Dumb Smart Cards fail as e-Cash

An e-Cash (well, sort of) system used for parking payments in San Francisco and other US cities has been analysed and broken. It uses chip cards, but the chip cards do not authenticate themselves and therefore are pretty useless. This particular attack would have been impossible if the chip cards were authenticated properly.

It is a nice example for a scalable attack: If the security has been broken for one parking meter it is broken for all of them. This is a design error in a security application.

On a sidenote, in Germany and many other countries there is an e-Cash system which does not have these problems, it is called 'Geldkarte' (moneycard).