When the Mobib card was launched last year, we asked ourselves whether it wouldn't have the same problems that the same cards had in other cities, problems that Dutch researchers had shown in headline-making research. But oh no, some specialists close to the project told us in a meeting, it was totally different: they had used other codes and norms, and they had paid particular attention that the mistakes made in London and Holland wouldn't be repeated in Brussels. We had our doubts, but if they were so persistent, then we only had to stand by and hope that someone had the guts to test it and prove us wrong... or right.
Luckily the security researchers of the UCL are beginning to have a knack for critical research (where are those bright Flemish researchers, except losing themselves in cryptographic games?). So they did it again. Yes, they did the RFID chip research on the Belgian passport.
They have even developed free software that you can use to extract the travel information from a Mobib card. Seems like another reason not to use the card if you are a bit paranoid. The software could also be used to extract that information from people nearby who carry such a card: it returns their last three trips and their identity, birth date and zip code. Anyone can do this, because the data is stored without any encryption or protection. Interesting for thieves or for harassment, I would think.
It also makes you think that our national commission for the protection of privacy was informed about the card but didn't find it necessary to investigate further. A question that remains is what happens with all the other trips: how are they retrieved or erased from the card?
The other question is naturally why the card lets anyone read so much information. There are RFID chips on the market that are much more protective, but they are more expensive.
It is the intention of the transport company to replace all the regular-use cards with this one Mobib card. The question is whether that will still be possible with the same technology, or whether the STIB will have to hand out privacy-protecting card holders with them.
The STIB also said that it separated the travel information from the information about the client. This way it would have two databases: one about its clients and another about the overall trips made by its users. The two wouldn't be linked or connected. But with the interception of the card, this is exactly what has happened. The card is the connection between the two kinds of data.
And if that ain't enough, the STIB is also at the center of a European-financed project, « Triangle », that wants to create common ticketing for the three transport systems in Paris, London and Brussels. And this would become the basis for an international ticketing system that could be used anywhere in Europe.
And it gets even more interesting, because there is much more mission creep and privacy loss in the future of this card. They have/had plans to integrate it with train tickets and other means of transport, or even events. The question that now arises is how much information will stay on the card (three events, three train tickets, three Brussels transport trips and a taxi, for example?). Before you know it, you are carrying all your travel information on one card. Seems simple and scary at the same time.
As a customer you can also buy a wallet with a small metal plate in it, in which you can put the card. You have to take the card out each time to validate it, but nobody else will be able to read it without your agreement. The same goes for your passport.
The responses from the STIB are also totally wrong. They say that the information on our ID and SIS cards can also easily be read. Yes, but you need to do it at home and you need to have the card in your possession. Here we are talking about walking around in a metro with an RFID card reader and, without telling anyone, reading the travel and some identity information from anyone near you, whether he or she agrees to that or not. This is the difference.