing System

Transcript

  • 1. Audit of the Charlie Ticketing System
    For the Massachusetts Bay Transportation Authority
    Team China Auditing
    Luke, Dylan, Scott, and Craig.
  • 2. The Incident
    Three MIT students explored the obvious weaknesses at the MBTA.
    The MBTA’s fare-collection system named the Charlie Card was “hacked” to show false values.
    The entire MBTA facility was shown to be lacking security in general.
  • 3. What Happened?
    The students got into the building through unlocked doors.
    Many rooms, phone boxes, and networking systems were left unlocked.
    They also found a key and other physical identification that should not have been lying around.
    They eventually altered the Charlie Ticket's mag-stripe value and then explored the RFID cards.
    They documented their entire experience with photos and assembled a slideshow. Link Here
  • 4. Recommendations
    Risk Assessment (Internal & Third-party)
    Improve Physical Security
    Access Control Hardware & Software
    Visitor Management System
  • 5.
  • 6. Risk Assessment
    Regularly scheduled (Internal & Third-party)
    Management, Security and end-user involvement
    Reports to identify risk areas and levels
    CounterMeasures® – Risk Analysis Software $14,500 (CounterMeasures®, n.d.)
    RFPs to be reviewed for vendor selection
  • 7. Physical Security
    Access Control Hardware & Software
    Increase security by eliminating keys
    Provide management, audit tracking and incident response
    Typical installations $1500 - $2500 per door (Access control, n.d.)
    RFPs to be reviewed for vendor selection
  • 8. Physical Security
    Visitor Management System – Lobby Track™
    Increased control and security of visitors in MBTA facilities
    Security desk, on-line or self-registration kiosk check-in available
    $1800 per location (Edition Comparison, n.d.)
  • 9.
  • 10. Questions?
  • 11. Thank You
    Team China Auditing
    Luke, Dylan, Scott, and Craig.
  • 12. References
    Access control system pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone: http://www.buyerzone.com/security/access_control/buyers_guide6.html
    Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from CNN Politics: http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/
    Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston Globe: http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/
    B., B. (2008). Cracking the Charlie Card. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.
    COBIT Student Book. (2004). COBIT in Academia. Rolling Meadows, IL: IT Governance Institute. http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf
    CounterMeasures® Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software: http://www.countermeasures.com/enterprise_platform_product.htm
    Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track: http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php
    Lewis, D. (2008, August 20). MIT CharlieCard Hackers Gag Free. Retrieved April 6, 2010, from LiquidMatrix Security Digest: http://www.liquidmatrix.org/blog/2008/08/20/mit-charliecard-hackers-gag-free/
    McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online Edition: http://tech.mit.edu/V128/N30/subwayvulnerabilities.html
  • 13. References (continued)
    McNamara, P. (2008, August 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network World: http://www.networkworld.com/community/node/30940
    Mills, E. (2008, December 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET News: http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title
    National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10, 2010, from The National Archives: http://www.archives.gov/press/press-releases/2009/nr09-89.html
    Pesaturo. (2007, March 5). MBTA Transit Police Charge Retiree with Theft. Retrieved April 6, 2010, from MBTA: http://www.mbta.com/about_the_mbta/news_events/?id=11063&month=&year=
    Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anatomy of a Subway Hack. Retrieved March 10, 2010, from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
    Szaniszlo, M. (2008, August 10). MIT students barred from exposing MBTA security flaws. Retrieved March 10, 2010, from Boston Herald: http://news.bostonherald.com/news/regional/general/view.bg?articleid=1112081&srvc=home&position=emailed
    Szaniszlo, M. (2008, August 14). Board member demands MBTA audit. Retrieved April 6, 2010, from http://www.bostonherald.com: http://www.eff.org/files/filenode/MBTA_v_Anderson/Exhibit%207.pdf
    Szaniszlo, M. (2008, August 15). MIT students must turn in CharlieCard data today. Retrieved April 6, 2010, from Boston Herald: http://www.bostonherald.com/news/regional/general/view.bg?articleid=1113095
    Vijayan, J. (2008). Flap Over Transit Flaws Exposes Disclosure Divide. (Cover story). Computerworld, 42(33), 10. Retrieved from Academic Search Premier database.