FareBot is an open-source Android application written by Eric Butler that reads NXP Semiconductor MIFARE DESFire cards and displays their balance and trip history information.
Each card has a unique 7-byte serial number (UID) locked in NV memory. It uses 3DES hardware on the RF channel with replay protection, and has a 4-byte message authentication code (MAC) for data authenticity. However, it relies on the application to provide the authentication.
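What relying on the application means in practice shows up in each file's settings, which state whether reading needs a key and whether the data travels in plain, MACed or enciphered form. The sketch below is an added example, not code from FareBot: it audits a file-settings response, with the byte layout assumed from public DESFire documentation and both sample responses constructed for illustration.

```python
# Assumed layout of a DESFire file-settings response (from public documentation):
#   byte 0     file type
#   byte 1     communication mode
#   bytes 2-3  access rights, little-endian, four nibbles:
#              read | write | read&write | change (0xE = free, 0xF = denied)
#   bytes 4-6  file size, little-endian (standard and backup data files only)
FILE_TYPES = {0: "standard data", 1: "backup data", 2: "value",
              3: "linear record", 4: "cyclic record"}
COMM_MODES = {0: "plain", 1: "MACed", 2: "plain", 3: "enciphered"}
FREE, DENY = 0xE, 0xF

# Constructed sample responses, not read from any real card.
OPEN_FILE = bytes.fromhex("00 00 10 e1 20 00 00")   # read = free, plain
KEYED_FILE = bytes.fromhex("00 03 10 21 40 00 00")  # read = key 2, enciphered


def parse_file_settings(resp):
    """Decode the fields relevant to who may read the file, and how."""
    if len(resp) < 4:
        raise ValueError("file-settings response too short")
    rights = int.from_bytes(resp[2:4], "little")
    read, write, read_write, change = ((rights >> s) & 0xF for s in (12, 8, 4, 0))
    settings = {"type": FILE_TYPES.get(resp[0], "unknown"),
                "comm": COMM_MODES[resp[1] & 0x03],
                "read": read, "write": write,
                "read_write": read_write, "change": change}
    if resp[0] in (0, 1) and len(resp) >= 7:
        settings["size"] = int.from_bytes(resp[4:7], "little")
    return settings


def audit(resp):
    """Classify how well the file's contents are protected against reading."""
    s = parse_file_settings(resp)
    readers = (s["read"], s["read_write"])
    if FREE in readers:
        return "open"                 # any reader in range can read it
    if all(r == DENY for r in readers):
        return "unreadable"
    # A key is required; the remaining question is the channel protection.
    return "authenticated-plain" if s["comm"] == "plain" else "protected"


if __name__ == "__main__":
    for name, resp in (("OPEN_FILE", OPEN_FILE), ("KEYED_FILE", KEYED_FILE)):
        print(name, audit(resp), parse_file_settings(resp))
```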
FareBot parses the unencrypted data on the Seattle ORCA card and dumps the contents of other cards (e.g. San Francisco’s Clipper). According to the ORCA Card privacy statement:
In order to keep the processing time to several milliseconds when an ORCA Card is tapped, the information on the card is generally not encrypted. However, date of birth or passenger type expiration date, if present, is encrypted.
Would you wait a second if you knew it would mean your transit data was protected?
An update was just released for Android 2.3.3.
…no longer needs internal APIs!