A lot of blog posts have already covered the security issue affecting the STIB (the public transport company in Brussels), so I'll not rewrite the facts here.
Belgian French-language television made a story [in French] about this problem. The journalist interviewed the STIB spokesman, who said during the interview:
“Il y a des données qui peuvent apparaître en clair, à condition d’avoir les logiciels et le matériel approprié, mais ce n’est pas en clair, il faut avoir un terrible matériel.” [Translation: “Using the appropriate software and hardware, there is data that may appear unencrypted. But it is not in the clear; you must have serious hardware to read it.”]
What does this guy mean by “serious hardware”? An RFID reader is available for only a few Euros, and the source code to drive it is available for free.
This is a good example of security by obscurity. There is a real risk of seeing geeks perform war-driving with RFID readers, as they started doing a few years ago to find unsecured Wi-Fi access points. Only encrypting the data stored on the RFID chip could solve this issue!