Delete comment from: Ken Shirriff's blog
Ultimately the problem is trust - data stored in a phone can be tampered with much more easily than a plastic card, which increases the attack surface (however cost ineffective it is to hack your transit card...). Your example still abides by this principle - when you charge your card with your phone, I bet that what's happening behind the scenes is that the app opens a websocket to a server owned by the transit operator, which emulates a terminal. Your phone is just a dumb tunnel for NFC traffic. At least it works this way in my country.
Anyway, even though this is more difficult, some transit operators still did it. In Paris you can pay using your phone directly, and I haven't taken the time to research it throughly, but it works even when you're on airplane mode and it was heavily implied that it's a direct emulation of the Navigo card.
Jun 23, 2024, 4:12:22 PM
Posted to Inside the tiny chip that powers Montreal subway tickets