David Oswald and Christoph Paar, both expert hackers at the Ruhr University Bochum, who work to uncover flaws in hi-tech security systems, made the announcement in a study published this week.
In the study they said they managed to crack the DESFire MF3ICD40 RFID cards, used in transportation systems including in the Czech Republic, United States and Australia, using non-invasive and non-detectable measures.
Their discovery could mean unscrupulous hackers could duplicate the data on the cards and ride transportation networks for free, or even break into buildings being protected by the cards.
In a statement in response to the study, the cards’ manufacturer NXP confirmed the study’s results, but said an attack on smart cards would be complex and difficult to replicate, but it said customers should switch to a different version.
It added it was discontinuing the MF3ICD40 by the end of the year and recommended customers use a more secure version.
This is just the latest in a series of hacks on security systems by researchers affiliated with the Ruhr University, which runs one of the largest IT security institutes in Europe.
In 2008 they were able to crack keyless security systems that are used to protect many cars and buildings, leading companies to invest millions of euros in security upgrades.