Licensing, Not Security, Drives New Transit ‘Standard’

The vendor group planning to launch a contactless transit-ticketing offer to compete with world-dominating Mifare technology is selling its initiative as a much-needed move to open standards and one that also provides security transit operators can trust.

But make no mistake about it: This initiative is mainly about licensing–Mifare licensing.

Introduced in 1994, Mifare has been wildly successful for its owner, NXP Semiconductors, formerly known as Philips. The chip maker estimates that more than 1 billion Mifare chips have been shipped over the years and are used in cards in nearly 700 cities for transit fare collection. Mifare accounts for three-quarters of the yearly market for contactless transit cards–a market that will top 200 million cards in 2010, forecasts vendor trade group Eurosmart. All this makes Mifare the most used contactless-card technology of any kind.

And that has made a nice living for NXP, even after taking into account the millions of cloned Mifare cards produced every year in China.

While the well-publicized hacks of Mifare Classic cards in 2008 tarnished the brand, it’s still going strong. And the attacks created more demand for NXP’s more secure Mifare products: DESFire, which had been largely ignored by transit operators after NXP introduced it in 2002, and Classic replacement Mifare Plus. So, it’s perhaps not hard to see why NXP is guarding its Mifare franchise closely.

In 2008, NXP opened up its licensing of Mifare to other chip vendors for the first time in many years, granting a license for the “entire Mifare family” to Renesas Technology of Japan, then another last year to Switzerland-based STMicroelectronics. But these licenses only permit Renesas and ST to produce Mifare chips for SIM cards or other secure elements in NFC phones and for Mifare applications on dual-interface chips in banking cards.

These are promising markets for Mifare but account for very few shipments so far. What the chip makers cannot do with the licenses is produce chips for the voluminous market for standalone Mifare transit cards.

About the only chip maker besides NXP that can legally ship Mifare chips for transit cards is Infineon Technologies, which is anchoring the new vendor group challenging Mifare.

Infineon has done all right by Mifare, as well. When it was spun off by Germany-based Siemens group in 1999, Infineon took with it a grandfather arrangement from an old Mifare licensing deal between Siemens and Mifare creator, Mikron, which Philips acquired in 1998. The deal allows Infineon to produce low-end Mifare-compatible chips royalty-free. Among its contracts, say sources, is supplying chips for the large, high-profile Oyster fare scheme in London.

Unfortunately for Infineon, the owner of the scheme, Transport for London, was one of the transit agencies publicly shamed in 2008 by hackers demonstrating how easy it is to crack Classic’s aging Crypto1 encryption scheme.

TfL decided to upgrade to more expensive DESFire, NFC Times has learned. But Infineon doesn’t have a license to produce DESFire cards–or DESFire SIM chips, for that matter. The SIMs will come into play when TfL puts Oyster on NFC phones, as the transit authority has promised to do.

Infineon probably saw the handwriting on the wall for Mifare Classic more than two years ago, when it began developing the technology for its new transit chip. And it knew it would probably be blocked from supplying chips for higher-end Mifare cards.

Meanwhile, NXP’s archrival in the budding market for NFC chips, Inside Contactless, can’t get any Mifare license at all.

Inside said it was turned down for a license on “multiple occasions” between 2007 and 2009. NXP is locking Inside out of Mifare so that mobile operators will order NFC phones packing NXP chips, in anticipation of commercial Mifare m-ticketing projects, Inside believes.

Card vendors involved in the vendor group planning the Mifare alternative, Oberthur Technologies and Giesecke & Devrient, also have a problem. Rival Gemalto has a Mifare license, which would help it supply DESFire-based SIM cards or other secure elements for NFC phones. That would give Gemalto a leg up on Oberthur and G&D if transit operators start asking for higher-end Mifare applications on NFC phones.

All this sheds light on the reasons the vendors want a Mifare alternative. But they would say that NXP's restrictive licensing policy, and the Mifare "monopoly," as Inside Contactless put it, that the policy has created, are the very reason the industry needs "open standards" and greater attention to security for transit cards and applications.

Still, while open standards for chips in transit cards and NFC phones might sound good on paper, observers doubt the vendors will be able to pull off even a simple open-standard scheme, let alone something similar to the EMV standard for bank cards, as some have suggested they try to do.

The vendors would either have to form their own standards body or enlist one already in operation; no mean trick on either score.

As for the higher security the new transit offer would provide, NXP has offered the same level and type of encryption technology on DESFire cards since 2007, but few transit operators have bought it. Mifare Plus, launched in late 2009, also offers the AES 128-bit encryption scheme.

Many operators and their consultants seem content to go on ordering cheap and plentiful Mifare Classic cards, despite the low security. The operators can guard against widespread cloning on the backend of the fare-collection system, while accepting the risk of a few pilfered rides here and there by fraudsters.

Yet, besides their desire to get around restrictive Mifare licensing, perhaps the new vendor group sees an inviting target in NXP, which group members say was unprepared to respond forcefully to the inevitable Mifare hacks in 2008 and the bad publicity they caused.

Whether that is enough to crack NXP’s dominant share of the transit fare-collection market remains to be seen.

Dan Balaban is editor of NFC Times.

