Again, this problem wouldn't exist if we can optimize WFH methods. We don't need to solving "physical problems" from start to finish. Making, distributing, and recycling all those ticket papers.

No matter how advanced your transportation tech is, moving people long distances is still really costly. Sorry to "steer" this conversation into WFH and WFO topics.

(The optical scanning argument makes sense, however.)

Last year I bought a friend a ticket from Avon (just south of Paris) to Charles de Gaulle. I rode along and we stopped for lunch in Paris.

He carried on to the airport, met mr. Ticket man, and got a €100 fine for taking the route printed on his ticket, but too slowly.

I can’t understand what they’re trying to incentivise by doing this to tourists.

IMHO, if you have fare gates they need to be tied into a parent control system so that parents to limit where their kids are allowed to go alone. I've never seen the implemented and the details are important to get right.

I'll likely mangle the explanation but this sort of policy does not fair well when there is a large divide between have/have-not and little/no social safety net.

If you are poverty level you will be forever stuck in this cycle: Ticket/fine, court, loss of income, etc. What might work is simply granting free access below a certain income threshold.

Also a program for free rides to places like abuse shelters (for all genders - battered women is sexist talk!), voting booths and others similar locations should be in place - if you are going to one of them the checker verifies that are on the direct route to such a place and gives you a ticket - once you get there they validate your ticket - while if you don't arrive they send the police looking for you (in the case of abuse not arriving is a sign of urgent trouble, in other cases the police can arrest you when they feel like it)

Differentiate nomal daily sales rates within the test day, observe the trend year by year. Sounds naive, would be lovely if it works.

It's not necessarily a matter of education: just the feeling of "not worth freeloading (at the price), I'm likely to get caught anyway" is sufficient.

Of course that'd mean having two recognition mechanisms, so the operator might opt for NFC and chips for single-use tickets anyway to make the system simpler. But somehow having single-use tickets with chips on them does seem wasteful to me.

The OPUS is also super interesting because it's a stored value card that holds the tokens on the card as opposed to a simple ID. The system was developed when cellular connectivity was still spotty, so they needed a card that would work on buses without internet access. It's pretty bad from a UX point of view though: you can only store a few different kind of fares, you can't recharge the card online (until recently you had to go to a terminal to do it, now there is a NFC phone app), you can't declare a card stolen, etc.

There are even semi permanent ones you can buy, which are good for say 1 day, 1 weekend, or contain 10 passes.

See how London deals with toob stations for pride, for example, by closing and controlling some, exit only periods close to the event, open ticket gates, etc.

i think you can buy a transit payment card if you need one.

no paper tickets. cool ephemera but pretty wasteful.

would be pretty cool if/when we see a day where provably private cryptocurrency microtransactions allow for both real privacy and the 7 day fare cap feature.

Really leaves a good impression, knowing that they could have gouged you but chose not to.

Anyway with OMNY.

You just buy a OMNY card and load it with cash if you want privacy. They are being slow to roll the vending machines for these out due to vendor issues but it's growing and they can't discontinue the MetroCard until they have all the vending machines in place.

Meanwhile, the integrated subway/overground/bus network in London supports direct payment with NFC smartphones, without the need for an intermediate "smart" paper ticket; the infrastructure for vending those; or the (not insignificant) cost of producing the tickets. Not sure what Montreal was thinking!

The only advantage to having Oyster is if you’re travelling enough to justify a monthly pass (daily and weekly caps are respected on bank card taps), or longer.

I travel a lot across North America and EMEA, always glad to get home and deal with London’s transport network: it’s the only one that is really designed around, built for and feels invested in the passenger experience.

30 years ago you could kill ducks with the NES guns instantly and it worked by detecting pixels.

I'm sure we can figure out how to analyze black squares and turn them into a number under 50ms.

I'm all for the "we have technology why tf don't we use it, why aren't we better at it" argument, but the truth is that a lot of tech/systems in transport & other areas are retro af and new stuff gets shoe-horned in with all the caveats of a shoe-horning in.

Stuff doesn't get upgraded often, because it's expensive, because all of us vote for politicians that grant expensive/overpriced gov contracts putting money into them and their mates' back pockets. We'd be able to refresh public use tech all the time if it was non or low profit, never gonna happen tho.

Look at how much it cost Wales to change 30mph signs to 20mph: 34m£! And that's just for a few small areas, not everywhere they wanted to do. How in the f u c k, do you spend 34m taking down and putting up some signs? Those are ludicrous prices & all of us just completely ignore it bc we're too busy arguing about skin colour, which sex the person I sleep with is, or trans people being in the bathroom they want to be in, etc. Honestly.

None of that matter. QR code can be read on any angle because of the 3 position detection patterns it comes with, by design.

Lighting conditions are not a problem on tickets (which is what the article is about) because you can illuminate the paper from the camera.

QRCode were fast on assembly lines two decades ago. They were invented in the nineties, at a time where we had slow processors and shitty cameras.

Assembly lines give you GREAT control over where the code is located, how it's lit (consistently), and what you do on read error (can't shunt off the passenger to a read error bin, so they don't hold up the line). Rotational angle doesn't matter, perspective skew does. And then - it's a leaf of paper, so you get folds and obscured parts (yes, correctable...up to a point).

No variance.

People can then use nfc with their phone, which doesn't have the pollution problem.

I don't think people realize how limited the hardware was at the time.

They think because their phone is slow at scanning QR codes, that's how it must be. But the phone is not a dedicated device for QRCode scanning.

It's like someone saying they get blurry pics of cars on the highway so clearly speed limits are not possible to check automatically.

It’s kind of the same, though. The physical communication layer is different, but the higher protocol layers are basically identical. Smart cards with contacts follow ISO 7816. These MIFARE contactless cards are ISO 14443 Type A cards, and their protocol follows ISO 7816-4.

This shouldn’t be terribly surprising — the entire ecosystem built for smart cards with contacts wants to support contactless cards with minimal changes, and this includes the host software, the readers, and the logic in the cards. There are even plenty of devices where the same device supports contact and contactless uses — plenty of credit cards, bank cards, and FIDO devices are like this.

This is analogous to WiFi and wired Ethernet. They’re have very different physical layers, but they are logically compatible, and the same software supports both.

One of the things you could do was pay certain types of widely used paper invoices. When I was brought on, the UI for this was just a standard HTML table with labels and input boxes. I decided to build a prototype with a paper invoice image as the background and a textboxes places where the numbers appearred on the paper invoice.

When people paid the invoice, they would have the paper version they had received by postal mail next to them. Now, their mission was to enter the numbers so they would end up with a visual one-to-one copy of the paper invoice on the computer screen. It made it easy for everyone to figure out which numbers to enter.

People embraced this immediately, and all forms were changed to follow this principle. All banks implemented it in their banking apps and still use it today.

They were designed to be machine-readable from the start for easy processing at the bank, and one of the ways they did this was by having all the fixed data encoded in a special font. When we started using smartphone banking apps, you'd just be able to scan a bill with your phone and it'd immediately read out all the data, fill in the missing stuff, and you'd only have to tap "confirm" to do the actual payment.

MIFARE Ultralight does not actually implement 14443-4/7816/"smartcard"-style APDUs; it's significantly simpler, since the ICs are much less powerful.

To make things more confusing, some MIFARE ICs really do implement ISO 14443-4 (e.g. their fixed-function MIFARE DESfire cards, and their programmable smartcard ICs like SmartMX), but not all of them.

This is like a 100 bytes, a qr code can be over 2kb

This is a cheap plastic substrate with ink printing over the top. A qr code is just ink - or some other even cheaper printing process if you prefer.

This needs a specific ticket technology supplier over the next 10’s of years. QR codes can be drawn on screens or printed on paper and you can change suppliers for every component - from mobile phone apps to paper type to physical printer and reader devices - until your heart’s content over the next years. That flexibility can’t be underestimated in a space like public ticketing over decades.

Issuing replacement tickets needs physical presence to collect the ticket, vs qr code which can be emailed, sent on whatsapp, shared as a screenshot or photo if you need to, but of course you can still exchange physical paper qr codes if you prefer.

The rfid reader for these are cheap and durable, the optical reader for qr codes can be almost as cheap and almost as durable but not quite, the rfid wins this one point by a small margin.

The problem with QR codes:

1. If they're printed, they can be copied.

2. "Dynamic" QR codes can be screenshot.

3. They're read-only (by definition)

4. Readers are slow, require good orientation by the user.

NFC is good because it's read/write, has a ~10cm range, the larger cards can hold up to 4K of data, the ultralights can replace single journey tickets and can be recycled like magnetics being captured at exit.

The huge disadvantage of NFC in this context is the electronic waste necessarily produced.

2. As per 1, no issue

3. That’d be a great feature if true, I’m all for immutability. However , qr codes can be defaced easily, hopefully the built in checksum defend against that. a more likely threat your system needs to defend against is that new qr codes can be generated extremely quickly

4. Both systems are the same speed, both systems require accurate targeting by the user, an rfid token slightly askew of the reader will not read since it won’t be able to influence / absorb the generated rf - most of these systems work by providing power to the rfid token and it communicates back not by transmitting its own signal but by exerting influence on the signal it’s receiving. It’s a very very low power interaction and very sensitive to positioning

A better problem than 4 is that you entail staff overheads with a visual system to keep them clean.

Read / write is a bad feature, you will lose ticket sales.

Recycling these is not practical. Direct reuse risks jamming the vending machine (used tickets end up subtly bent, very hard to reliably deal with), actual recycling isn’t viable, the energy required and emissions produced exceed that of creation of a new card from raw materials.

Yes, the question is not whether such system would be abused, but how much. But this is in the end what businesses care about.

Will QR codes be abused more than NFC chips? Likely yes.

Will it produce a larger financial loss than the cost of the NFC chips?

Can I mitigate these losses by a centralized validation system (each terminal needs a network connection with low latency guarantees)? Sure, but how much will it cost?

You make it sound like less moving parts are a bad thing :-)

I know what you're getting at though - the decentralized tolerance of network partitions and the ability to provide higher availability and faster decision speed at the entry barrier.

The system design constraints are hard but not impossible, my back of napkin maths says 5k/ticket scans per second with 99th percentile latency < 1000ms not only satisfies every use case that exists today but allows for 3x population growth beyond!

There's a few things in your favour when designing this system though. For example, in the case of network partition, you have geographic locality so a pen drive delivered a couple of times per day is likely feasible.

I don't know about Montreal, but Moscow public transport uses similar paper tickets, also Mifare Ultralight, except you can get them for different number of trips. When you use your ticket, the turnstile or validator would increment those one-way counters so that the next one would know how many trips you have left. You can't do that with a QR code without either the reader or the user's device having a persistent internet connection to some sort of central server that would keep track of all tickets, which is impractical.

So the solution is the transportation card is writable, and each train station acts like a small data center. They sync the data periodically to the main data center.

I think the syncing tech is getting better, Japan train companies are going to experiment with QR code soon. So read only is feasible.

That's also how the two subway systems I'm most familiar with do it here in Russia. In both Moscow and St Petersburg, the data stored on the refillable tickets (Troika and Podorozhnik respectively) was thoroughly reverse engineered. People who did it, of course, tried to write them too — for example, you'd make a dump, enter a station, then restore the dump with your old balance. It worked, but only for a day or two, after which the card number was added to a blacklist that all turnstiles check cards against. The conclusion was that there's a server on each station that turnstiles talk to, that syncs with some central server each night (when the subway is closed), where all system-wide transactions for the day are collated, and if anything is off, the card is blacklisted.

The bulk of the ticket will still be the Felica card though, because as far as I know neither the QR code or EMV open-loop system can handle required throughput of 60 persons/minute/gate.

To support the above, they did away with multi-trip tickets like you describe. It instead tracks and discounts once you hit a weekly limit (yes, you have to give up your privacy for this with an account or use your credit card directly). Not great for intermittent travel.

For systems like this the question is: if the internet is down and a few people get a free trip, does it really matter? You don't always need 100% accuracy if it makes everything else simpler, like removing paper tickets, printers, litter, etc.

So the central server model is practical. The user's device has to have an internet connection at some point to activate the ticket within a reasonable period before using it but the connection doesn't have to persist after that. I don't know how their handheld scanners work in the Hudson River tunnels where there is no cell service but they do, so long as the user activates their ticket before the train departs.

Do you mean it would be hard for staff to scan cards? Here in the Netherlands both qr and cards (travel cards + bank cards) can be used at stations, and are read by the staff on the train.

Slightly tangential, but when I was in Montreal, I was blown away that you just purchase a ticket from a machine and you get a printed out ticket with an NFC chip inside. Not my favourite part of the trip (Montreal is beautiful!) but definitely a cool piece of technology to see being put to such a mundane use.

The thing with plane and long-distance train tickets is that you buy them for a specific route. So all the checking only needs to be done at your departure station/airport, the code for which is encoded in the ticket, and the rest of the system doesn't need to know anything about it. But you can't do that with city transport. When there aren't multi-use tickets, people would often buy multiple single-use ones at a time and use them as the need arises, without knowing in advance when, where, and from where they'll be going.

Now this one time ticket needs to generated before entering the metro station and the qr code is scanned at * both entry and exit*.

I think the entire system works on daily rotating ticket id validated using unique hashes where a ticket validity period is tracked. I think this should be enough to ensure non-reuse of same ticket.

The caveat is, I have always only bough one time ticket which is the only mode allowed in qr. For daily traveller's, they need to buy token/card which is NFC based.

We actually have this for suburban trains, it's just a receipt with a 1D barcode on it. You use the barcode to open the turnstile (on some stations where they are installed), but otherwise the tickets are checked by controllers that occasionally go through trains.

For getting around a city though, I don't see much of a good use case. In my city, if you're here for at least several days, you're expected to buy the refillable card. If you're only here briefly and only need to use the metro a couple times, it's 1.5x more expensive but you'd buy tokens or tap with your bank card.

The ticket itself just has to encode an ID, and then the central database contains an entry for that ID that is checked by the gate in real time. When the ticket is scanned at a gate, the database gets updated.

This is literally how all of the UK Mobile Train Tickets work. The ticket is a 2D barcode either on screen or on paper. Every gate / scanner operated by a guard records when the ticket has been scanned. They are synchronised and a ticket from being scanned twice. It's not that deep

The ticket vending machines print your monthly transit passes right onto the face of your card at the beginning of the month, and erase it after it expires.

It's not a QR code though. Just human readable text for bus drivers. (Turnstiles in the subway still read the pass via NFC.)

I would have said that make it much more resilient, but I have seen so many buses that couldn't accept fares... I'm not so sure if it's the case.

Contactless ICs are more powerful in every other aspect: They're rewritable (allowing reusable tickets), they can support challenge-response authentication (allowing secure offline usage, which in turn makes for faster transactions at the gate), and they're much less finicky to scan in my experience.

But for subway/metro, during rush hour throughput it is important to able to tap an RFID almost instantly. QR is too slow and error-prone for subway/metro.

The world (including Montreal - these tickets are going away) has converged on credit card / phone / top-up charge card for that reason.

Getting those QR code readers to read the QR code was a nightmare. Almost all the cameras have heavily scratched protective windows in front of them, which makes the reading process a struggle of trying to find a working angle. Of course the scratching is vandalism, but subway systems must be robust against vandalism, cause it's something that happens and must be expected.

I switched to per-transit payment via NFC after using one of the time-limited tickets and realizing that you need to consider yourself lucky if you find just one working QR code reader at most stations. NFC worked like a breeze.

A better application for QR codes is scenarios where it doesnt matter that its slower. Airline checkins, concert tickets, etc work well, a busy subway where people are queueing to get through a barrier as quickly as possible is one of the worst places to use it.

The paper tickets can hold many fares, including unlimited evening fares or two day fares. I believe this would be hard to pull off with QR codes without having to keep track centrally.

If course duplication is probably a bigger risk for these tickets as they case be simply locked to one use server side.

If it was a short-lived QR code generated on your phone, then maybe. But the whole point of MIFARE Ultralight EV1 cards is that they can't be cloned. It's for repeated use, not for printing and using once.

My wife, on the other hand, who is not at all technical, took it for granted that you would tap them and immediately figured it out intuitively.

The same thing with IKEA: I always rely on the manual and just blindly follow the instructions, and gets very frustrated if the instructions miss one step.

Thing I figured out assembling IKEA stuff in the past few years: if it seems like they skipped a step, look carefully at the details in pictures. Perhaps use a magnifying glass. There's going to be only one way to get from step N to step N+1, and all the information to figure it out is there. The drawings of all the pieces, from major parts to tiniest of screws, have accurate details, and there's enough of them to disambiguate the situation.

Basically all other flat pack furniture I’ve ever bought has, but none of the dozen or so ikea items I’ve assembled. It’s part of why I only buy flat pack if it’s ikea, now.

One left out details in the diagrams in each step that they had deemed irrelevant to that step. This apparent attempt at simplifying the instructions stumped me for ages because I kept thinking I'd oriented pieces wrong due to the number of holes in the picture differing from the number of holes in the physical thing.

The other had switched some parts since the instructions were made, and hadn't bothered to update the instructions. This was a bit more obvious, but still kinda irritating for someone like me who is uncomfortable with uncertainty when I believe certainty should be attainable.

Whatever else can be said of IKEA, their manuals and quality control are excellent. I think of them as the McDonald's of furniture — it's never the best product, but it's damn good for the price, and you know exactly what you're going to get.

Following instructions is a good thing. Plenty of people damage stuff when putting it together since it looks obvious, but they usually miss critical details. I would imagine that the people who designed the card scanners had to put a lot of thought into their design simply because they know many people won't read instructions and would do as you suggest: figure out a way to insert [the card] somewhere.

Transit has different considerations though. It is critical that doing the right thing is obvious without reading instructions. Someone might have an important meeting to make and the time to read the instructions (or wait for the person in from of them to read the instructions) means they are late. Or (worse?!?) that time spent in line is annoying enough that someone decides to buy a car. You can somewhat get around this with more fare machines - but they are expensive and take up a lot of space. Fortunately we have human-machine interaction specialists who can tell you how to make a fare machine that is easy to use correctly without needing any instructions.

But why do people make incomplete manuals? If I have a step by step guidance and it doesn't work, because some steps were left out, than this is just a wrong manual!

(I share your frustration)

Ikea, on the other hand, prides itself on user experience. Everything is Ikea-branded, so any complaint will come back to Ikea because the buck stops there. Everything is sold internationally, and they don't want to translate it into a dozen languages, so they have to make clear assembly diagrams. Their entire brand is built around having great assembly instructions!

The logo you mention (four arcs actually) is owned by EMVco though, and they let people only use it for credit and debit card contactless payment cards.

There’s also an NFC logo, but as mentioned elsewhere, these cards aren’t really NFC cards, so that would also not be the right thing to use (I believe the NFC forum wants something to happen when you touch anything bearing that logo with your phone).

Trains in the UK still have a certain amount of "Which of these tickets/receipts go where?" while a line of irritated locals is building up behind you. Fortunately, also being the UK, someone will help you if you're struggling with something sooner rather than later.

The above assumes you know you will be there and so can look things up. I wasn't planning to leave the airport in one city so I didn't look up what locals do - then weather made me miss the connection and I was stuck in a city for a day.

Locals going to a new part of their own city often have the same problems trying to read the map and time tables. They are faster than tourists, but still need extra time because they don't know what is going on.

In the end assholes designing it hid the payment terminal in such way that you can't see it from usual angle of use.. Amazingly hostile user design for those that rarely use that transport system...

Some transit systems are just inherently more confusing than others. It doesn’t matter to the locals who know the quirks, but that doesn’t mean something can’t be improved. NYC has a great subway system, but I find the signage and general wayfinding quite lacking. Tokyo’s system is on a similar level of complexity but has excellent wayfinding and is generally much easier for a tourist to use.

£150 from London to Leeds?! I can fly halfway across Europe for less…

The unofficial BR Fares[1] website does a lot to untangle the complexity, although it can only do so much to mitigate the expense.

[1]: https://www.brfares.com/

I used to work with someone who, even on an expense account, would roll their eyes if someone wanted them to do a last minute trip to London.

Probably because it's around the size of a credit card and has fake smart card contacts printed on it. That being said, I would probably get confused myself too.

Two common ways of getting around that is to either sandwich a plastic part containing the antenna to a metal one, or to punch out a circular part in the middle of the metal card and put the antenna in there (and close it all up using more plastic).

One card that doesn’t do either is the Apple Card – and as a result, you can’t tap it!

Well it's really annoying: the "metal" card (maybe as you say a mix of metal and plastic) is harder to swipe, so I got use to present it face down instead of face up, for I noticed that that way I get a better percentage of success on the first try.

I don't have the problem with my full plastic credit/debit cards.

For vision-impaired people, NFC tags can be attached to objects and the phone can read an audio description when the object is tapped against phone.

Nowadays, I suppose most consumers do have RFID tags (debit cards, transport cards, building keys, e-Passports), they just might not be aware of the underlying technology.

If you buy any standard NFC forum tag, chances are pretty good that it'll work with any Android or iOS device. The Ntag series has worked pretty well for me on both OSes and across various phones; I have one that instantly and cross-platform rickrolls everybody tapping it.

I used this knowledge to replace the QR code membership card to my friend's bar with an NFC card version, it looks really cool in your wallet compared to all the flimsy paper stamp cards from the other bars.

My understanding is that they are one time use?

In New Delhi metro, India, they used to use plastic tokens with these chips, but at the end of the journey, to exit the station you have to give the chip back.

Nowadays, they use a printed QR system, and they have even gone paperless. I can buy the ticket with my mobile app, pay using UPI instant payment, and show the qr code on the phone to the scanner and then travel.

For monthly card holders, rfid chip based cards are issued.

Lifetime of a plastic opus card may even be more wasteful, by mass of plastic and chip, if not used extensively. For example, one time use is often for tourists, where a full chip opus would be very wasteful indeed.

That's just whataboutism: If there's an alternative way of solving the same problem that generates less waste, why not use it?

I find the contactless coin form factor for single rides quite clever personally, and I don't see any downsides compared to paper single-use tickets (other than that validators and gates need some storage container to collect them, which could be tricky in buses).

Airline is not just whataboutism. It illustrates the absurdity of scale in your point. Imagine someone who is spending 20 minutes to save themselves 4 pennies on their electrical bill, but they are running 8 air conditioners with their windows open during a heatwave. Yes, that's whataboutism, but it's an informal fallacy, meaning I may still have a good point.

The antenna isn't, however. In any case, I think there's a pretty high chance these tickets will not end up in a dedicated recycling facility that can properly separate antenna from paper and recycle both, disregarding the chip.

For similar reasons, Japan is phasing out even magnetic stripe single-ride tickets out of recycling concerns (in favor of QR code based ones).

> Imagine someone who is spending 20 minutes to save themselves 4 pennies on their electrical bill

That's not an appropriate comparison, though. Buying a reusable token doesn't take 20 minutes more than buying a paper ticket.

Imagine instead a device manufacturer spending some months of R&D to help every single household in a large country save 4 pennies on their electrical bills, and it doesn't seem so absurd anymore.

In the app that is used by me, the brightness of the screen is automatically increased by the app as soon as I open the ticket QR, and then reduces to its previous state, once the QR code display is removed.

Contactless tickets work both ways, and in addition to that usually have a larger, more forgiving "landing area". On top of that, they can usually read through a wallet (but that's more relevant to regular commuters, arguably; tourists and infrequent riders will likely have purchased the ticket just moments before using it).

Do you have any insight into the economics of this in general compared to other disposable solutions. Are manufacturing old school magnetic stripe tickets, or just optical scanning/barcodes a lot cheaper?

I imagine magnetic stripes have a higher failure to read rate at the turnstile causing issues, while both them and optical scanning requires the ticket to be inserted into the machine, adding complexity and moving parts.

The cool thing is that their thing doesn't work with all Android phones for an unknown reason (various people from the transit agency said "oh Android? Yeah it doesn't always work with Android"), which you have no way of knowing before topping up money and trying to use your phone.

If anyone is curious, it was a Xiaomi Redmi phone, a midrange one that has no issues paying over NFC. A OnePlus next to it with the same Android version worked just fine.

They've been trying to get contactless bank card payments going on the same turnstiles but roll-out has been bogged down by other transit agencies apparently.

Surely they're not using 75µm/120µm wafers throughout the entire production process - that's literally the thickness of a human hair! Can a 200/300mm wafer of that thickness even support itself, let alone all the stresses in the production process?

What is the actual mechanism behind the DESFire and other secure NFC chips that prevents cloning?

The DESFire and other secure chips contain a cryptographic key that you can't access. Without the key, you can't make a clone of the chip. The cryptography provides authentication and encryption that you don't get with the cheap Ultralight chip.

I think this is all market segmentation; they don't put more security into the Ultralight chip because they don't want to cannibalize their higher-end sales.

I can't think of a much worse way to do security. That feels like trying to flood the market with lockpicks that don't work instead of making a more pick-resistant lock.

Ultralight C does support actual cryptographic authentication.

Also, many of these transit systems are eventually consistent (they're usually offline-capable for resilience, but usually manage to send all validation transactions to a backoffice system within at most a day, and often minutes).

This allows detecting duplicate usage fairly quickly. In systems where you need to tap out as well as tap in to leave the turnstile, that's where ticket inspectors might take a sudden interest in you if you tap out with a cloned ticket.

In the end, as with most security systems, the goal is not to make fraud absolutely impossible, but to make it economically non-viable.

How does this fit into the broader NFC ecosystem? What do other big metro systems like Omny, Clipper, Smartrip etc use? Apple and Google seem to implement some NFC protocols in their devices but in a much more programmable way, how does that work? Is the protocol used in credit cards related at all? And how do these relate to Felica, the system used everywhere in Japan (which was in the news for a while because the factory where they made the chips burned down and they had a chip shortage - giving Apple an opening to move into the market with iPhone NFC)?

As far as I can tell, the NFC ecosystem is a mess of competing, incompatible protocols from different companies, as well as incompatibilities for historical reasons. For example, Clipper uses MIFARE DESFire, which is the more secure sibling of the Ultralight chip that I examined. Washington's SmarTrip cards use MIFARE Plux X. New York City's OMNY, on the other hand, is apparently built on top of the Mastercard payment network using EMV. Montreal's rechargeable OPUS card (not the disposable one I examined) uses the completely different Calypso standard. FeliCa was developed in Japan along a different path and has a different standard (NFC-F vs NFC-A) with different modulation, protocol, and data rates. The NFC chips used in phones try to be compatible with as much as possible. These NFC systems all use the same 13.56 MHz frequency, so the radio hardware is compatible across them.

Theoretically Felica is a different stack from ISO 14443, but it's close enough that it almost got specified as a variant of ISO 14443 as well (C; MIFARE and most other systems use A). NFC does specify Felica as one possible official tag type (then called NFC-F, as opposed to NFC-A and NFC-B), so practically, most mobile devices can just also read it.

For anybody wanting to experiment a bit, I can highly recommend getting any Android device and installing NFC tag reader by NXP; it'll show you what technology exactly a given card uses, and in some cases can show you other interesting information as well. There's also an app that lets you read the current balance of various transit cards.

Google just has an Android API for it called HCE (Host Card Emulation), and anybody can write an app that implements it (i.e. Google Pay has no special position compared to competitors). In a nutshell, you just get a callback for every APDU (protocol message) the phone receives from the reader and get to respond as you wish.

Apple embeds a secure element in their devices, which is a chip almost identical to that you'll find in actual physical cards, but with an additional interface that connects it to the application processor, so that the OS and (privileged, i.e. Apple Wallet only) apps can interface with it and load new card applications. That's why the storage in Apple Wallet is limited to 50-ish cards, but Google Pay allows many more :)

Felica is not part of the ISO 14443 family, but closely related and also an official physical layer of NFC (NFC-F), so many devices practically support it as well. To my knowledge, there is no software-based emulation for it though (that's always a bit risky for stored-value cards), so Suica etc. only work on Japanese phone models that have the necessary secure element, as well as on all iPhones (Apple installs a Felica applet into their secure element on demand).

In e.g. London and the Netherlands, the readers were upgraded to support tapping in and out with a debit/credit card or Apple/Google Pay.

However, Apple also seems to have an ‘Express’ mode, which even works when the battery is empty (‘Power Reserve’).

It seems to me that there must be three protocols: the one for the disposable and stored-value tickets (ISO 14443?), EMV for debit/credit/Apple Pay/Google Pay, and Apple Pay Express.

Apple Pay Express is just Apple Pay without the need for the full system UI: "If iOS isn’t in use because iPhone needs to be charged, there may still be enough power in the battery to support Express Card transactions." it interacts the same way as the physical card equivalent (otherwise they would need a reader upgrade).

An AirTag can operate on a CR2032 for two years. An Energizer datasheet says that’s 235 mAh. An iPhone 13 Mini has a 2438 mAh battery (~10x). It makes sense the phone could do it for at least a day or two with the left over charge.

(I don’t know how long it would actually keep working)

EMV is an account-based payments protocol, and the card only confirms its presence in a transaction; balances are managed on the backend. The reader does not authenticate itself to the card at all.

MIFARE is a stored-value service and as such keeps track of the card's balance on-chip. This requires another smartcard on the reader side, holding the necessary keys for mutual authentication, but allows two-sided offline transactions, which is quite useful for transit applications (e.g. buses dropping out of network coverage, allowing higher volumes even during short server outages etc.)

MIFARE cards are used in all kinds of applications and not all of them require the reader to authenticate itself. And even in authenticated uses the keys don't neccessarily need to be stored in a smartcard (SAM) depending on the security requirements. For the simpler MIFARE cards a secure enclave for the keys doesn't even provide any additional security since they key is transmitted to the card anyway - and the simplest ones don't have any authentication at all.

I'd assume that the keys (more accurately passwords, since a key would never be transmitted to the card over an unencrypted interface) are diversified by card serial number though? In that case, it would still be useful to have an SAM to hold that diversification key. You could further store some MAC authentication tag on the password-protected tag that the SAM needs to see before revealing the password over the radio.

I'm not saying that this is how every transit system practically does use MIFARE Ultralight, but based on the design, it's definitely possible.

In the footnotes you said:

> One complication is that the counters have an "anti-tearing" feature for additional security

Two questions:

1. Why is it a "complication"? Is it just that it makes the counters more complicated, or is there something frustrating about the counters? 2. I would love to learn more about how the anti-tearing feature works!

Specifically, I use an AmScope ME300TZB-2L-10M microscope, which my friends consider an entry-level microscope, but it works for my needs.

MIFARE Ultralight C and larger/more expensive chips allow challenge-response authentication, making them pratically uncloneable. These are usually used for reloadable and monthly passes.

I imagine those can use even simpler chips that are completely read-only over the air and only have a UID programmed.

I found myself in Paris having to cross the other day and forgot how terrible the old way of buying tickets was, amazed that it’s still the norm in so many cities

You can also store only an ID in a QR code, but you could also fit more information and a digital signature of it in there.

However oyster really is in its way out for most uses. contactless and especially a phone is far more convenient for non season use, and far less wasteful.

The only ones that I came across that are not Mifare, and not even readable by Android (but readable by the Flipper Zero), are the paper tickets used in Brussels. Then, of course, there are non-NFC tickets. For example those that use magnetic stripes, like the cute tiny ones in Paris or NYC's MetroCard.

It's conceptually very similar to MIFARE – a fixed function IC implementing a fully offline stored value purse – but uses a stack that differs from ISO 14443 A on pretty much all layers. (It was planned to possibly become ISO 14443 C, but that never happened.)

Yes: Felica was developed by Sony in Japan, but was actually first adopted in Hong Kong, then later in Japan. It's far better than other standards, because it's so fast.

I'm looking forward to not having to choose one trade-off over the other.

Wrong. With the traffic volumes normally seen in Tokyo, those few hundred extra milliseconds will cause huge delays at the fare gates. There's a reason the systems here use the Felica card which processes in 100ms: it's really needed for this kind of pedestrian volume.

In Japan credit card transactions routinely take a couple seconds. Imagine each person taking 5 seconds to go through the gate! I think what trials for credit card payments in transportation services there are doing is simply not processing the transaction inline, and just doing it after the fact (assuming it will go through).

If you try to use a card that is valid but has no available balance/credit, it might work for the first ride but then be blocked when you try to use it for the return trip.

Fares are batched throughout the day and you are charged once, overnight, for all rides that day (after applying any multi-ride discounts, etc).

This is different from some other cities where I’ve used contactless payments and they’d charge you immediately for each ride, giving you lots of annoying little charges on your bank statement!

Don't ask me how though

The Japanese transit cards that are supported by Apple Pay have that option, and it's arguably the best of both worlds.

It is, there’s even an auto top-up option that adds credit automatically if your balance drops below a certain level.

But there’s no “digital” Oyster card, only physical ones. If you want to use a device to pay you have to use contactless.

And either way, it’s still kind of a pain to have to maintain a balance - especially if you’re a tourist or visitor and don’t know exactly how much credit you’re going to need.

I agree that being able to load a transit card into Apple Pay etc is also a good solution. The convenience of not having a physical card that can be easily lost or forgotten is probably the biggest benefit for me.

Octopus (used in Hong Kong) is the one that supports virtual cards in Apple Wallet.