Want to hack Oyster cards? Easily! Just read the instructions on the Internet

Details of how to hack into identity cards that give millions of people access to secure buildings and public transport networks have been published online. 

Dutch academics had previously demonstrated weaknesses in the smartcard system, but publication of detailed information on the vulnerability had been delayed by legal action from the card’s manufacturer. Full details of how to hack the cards were released at a security conference earlier this week and have now been published online. 

Scientists at Radboud University in the Netherlands hacked into the Mifare system, which is used to control access to thousands of schools, hospitals and government departments around Britain. It also provides the technology behind 17 million Oyster cards for travel in London. 

Bart Jacobs, of Radboud University, told a BBC documentary that will be broadcast on Saturday that he and his colleagues discovered a flaw in the chip’s design, making it easy to copy the cards. 

"Once we knew how the system worked and what the vulnerabilities were, it turned out to be very simple to actually clone cards, steal someone's identity and enter a building as someone else," he said. 

As part of the research, Professor Jacobs used a laptop to clone a card used to access a public building in the Netherlands. His team then travelled to London, where they used the same technique to travel on the Underground for a day without paying. 

The chip Manufacturers NXP Semiconductors said that they sought an injunction to delay the information being released to allow time for their clients to update their security systems. 

When The Times first revealed the security flaws in the cards, the Dutch Government posted armed guards outside its buildings and postponed the introduction of a new €1 billion transport payment system similar to the Oyster card until the security issues had been addressed. 

Transport for London, which runs the Oyster card system for access to public transport in the capital, said it took the security of its cards “extremely seriously” but said they were confident that the system remains secure. 

A Tfl spokesman said: “There is no evidence of the widespread cloning of Oyster cards, the system has not been hacked and there is no risk to card holders’ personal data as none is stored on the card."