
Audit Of The Charlie Ticketing System



  1. Audit of the Charlie Ticketing System
     For the Massachusetts Bay Transportation Authority
     Team China Auditing
     Luke, Dylan, Scott, and Craig.
  2. The Incident
     • Three MIT students explored the obvious weaknesses at the MBTA.
     • The MBTA’s fare-collection system, the CharlieCard, was “hacked” to show false values.
     • The entire MBTA facility was shown to be lacking security in general.
  3. What Happened?
     • The students got into the building through unlocked doors.
     • Many rooms, phone boxes, and networking systems were left unlocked.
     • They also found a key and other physical identification that should not have been lying around.
     • They eventually hacked the CharlieCard’s mag-stripe value and then explored the RFID cards.
     • They documented their entire experience with photos and assembled a slideshow. Link Here
  4. Recommendations
     • Risk Assessment (Internal & Third-party)
     • Improve Physical Security
     • Access Control Hardware & Software
     • Visitor Management System
  6. Risk Assessment
     • Regularly scheduled (Internal & Third-party)
     • Management, Security and end-user involvement
     • Reports to identify risk areas and levels
     • CounterMeasures® – Risk Analysis Software, $14,500 (CounterMeasures®, n.d.)
     • RFPs to be reviewed for vendor selection
  7. Physical Security
     • Access Control Hardware & Software
     • Increase security by eliminating keys
     • Provide management, audit tracking and incident response
     • Typical installations $1,500 - $2,500 per door (Access control, n.d.)
     • RFPs to be reviewed for vendor selection
  8. Physical Security
     • Visitor Management System – Lobby Track™
     • Increased control and security of visitors in MBTA facilities
     • Security desk, on-line or self-registration kiosk check-in available
     • $1,800 per location (Edition Comparison, n.d.)
  10. Questions?
  11. Thank You
      Team China Auditing
      Luke, Dylan, Scott, and Craig.
  12. References
      Access control system pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone: http://www.buyerzone.com/security/access_control/buyers_guide6.html
      Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from CNN Politics: http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/
      Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston Globe: http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/
      B., B. (2008). Cracking the Charlie Card. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.
      COBIT Student Book. (2004). COBIT in Academia. Rolling Meadows, IL: IT Governance Institute. http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf
      CounterMeasures® Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software: http://www.countermeasures.com/enterprise_platform_product.htm
      Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track: http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php
      Lewis, D. (2008, August 20). MIT CharlieCard Hackers Gag Free. Retrieved April 6, 2010, from LiquidMatrix Security Digest: http://www.liquidmatrix.org/blog/2008/08/20/mit-charliecard-hackers-gag-free/
      McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online Edition: http://tech.mit.edu/V128/N30/subwayvulnerabilities.html
  13. References (Cont'd)
      McNamara, P. (2008, August 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network World: http://www.networkworld.com/community/node/30940
      Mills, E. (2008, December 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET News: http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title
      National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10, 2010, from The National Archives: http://www.archives.gov/press/press-releases/2009/nr09-89.html
      Pesaturo. (2007, March 5). MBTA Transit Police Charge Retiree with Theft. Retrieved April 6, 2010, from MBTA: http://www.mbta.com/about_the_mbta/news_events/?id=11063&month=&year=
      Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anatomy of a Subway Hack. Retrieved March 10, 2010, from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
      Szaniszlo, M. (2008, August 10). MIT students barred from exposing MBTA security flaws. Retrieved March 10, 2010, from Boston Herald: http://news.bostonherald.com/news/regional/general/view.bg?articleid=1112081&srvc=home&position=emailed
      Szaniszlo, M. (2008, August 14). Board member demands MBTA audit. Retrieved April 6, 2010, from Boston Herald (http://www.bostonherald.com): http://www.eff.org/files/filenode/MBTA_v_Anderson/Exhibit%207.pdf
      Szaniszlo, M. (2008, August 15). MIT students must turn in CharlieCard data today. Retrieved April 6, 2010, from Boston Herald: http://www.bostonherald.com/news/regional/general/view.bg?articleid=1113095
      Vijayan, J. (2008). Flap Over Transit Flaws Exposes Disclosure Divide (Cover story). Computerworld, 42(33), 10. Retrieved from Academic Search Premier database.
