Has the EasyCard been hacked by a genius high school student? Cybersecurity expert: The MIFARE Classic vulnerability was disclosed 15 years ago!
A 17-year-old high school student used an NFC reader to tamper with the balance of an EasyCard and refunded the card more than 40 times in half a year, making an illegal profit of nearly 700,000 yuan. The incident brought back to the fore the MIFARE Classic vulnerability, which had been dormant for years, forcing authorities and the security community to re-examine the security weaknesses of smart payment infrastructure.

It recently came to light in Taiwan that a 17-year-old suspended high school student used an NFC reader to tamper with the balance of an EasyCard, obtaining refunds more than 40 times in half a year and making an illegal profit of nearly 700,000 yuan. The incident brought back to the fore the MIFARE Classic vulnerability, which had been dormant for many years, and forced the authorities and the security community to re-examine the "old problems" of payment infrastructure.

MIFARE Classic has long been cracked

Information security expert Hu Li (Huli) saw this incident and posted that Zheng Zhenmou, a professor in the Department of Electrical Engineering at NTU, had demonstrated cracking CRYPTO1, the algorithm used by MIFARE Classic, as early as 2010 in the HITCON and CCC lecture "Just Don't Say You Heard It From Me: MIFARE Classic is Completely Broken". The algorithm, which is also the specification used by the current EasyCard, was completely cracked 15 years ago. CRYPTO1 encryption vulnerabilities, side-channel attacks (SPA, DPA) and the open-source tool Proxmark3 form a "trilogy" that greatly lowers the threshold for copying, tampering with and cloning EasyCards.
Hu Li (Huli) pointed out: "The value-added record is stored on the server side, and the amount will eventually be found; the real risk is that the chip is too easy to change, and the cost of detection and law enforcement is forced to be outsourced to the police."

In the 2011 case, an information security consultant surnamed Wu cracked the EasyCard and was arrested while spending at a supermarket. That consultant cashed out directly through purchases, while this time the high school student switched to the refund mechanism: "Since the MRT company does not directly request payment from EasyCard after the refund, there will be a time lag in the middle, and it will not be discovered immediately. According to news reports, it seems that it took several months to notice the anomaly during the reconciliation? And the amount this time is quite large, actually hundreds of thousands." But in essence, both cases come down to modifying the information on the card side.

Hu Li (Huli) added: "The new version of the EasyCard has replaced the underlying technology, but as long as the old cards are still in circulation in the market, it will not be possible to completely eradicate similar incidents. If you want to solve it, you should only have to take back all the cards that used the old system and eliminate them, right?"

The police investigation found that the high school student purchased a Chinese-made NFC reader on the Internet, learned through self-study to modify the amount field stored in the card's chip, repeatedly wrote the card amount to 1,000 yuan, and then went to the MRT station for a refund; a single cycle of the whole process took less than 3 minutes. At the end of 2024, the company discovered the abnormal situation through back-office reconciliation, and the student was arrested in February this year.
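The reconciliation described above can also be run at refund time instead of months later. The following is an added example, not code from the article or from the card operator: it replays the server-side top-up and spend records and flags any refund whose card-reported balance is not backed by that ledger. The event format, card IDs and function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: str       # ISO timestamp; sorts correctly as a string
    card_id: str
    kind: str     # "topup" | "spend" | "refund"
    amount: int   # for "refund": the balance read from the card at the gate


# Constructed sample data for illustration; not real transit records.
SAMPLE = [
    Event("2024-07-01T08:00", "CARD-A", "topup", 500),
    Event("2024-07-01T08:30", "CARD-A", "spend", 120),
    Event("2024-07-02T09:00", "CARD-A", "refund", 380),   # matches the ledger
    Event("2024-07-01T10:00", "CARD-B", "topup", 100),
    Event("2024-07-01T10:20", "CARD-B", "spend", 60),
    Event("2024-07-03T11:00", "CARD-B", "refund", 1000),  # ledger says 40
    Event("2024-07-03T11:05", "CARD-B", "refund", 1000),
]


def flag_unbacked_refunds(events, tolerance=0):
    """Return (ts, card_id, unbacked) for each refund that pays out more than
    the server-recorded value of the card. `unbacked` is the cumulative payout
    not covered by recorded top-ups; `tolerance` absorbs delayed settlement
    of offline spends."""
    ledger = defaultdict(int)  # server-derived balance per card
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "topup":
            ledger[e.card_id] += e.amount
        elif e.kind in ("spend", "refund"):
            ledger[e.card_id] -= e.amount
        else:
            raise ValueError(f"unknown event kind: {e.kind!r}")
        # A negative ledger after a refund means value left the system that
        # no server-side top-up ever put on the card.
        if e.kind == "refund" and -ledger[e.card_id] > tolerance:
            alerts.append((e.ts, e.card_id, -ledger[e.card_id]))
    return alerts


if __name__ == "__main__":
    for ts, card, unbacked in flag_unbacked_refunds(SAMPLE):
        print(f"{ts} {card}: refund not backed by ledger, exposure {unbacked}")
```

Because the check relies only on server-side records, it does not depend on the integrity of the card's own balance field.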
The company said that it has strengthened its monitoring logic, but because the case has entered the judicial process, it cannot disclose more details at present.

Further reading: "Paper: Mifare Classic's Card-Only Attack"; "NFC Information Security Practice – Xingda Information Society Course"

This article was first published in BlockTempo's "Dynamic Trend - The Most Influential Blockchain News Media".