MIFARE
MIFARE is the NXP Semiconductors-owned trademark of a series of chips used in contactless smart cards and proximity cards.
The brand name covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard. It uses AES and DES/Triple-DES encryption standards, as well as an older proprietary encryption algorithm, Crypto-1. According to NXP, 10 billion of their smart card chips and over 150 million reader modules have been sold. MIFARE is owned by NXP Semiconductors, which was spun off from Philips Electronics in 2006.
Variants
MIFARE products are embedded in contactless and contact smart cards, smart paper tickets, wearables and phones.The MIFARE brand name covers four families of contactless cards:
; [|MIFARE Classic] : Employs a proprietary protocol compliant to parts 1–3 of ISO/IEC 14443 Type A, with an NXP proprietary security protocol for authentication and ciphering. Subtype: MIFARE Classic EV1.
; MIFARE Plus: Drop-in replacement for MIFARE Classic with certified security level and is fully backwards compatible with MIFARE Classic. Subtypes MIFARE Plus S, MIFARE Plus X and MIFARE Plus SE.
; MIFARE Ultralight : Low-cost ICs that are useful for high volume applications such as public transport, loyalty cards and event ticketing. Subtypes: MIFARE Ultralight C, MIFARE Ultralight EV1 and MIFARE Ultralight Nano.
; MIFARE DESFire:Contactless ICs that comply to parts 3 and 4 of ISO/IEC 14443-4 Type A with a mask-ROM operating system from NXP. The DES in the name refers to the use of a DES, two-key 3DES, three-key 3DES and AES encryption; while Fire is an acronym for Fast, innovative, reliable, and enhanced. Subtypes: [|MIFARE DESFire] EV1, MIFARE DESFire EV2, MIFARE DESFire EV3.
There is also the MIFARE SAM AV2 contact smart card. This can be used to handle the encryption in communicating with the contactless cards. The SAM provides the secure storage of cryptographic keys and cryptographic functions.
MIFARE Classic family
The MIFARE Classic IC is just a memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for access control. They are ASIC-based and have limited computational power. Due to their reliability and low cost, those cards are widely used for electronic wallet, access control, corporate ID cards, transportation or stadium ticketing.The MIFARE Classic with 1K memory offers 1,024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc. MIFARE Classic with 4K memory offers 4,096 bytes split into forty sectors, of which 32 are same size as in the 1K with eight more that are quadruple size sectors. MIFARE Classic Mini offers 320 bytes split into five sectors. For each of these IC types, 16 bytes per sector are reserved for the keys and access conditions and can not normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read only. That brings the net storage capacity of these cards down to 752 bytes for MIFARE Classic with 1K memory, 3,440 bytes for MIFARE Classic with 4K memory, and 224 bytes for MIFARE Mini. It uses an NXP proprietary security protocol for authentication and ciphering.
The Samsung TecTile NFC tag stickers use MIFARE Classic chips. This means only devices with an NXP NFC controller chip can read or write these tags. At the moment BlackBerry phones, the Nokia Lumia 610, the Google Nexus 4, Google Nexus 7 LTE and Nexus 10 can't read/write TecTile stickers.
MIFARE Classic encryption has been compromised; see [|below] for details.
MIFARE Plus family
MIFARE Plus is a replacement IC solution for the MIFARE Classic.Key applications:
- Public transportation
- Access management; e.g., employee, school, or campus cards
- Electronic toll collection
- Car parking
- Loyalty programs
MIFARE Plus was publicly announced in March 2008 with first samples in Q1 2009.
MIFARE Plus, when used in older transportation systems that do not yet support AES on the reader side, still leaves an open door to attacks. Though it helps to mitigate threats from attacks that broke the Crypto-1 cipher through the weak random number generator, it does not help against brute force attacks and cryptoanalytic attacks.
During the transition period from MIFARE Classic to MIFARE Plus where only a few readers might support AES in the first place, it offers an optional AES authentication in Security Level 1. This does not prevent the attacks mentioned above but enables a secure mutual authentication between the reader and the card to prove that the card belongs to the system and is not fake.
In its highest security level SL3, using 128-bit AES encryption, MIFARE Plus is secured from attacks.
MIFARE Plus EV1
MIFARE Plus EV1 was announced in April 2016.New features compared to MIFARE Plus X include:
; Sector-wise security-level switching: The choice of crypto algorithm used in the authentication protocol can be set separately for each sector. This makes it possible to use the same card with both readers that can read MIFARE Classic products and readers that can read MIFARE Plus products. This feature is intended to make it easier to gradually migrate existing MIFARE Classic product-based installations to MIFARE Plus, without having to replace all readers at the same time.
; ISO 7816-4 wrapping: The card can now be accessed in either the protocol for MIFARE, or using a new protocol variant that runs on top of ISO 7816-4. This way the cards become compatible with NFC reader APIs that can only exchange messages in ISO 7816-4 APDU format, with a maximum transfer data buffer size of 256 bytes.
; Proximity check: While the protocol for MIFARE Classic tolerated message delays of several seconds, and was therefore vulnerable to relay attacks, MIFARE Plus EV1 now implements a basic "ISO compliant" distance-bounding protocol. This puts tighter timing constraints on the permitted round-trip delay during authentication, to make it harder to forward messages to far-away cards or readers via computer networks.
; Secure end-2-end channel: Permits AES-protected over-the-air updates even to Crypto1 application sectors.
; Transaction MAC: The card can produce an additional message-authentication code over a transaction that can be verified by a remote clearing service, independent of the keys used by the local reader during the transaction.
MIFARE Ultralight family
The MIFARE Ultralight has only 512 bits of memory, without cryptographic security. The memory is provided in 16 pages of 4 bytes.Cards based on these chips are so inexpensive that they are often used for disposable tickets for events such as the Football World Cup 2006.
It provides only basic security features such as one-time-programmable bits and a write-lock feature to prevent re-writing of memory pages but does not include cryptography as applied in other MIFARE product-based cards.
MIFARE Ultralight EV1
MIFARE Ultralight EV1 introduced in November 2012 the next generation of paper ticketing smart card ICs for limited-use applications for ticketing schemes and additional security options. It comes with several enhancements above the original MIFARE Ultralight:- 384 and 1024 bits user memory product variants
- OTP, lock bits, configurable counters for improved security
- Three independent 24-bit one-way counters to stop reloading
- Protected data access through 32-bit password
- NXP Semiconductors originality signature function, this is an integrated originality checker and is an effective cloning protection that helps to prevent counterfeit of tickets. However this protection is applicable only to "mass penetration of non NXP originated chips and does not prevent hardware copy or emulation of a single existing valid chip"
- Limited-use tickets in public transport
- Event ticketing
- Loyalty
MIFARE Ultralight C
Key applications for MIFARE Ultralight C are public transportation, event ticketing, loyalty and NFC Forum tag type 2.
MIFARE DESFire family
The MIFARE DESFire was introduced in 2002 and is based on a core similar to SmartMX, with more hardware and software security features than MIFARE Classic. It comes pre-programmed with the general purpose MIFARE DESFire operating system which offers a simple directory structure and files. They are sold in four variants: One with Triple-DES only and 4 kiB of storage, and three with AES. The AES variants have additional security features; e.g., CMAC. MIFARE DESFire uses a protocol compliant with ISO/IEC 14443-4. The contactless IC is based on an 8051 processor with 3DES/AES cryptographic accelerator, making very fast transactions possible.The maximal read/write distance between card and reader is, but actual distance depends on the field power generated by the reader and its antenna size.
In 2010, NXP announced the discontinuation of the MIFARE DESFire after it had introduced its successor MIFARE DESFire EV1 in late 2008. In October 2011 researchers of Ruhr University Bochum announced that they had broken the security of MIFARE DESFire, which was acknowledged by NXP.
MIFARE DESFire EV1
First evolution of MIFARE DESFire contactless IC, broadly backwards compatible. Available with 2 kiB, 4 kiB, and 8 kiB non-volatile memory. Other features include:- Support for random ID.
- Support for 128-bit AES
- Hardware and operating system are Common Criteria certified at level EAL 4+
Key applications:
- Advanced public transportation
- Access management
- Loyalty
- Micropayment
MIFARE DESFire EV2
New features include:
- MIsmartApp enabling to offer or sell memory space for additional applications of 3rd parties without the need to share secret keys
- Transaction MAC to authenticate transactions by 3rd parties
- Virtual Card Architecture for privacy protection
- Proximity check against relay attacks
MIFARE DESFire EV3
The latest evolution of the MIFARE DESFire contactless IC family, broadly backwards compatible.New features include:
- ISO/IEC 14443 A 1–4 and ISO/IEC 7816-4 compliant
- Common Criteria EAL5+ certified for IC hardware and software
- NFC Forum Tag Type 4 compliant
- SUN message authentication for advanced data protection within standard NDEF read operation
- Choice of open DES/2K3DES/3K3DES/AES crypto algorithms
- Flexible file structure hosts as many applications as the memory size supports
- Proof of transaction with card generated MAC
- Transaction Timer mitigates risk of man-in-the-middle attacks
MIFARE SAM AV2
MIFARE SAMs are not contactless smart cards. They are secure access modules designed to provide the secure storage of cryptographic keys and cryptographic functions for terminals to access the MIFARE products securely and to enable secure communication between terminals and host. MIFARE SAMs are available from NXP in the contact-only module as defined in ISO/IEC 7816-2 and the HVQFN32 format.Integrating a MIFARE SAM AV2 in a contactless smart card reader enables a design which integrates high-end cryptography features and the support of cryptographic authentication and data encryption/decryption. Like any SAM, it offers functionality to store keys securely, and perform authentication and encryption of data between the contactless card and the SAM and the SAM towards the backend. Next to a classical SAM architecture the MIFARE SAM AV2 supports the X-mode which allows a fast and convenient contactless terminal development by connecting the SAM to the microcontroller and reader IC simultaneously.
MIFARE SAM AV2 offers AV1 mode and AV2 mode where in comparison to the SAM AV1 the AV2 version includes public key infrastructure, hash functions like SHA-1, SHA-224, and SHA-256. It supports MIFARE Plus and a secure host communication. Both modes provide the same communication interfaces, cryptographic algorithms, and X-mode functionalities.
Applications
MIFARE products can be used in different applications:- Automated fare collection system
- Identification cards
- Access management
- Campus cards
- Loyalty cards
- Tourist cards
- Micropayment
- Road tolling
- Transport ticketing
- Event ticketing
- Mobile ticketing
- Citizen card
- Membership cards
- Parking
- Library cards
- Fuel cards
- Hotel key cards
- NFC Tag
- Taxi cards
- Smart meter
- Museum access cards
- Product authentication
- Production control
- Health cards
- Ferry Cards
- Car rentals
- Fleet management
- Amusement parks
- Bike rentals
- Blood donor cards
- Information services
- Interactive exhibits
- Interactive lotteries
- Password storage
- Smart advertising
- Social welfare
- Waste management
Byte layout
History
- 1994 – MIFARE Classic IC with 1K user memory introduced.
- 1996 – First transport scheme in Seoul using MIFARE Classic with 1K memory.
- 1997 – MIFARE PRO with Triple DES coprocessor introduced.
- 1999 – MIFARE PROX with PKI coprocessor introduced.
- 2001 – MIFARE Ultralight introduced.
- 2002 – MIFARE DESFire introduced, microprocessor based product.
- 2004 – MIFARE SAM introduced, secure infrastructure counterpart of MIFARE DESFire.
- 2006 – MIFARE DESFire EV1 is announced as the first product to support 128-bit AES.
- 2008 – MIFARE4Mobile industry Group is created, consisting of leading players in the Near Field Communication ecosystem.
- 2008 – MIFARE Plus is announced as a drop-in replacement for MIFARE Classic based on 128-bit AES.
- 2008 – MIFARE Ultralight C is introduced as a smart paper ticketing IC featuring Triple DES Authentication.
- 2010 – MIFARE SAM AV2 is introduced as secure key storage for readers AES, Triple DES, PKI Authentication.
- 2012 – MIFARE Ultralight EV1 introduced, backwards compatible to MIFARE Ultralight but with extra security.
- 2014 – MIFARE SDK was introduced, allowing developers to create and develop their own NFC Android applications.
- 2014 – NXP Smart MX2 the world's first secure smart card platform supporting MIFARE Plus and MIFARE DESFire EV1 with EAL 50 was released.
- 2015 – MIFARE Plus SE, the entry-level version of NXP's proven and reliable MIFARE Plus product family, was introduced.
- 2016 – MIFARE Plus EV1 was introduced, the proven mainstream smart card product compatible with MIFARE Classic in its backward compatible security level.
- 2016 – MIFARE DESFire EV2 is announced with improved performance, security, privacy and multi-application support.
- 2016 – MIFARE SDK is rebranded to TapLinx, with additional supported products.
- 2018 – MIFARE 2GO cloud service was introduced, allows to manage MIFARE DESFire and MIFARE Plus product-based credentials onto NFC-enabled mobile and wearable devices.
- 2020 – MIFARE DESFire EV3 is announced
- 2020 – MIFARE Plus EV2 was introduced, adding SL3 to support MIFARE 2GO, EAL5+ certification & Transaction Timer to help mitigate man-in-the-middle attacks.
Infineon Technologies licensed MIFARE Classic from Mikron in 1994 and developed both stand alone and integrated designs with MIFARE product functions. Infineon currently produces various derivatives based on MIFARE Classic including 1K memory and various microcontrollers, 16 bit, and 32 bit with MIFARE implementations, including devices for use in USIM with Near Field Communication.
Motorola tried to develop MIFARE product-like chips for wired-logic version but finally gave up. The project expected one million cards per month for start, but that fell to 100,000 per month just before they gave up the project.
In 1998 Philips licensed MIFARE Classic to Hitachi Hitachi licensed MIFARE products for the development of the contactless smart card solution for NTT's IC telephone card which started in 1999 and finished in 2006. In the NTT contactless IC telephone card project, three parties joined: Tokin-Tamura-Siemens, Hitachi, and Denso. NTT asked for two versions of chip, i.e. wired-logic chip with small memory and big memory capacity. Hitachi developed only big memory version and cut part of the memory to fit for the small memory version.
The deal with Hitachi was upgraded in 2008 by NXP to include MIFARE Plus and MIFARE DESFire to the renamed semiconductor division of Hitachi Renesas Technology.
In 2010 NXP licensed MIFARE products to Gemalto. In 2011 NXP licensed Oberthur to use MIFARE products on SIM cards. In 2012 NXP signed an agreement with Giesecke & Devrient to integrate MIFARE product-based applications on their secure SIM products. These licensees are developing Near Field Communication products
Security of MIFARE Classic, MIFARE DESFire and MIFARE Ultralight
The encryption used by the MIFARE Classic IC uses a 48-bit key.A presentation by Henryk Plötz and Karsten Nohl at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip. Abstract and slides are available online. A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.
In March 2008 the Digital Security research group of the Radboud University Nijmegen made public that they performed a complete reverse-engineering and were able to clone and manipulate the contents of an OV-Chipkaart which is using MIFARE Classic chip. For demonstration they used the Proxmark device, a 125 kHz / 13.56 MHz research instrument. The schematics and software are released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.
The Radboud University published four scientific papers concerning the security of the MIFARE Classic:
- A Practical Attack on the MIFARE Classic
- Dismantling MIFARE Classic
- Wirelessly Pickpocketing a MIFARE Classic Card
- Ciphertext-only Cryptanalysis on Hardened MIFARE Classic Cards
NXP tried to stop the publication of the second article by requesting a preliminary injunction. However, the injunction was denied, with the court noting that, "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."
Both independent research results are confirmed by the manufacturer NXP. These attacks on the cards didn't stop the further introduction of the card as the only accepted card for all Dutch public transport the OV-chipkaart continued as nothing happened but in October 2011 the company TLS, responsible for the OV-Chipkaart announced that the new version of the card will be better protected against fraud.
The MIFARE Classic encryption Crypto-1 can be broken in about 200 seconds on a laptop from 2008, if approx. 50 bits of known key stream are available. This attack reveals the key from sniffed transactions under certain circumstances and/or allows an attacker to learn the key by challenging the reader device.
The attack proposed in recovers the secret key in about 40 ms on a laptop. This attack requires just one authentication attempt with a legitimate reader.
Additionally, there are a number of attacks that work directly on a card and without the help of a valid reader device. These attacks have been acknowledged by NXP.
In April 2009 new and better card-only attack on MIFARE Classic has been found. It was first announced at the rump session of Eurocrypt 2009.
This attack was presented at SECRYPT 2009.
The full description of this latest and fastest attack to date can also be found in the IACR preprint archive.
The new attack improves by a factor of more than 10 all previous card-only attacks on MIFARE Classic, has instant running time, and it does not require a costly precomputation. The new attack allows to recover the secret key of any sector of MIFARE Classic card via wireless interaction, within about 300 queries to the card. It can then be combined with the nested authentication attack in the Nijmegen Oakland paper to recover subsequent keys almost instantly. Both attacks combined and with the right hardware equipment such as Proxmark3, one should be able to clone any MIFARE Classic card in not more than 10 seconds. This is much faster than previously thought.
In an attempt to counter these card-only attacks, new "hardened" cards have been released in and around 2011, such as the MIFARE Classic EV1. These variants are insusceptible for all card-only attacks publicly known until then, while remaining backwards compatible with the original MIFARE Classic. In 2015, a new card-only attack was discovered that is also able to recover the secret keys from such hardened variants.
Since the discovery of this attack, NXP is officially recommending to migrate from MIFARE Classic product-based systems to higher security products.
MIFARE DESFire attacks
In November 2010, security researchers from the Ruhr University released a paper detailing a side-channel attack against MIFARE product-based cards. The paper demonstrated that MIFARE DESFire product-based cards could be easily emulated at a cost of approximately $25 in "off the shelf" hardware. The authors asserted that this side channel attack allowed cards to be cloned in approximately 100 ms. Furthermore, the paper's authors included hardware schematics for their original cloning device, and have since made corresponding software, firmware and improved hardware schematics publicly available on GitHub.In October 2011 David Oswald and Christof Paar of Ruhr-University in Bochum, Germany, detailed how they were able to conduct a successful "side-channel" attack against the card using equipment that can be built for nearly $3,000. Called "Breaking MIFARE DESFire MF3ICD40: Power Analysis and Templates in the Real World", they stated that system integrators should be aware of the new security risks that arise from the presented attacks and can no longer rely on the mathematical security of the used 3DES cipher. Hence, to avoid, e.g. manipulation or cloning of smart cards used in payment or access control solutions, proper actions have to be taken: on the one hand, multi-level countermeasures in the back end allow to minimize the threat even if the underlying RFID platform is insecure," In a statement NXP said that the attack would be difficult to replicate and that they had already planned to discontinue the product at the end of 2011. NXP also stated "Also, the impact of a successful attack depends on the end-to-end system security design of each individual infrastructure and whether diversified keys – recommended by NXP – are being used. If this is the case, a stolen or lost card can be disabled simply by the operator detecting the fraud and blacklisting the card, however this operation assumes that the operator has those mechanisms implemented. This will make it even harder to replicate the attack with a commercial purpose."
MIFARE Ultralight attack
In September 2012 a security consultancy Intrepidus demonstrated at the EU SecWest event in Amsterdam, that MIFARE Ultralight product-based fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free in a talk entitled "NFC For Free Rides and Rooms ". Although not a direct attack on the chip but rather the reloading of an unprotected register on the device, it allows hackers to replace value and show that the card is valid for use. This can be overcome by having a copy of the register online so that values can be analysed and suspect cards hot-listed. NXP have responded by pointing out that they had introduced the MIFARE Ultralight C in 2008 with 3DES protection and in November 2012 introduced the MIFARE Ultralight EV1 with three decrement only counters to foil such reloading attacks.Considerations for systems integration
For systems based on contactless smartcards, security against fraud relies on many components, of which the card is just one. Typically, to minimize costs, systems integrators will choose a relatively cheap card such as a MIFARE Classic and concentrate security efforts in the back office. Additional encryption on the card, transaction counters, and other methods known in cryptography are then employed to make cloned cards useless, or at least to enable the back office to detect a fraudulent card, and put it on a blacklist. Systems that work with online readers only are easier to protect than systems that have offline readers as well, for which real-time checks are not possible and blacklists cannot be updated as frequently.Certification
Another aspect of fraud prevention and compatibility guarantee is to obtain certification called to life in 1998 ensuring the compatibility of several certified MIFARE product-based cards with multiple readers. With this certification, the main focus was placed on the contactless communication of the wireless interface, as well as to ensure proper implementation of all the commands of MIFARE product-based cards. The certification process was developed and carried out by the Austrian laboratory called Arsenal Research. Today, independent testhouses such as Arsenal Testhouse, UL and LSI-TEC, perform the certification tests and provide the certified products in an online database.Places that use MIFARE products
Transportation
| Card name | Locality | Type | Details |
| :es:Urbana |EYCON e-Bus | Argentina | MIFARE Classic 1K | Initially for use in the local public transport for short and medium distances. However it is expected that in the card will be used for taxis, and furthermore purchase items in shops. |
| SUBE card | Argentina | MIFARE Classic 1K | Used for public transport, such as Metro, trains and buses |
| Pase Metro | Dominican Republic | MIFARE Classic 1k | Used for public transportation. |
| Red Bus | Argentina | MIFARE Classic 1K | For payment of public transport. |
| Tarjeta Sin Contacto MOVI | Argentina | MIFARE DESFire EV1 SAM V2 | Means of payment for urban transport and as of 2015 payment for public bicycles and parking meters. |
| Adelaide Metro metroCard | Australia | MIFARE DESFire EV1 | Adelaide Metro network |
| TransLink Go card | Australia | MIFARE Classic 1K | Used on the TransLink public transport network. |
| ACTION MyWay | Australia | MIFARE Classic 1K | Form of electronic ticketing used on public transport services within Canberra |
| Metro Green Card | Australia | MIFARE Classic 4 | Greencard simplifies public transport by acting like a digital wallet. Used on buses and the metro. |
| SmartRider | Australia | MIFARE Classic 1K | Widely used across the Transperth public transport in metropolitan Perth, as well as the regional town bus services. Used for public bus, train and ferry services. |
| Opal card | Australia | MIFARE DESFire EV1, MIFARE Ultralight | Is valid on all bus, rail, light rail and government ferry services in Sydney and surrounding areas such as Central Coast. |
| Myki | Australia | MIFARE DESFire | Used on public transport such as, trains, buses, trams and coaches in Victoria |
| Baku metrocard | Azerbaijan | MIFARE Classic 1K, MIFARE Plus S 1K | For use on the subway rides on the Baku Metro. |
| TRI | Brazil | MIFARE Classic 1K | Used for the buses and trains in Porto Alegre. |
| BHTrans | Brazil | MIFARE Classic 1K | |
| Brasilia +Cidadã | Brazil | MIFARE Classic 1K | Used for the buses and subway in Brasilia. |
| RioCard | Brazil | MIFARE Classic 1K | The RioCard can be used on all modes of public transport within Rio- bus, ferry, subway and train. However it can only be used a maximum of eight times a day |
| Bilhete Único | Brazil | MIFARE Classic 1K, MIFARE Plus X, MIFARE Plus EV1 | Can be used on buses, bus rapid transit, Metrô and CPTM trains. |
| Orovale | Brazil | Can be used on the buses for this area. | |
| Carte Occasionnelle, Carte Solo | Canada | MIFARE Ultralight | SMT- Used on the bus, rapid transit, taxibus and paratransit in Montreal. RTC- used for bus servies, bus rapid transit and paratransit in Quebec. Carte Solo- used for the commuter rail and express bus service in Greater Montreal. |
| M-Card | Canada | MIFARE Classic 1K | Used on the Metrobus Transit system. |
| Presto Card | Canada | MIFARE DESFire | Used on various public transport systems in the greater Toronto and Hamilton Area and Ottawa. Buses, trains, rapid transit and streetcars |
| Compass Card | Canada | NXP's MIFARE DESFire EV1 4K, MIFARE Ultralight | Used for public transit. $6 refundable deposit. |
| Peggo Card | Canada | MIFARE DESFire EV1 4K | Used on the Winnipeg Transit system. |
| Tarjeta Metroval | Chile | MIFARE Classic 1K | Valparaíso Metro uses this card as a unique payment method |
| Tarjeta Bip! | Chile | MIFARE Classic 1K and 4K | Metro de Santiago, Transantiago |
| StrongLink | China | ||
| Yikatong | China | Can be used on the subway, buses, taxis and in some cooperating retailers and restaurants. The card can also be used for Beijing's bicycle sharing system | |
| Yang Cheng Tong | China | Used on the metro, buses, taxis and ferries in Guangzhou and the surrounding areas. | |
| Cívica | Colombia | Can be used for travel on the subway, cable cars, some bus routes and in the near future for the tram | |
| BusCARD | Croatia | MIFARE Classic 1K | Used for public transport |
| BuTra | Croatia | MIFARE Classic 1K | Used by trams & buses and social ID identification |
| Rijeka City Card | Croatia | MIFARE Classic 1K, MIFARE Ultralight | Used by buses, parking spaces, libraries, museums... |
| ZET Card | Croatia | MIFARE Classic 1K | Can be used for travel on all public transport networks in Zagreb. Also entitles you to get discounts at over 150 locations such as the museum and zoo. |
| In Karta | Czech republic | MIFARE DESFire, MIFARE DESFire EV1 | , Used for transport on trains, aimed at regular train users. Using the card enables 25% discount on fares. |
| Opencard | Czech republic | MIFARE DESFire EV1 | Used for travel on the public transport in Prague. As well as paid parking and libraries. |
| Lítačka | Czech republic | MIFARE DESFire EV1 | Successor of Opencard, used mostly for public transport in Prague, can be also used in municipal libraries. It cannot be used as electronic wallet – for parking – as its predecessor. |
| Hradecká karta | Czech republic | MIFARE Classic 4K | Card is issued by DPMHK a.s., compatible with Pardubická karta. |
| Pardubicka karta | Czech republic | MIFARE Classic 4K | Card is issued by DPMP a.s., can also be used as a ticket to local theatre, and used by many schools in Pardubice for student IDs. |
| Rejsekort | Denmark | MIFARE Classic 4K | Can be used for travel on trains, buses and metro in Copenhagen and nearly whole of Denmark. |
| Ühiskaart | Estonia | MIFARE Classic | Can be used for travel on trams, buses, trolleybuses in Tallinn, as well as other towns inside the country. |
| Bussikaart | Estonia | MIFARE Ultralight C | Used for bus travel in Tartu. Works also in other locations around the country. |
| Matkakortti | Finland | MIFARE DESFire | Can be used with all forms of public transport systems within Helsinki Metropolitan Area. |
| :de:Aachener Straßenbahn und Energieversorgungs-AG|ASEAG | Germany | MIFARE DESFire EV1 | Can be used with all forms of public transport systems within NordRhein Westfalen Area. Readers in all buses of Aachen and Deutsche Bahn staff. |
| Metromoney | Georgia | MIFARE Classic 1K | Used in municipal transport and while traveling by Rike-Narikala ropeway. |
| ATH.ENA CARD / ATH.ENA TICKET | Greece | MIFARE DESFire / MIFARE Ultralight | Used on the Athens metro, buses and trams. |
| MTR City Saver | Hong Kong | MIFARE Ultralight C | Older cards only. New cards use Sony FeliCa Lite-S. |
| Indian Railways | India | MIFARE DESFire | Indian railways |
| Delhi Metro Rail Corporation | India | MIFARE Ultralight | Used in Metro transit system and for paying fares in DTC and cluster buses. |
| Namma Metro Smart Card | India | MIFARE DESFire EV1 | Can be used to travel in Namma Metro in Bengaluru |
| Cardz Me | India | Issued to students in the Indian state of Karnataka by Cardz Middle East | |
| Metro/Bus Card | Iran | MIFARE Classic 1K | Used for public transport, Metro and Bus – |
| Esfahan Card | Iran | MIFARE Classic 1K | Used for public transport, Metro and Bus – Municipality Fun Places |
| Man Card | Iran | MIFARE DESFire EV1 | Used for public transport and low value payments – |
| SmartCard | Ireland | MIFARE Classic 1K | Used for train transport for Iarnród Éireann |
| Leap card | Ireland | MIFARE DESFire EV1 | replaces the individual Luas, Dart and Dublin Bus smartcards |
| Luas smart-card | Ireland | MIFARE Classic | being replaced by the Leap card |
| Dublin Bus smart-card | Ireland | MIFARE Classic | being replaced by the Leap card |
| DART smart-card | Ireland | MIFARE Classic | being replaced by the Leap card |
| AltoAdige/Südtirol Pass | Italy | MIFARE DESFire EV1 | Southern Tirol network |
| Etalons | Latvia | MIFARE Ultralight | Can be used to pay fare for buses, trams and trolleybus. |
| Travel card | Lithuania | MIFARE Classic | Introduced in summer of 2013 |
| Touch N Go | Malaysia | Used for paying road tolls on the Expressway, fare of public transport, electronics parking and retail payments. | |
| OV-chipkaart | The Netherlands | MIFARE Classic 4K | MIFARE Classic 4K and MIFARE Ultralight used for all public transport until it was [|cracked]. In 2011 a switch was made to cards based on Infineon microcontrollers. |
| AT HOP card | New Zealand | MIFARE DESFire EV1 | Introduced as the regional integrated ticketing card. The previous branded HOP card aka "Snapper/HOP" uses the JCOP standard and was phased out of use in Auckland in 2013. |
| Metlink Snapper Card | New Zealand | MIFARE Plus | - |
| Kolumbuskort | Norway | MIFARE DESFire EV1 | Bus, Boat. http://www.kolumbus.no |
| Ruter reisekort | Norway | MIFARE DESFire EV1 | Bus, boat, tram, subway and trains. Ruter and |
| Białostocka Karta Miejska | Poland | MIFARE Classic 1K | Used on buses |
| Krakowska Karta Miejska | Poland | MIFARE Classic 1K / MIFARE Plus 2K | Used on trams and buses and as ID for Kraków City Bike system |
| Warszawska Karta Miejska | Poland | MIFARE Classic 1K | Used on buses, trams, subway and railroad |
| SmartTech Production | Hong Kong | NXP MIFARE Golden Partner | |
| eBilet | Poland | MIFARE Classic 1K | Used on trolleybuses and buses |
| Beep | Philippines | MIFARE DESFire EV2 | Used on Manila Light Rail Transit System, Manila Metro Rail Transit System, FamilyMart, North Luzon Expressway, Robinsons' Movieworld, and Some City Buses |
| RATB Activ | Romania | MIFARE Classic 1K | Used on all public surface transportation and also available for subway |
| Moscow Metro | Russia | MIFARE Ultralight, MIFARE Plus X | Disposable ticket, eWallet "TROIKA" |
| EMcard | Slovakia | MIFARE DESFire EV1 | Used by almost every public transport system in Slovakia and some in Czech Republic. In most cases only referred to as BCK – Bezkontaktná cipová karta |
| Urbana | Slovenia | MIFARE DESFire EV1 | Used by buses, parking spaces, libraries, museums, the Ljubljana Castle funicular, sports institutes and cultural events. |
| Upass | South Korea | MIFARE Classic | Used by Metro, bus, light metro, and airport link. Discontinued in 2014, replaced by T-money. |
| Daekyung Transport Card | South Korea | MIFARE Classic | Mainly used by Daegu Metro, Daegu bus and Gyeongsan bus. Discontinued in 2014, replaced by Toppass/Onepass. |
| Consorcio de Transportes de Madrid | Spain | MIFARE DESFire EV1 | Metro, trains and buses |
| Consorcio de Transportes de Asturias | Spain | MIFARE Classic 1k | Buses and trains. |
| T-Mobilitat | Spain | MIFARE DESFire | Metro, trains and buses, with compatibility with Bicing bike rentals, car parks. |
| Barik | Spain | MIFARE DESFire | Used for public transport, such as Metro, trains and buses of the province of Biscay. Managed by Biscay Transport Consortium. |
| Resekortet | Sweden | MIFARE Classic 1K | Travel ticket for buses and trains. |
| Skånetrafiken JoJo | Sweden | MIFARE Classic 1K | Used for public transport in Skåne |
| Karlstadsbuss | Sweden | MIFARE Classic 4K | Karlstadsbuss Resekort |
| SL Access | Sweden | MIFARE Classic 4K | Stockholms lokaltrafik |
| Västtrafik | Sweden | MIFARE Classic 1K/4K, MIFARE Plus, MIFARE Ultralight | Västtrafikkortet |
| EasyCard | Taiwan | MIFARE Classic, MIFARE Plus | |
| Rabbit Card | Thailand | MIFARE DESFire EV1 | Used on BTS Skytrain, Bangkok BRT, restaurants, shops and cinemas that accept Rabbit Card |
| Smart Purse | Thailand | MIFARE Classic 1K | Used on Metrobus, 7-Eleven, shops and restaurants that accept Smart Purse |
| Bangkok Metro Smart card | Thailand | MIFARE Classic 1K | Bangkok Metro |
| KGS Card | Turkey | MIFARE Classic 1K, MIFARE Plus 2K | Toll Highways, KGS |
| Muzekart | Turkey | MIFARE Classic 1K, MIFARE Plus 2K | Used as a museum pass for Istanbul's various museums |
| Istanbulkart | Turkey | MIFARE DESFire EV1 | Buses, ferry boats, metro, light metro, trams and overground trains |
| İzmirimKart | Turkey | MIFARE Plus & custom card securing | Metro, bus, passenger ship |
| Iff card | United Kingdom | MIFARE DESFire EV1 | Used on Cardiff Bus services. |
| Walrus Card | United Kingdom | MIFARE DESFire EV1 | Public transport within Merseyside. |
| Oyster card | United Kingdom | MIFARE DESFire EV1 | Migrated from MIFARE Classic to MIFARE DESFire EV1 in 2011 |
| EasyRider | United Kingdom | Can be used as payment for buses or the tram on Nottingham City Transport | |
| United Kingdom | MIFARE DESFire EV1 | Can be topped-up and used at: local train stations, bus stations, PayZones and more. | |
| Breeze Card | United States | MIFARE Ultralight and MIFARE Classic | Can be used as payment for MATRA Rapid Rail and MARTA Bus. |
| CharlieCard | United States | MIFARE Classic 1K | MBTA v. Anderson – Civil case related to the responsible disclosure of flaws in the system |
| Ventra | United States | MIFARE DESFire EV1 | Used for payments with CTA and Pace. |
| METRO Q Card | United States | MIFARE Classic 1K | Used for payment of the METRORail, METROBus and METROLift. |
| Transit Access Pass | United States | MIFARE Plus – Security Level 1 | Used as electronic ticketing for most public transport within Los Angeles County. |
| Go-To Card | United States | MIFARE Classic 1K | |
| ConnectCard | United States | MIFARE Classic | |
| Hop Fastpass | United States | MIFARE DESFire EV1 256B | |
| ORCA card | United States | MIFARE DESFire | |
| Clipper card | United States | MIFARE DESFire | Replacing TransLink, which used a Motorola Card. |
| PATH SmartLink | United States | MIFARE DESFire | Used as a fare payment method on the PATH transit system in Newark. |
| Easy Card | United States | MIFARE Ultralight | Used on Metrobus, Metrorail, Tri-Rail, City of Hialeah Transit, and Conchita Transit Express. |
| Compass Card | United States | MIFARE Classic 1K | Used on buses, trolleys, Coaster and Sprinter trains in SDMTS and NCTD |
| SmarTrip | United States | MIFARE Plus X | Used on the Washington Metropolitan Area Transit Authority and neighbouring transit systems; accepted on systems in Baltimore, Maryland |
| CharmCard | United States | MIFARE Plus X | Used on the Maryland Transit Administration; accepted in Washington, D.C. systems |
| Freedom Card | United States | MIFARE DESFire EV1 | Travel between Philadelphia, Pennsylvania and Southern New Jersey on the PATCO Speedline |
Application references
Institutions
- Northwest University, South Africa – Student/staff ID, access control, library, student meals, sport applications, payments
- Linkoping university, Sweden – Student/staff ID, access control, library, copy/print, student discount, payments
- London School of Economics – Access control
- New College School in Oxford – Building access.
- Imperial College London – Staff and student ID access card in London, UK.
- Cambridge University – Student/Staff ID and access card, library card, canteen payments in some colleges
- University of Warwick – Staff and student ID card and separate Eating at Warwick stored value card in Coventry, UK.
- Regent's College, London – Staff and student ID access card in London, UK.
- University of New South Wales – Student ID access card.
- The University of Queensland – Staff and student ID, access control, library, copy/print, building access
- University of Alberta – Staff OneCard trial currently underway.
- Northumbria University – Student/staff building and printer access.
- City University of Hong Kong – Student/staff building, library, amenities building.
- Hong Kong Institute of Vocational Education – Student ID card, attendance, library, printers and computers access.
- The Chinese University of Hong Kong – Student ID card, attendance, library, printers and door access control
- University of Bayreuth – Student ID card and canteen card for paying.
- University of Ibadan, Nigeria – Student ID card and examination verification and attendance.
- Bowen University, Iwo, Nigeria – Student ID card and examination verification and attendance.
- Afe Babalola University, Ado-Ekiti, Nigeria – Student ID card and examination verification and attendance.
- Achievers University, Owo, Nigeria – Student ID card and examination verification and attendance.
- Adekunle Ajasin University, Akungba, Ondo State, Nigeria – Student ID card and examination Verification and Attendance.
- Auchi Polytechnic, Auchi, Nigeria – Student ID card and examination verification and attendance.
- University College Hospital, Ibadan, Nigeria – Student ID card and staff attendance.
- Federal University of Technology, Minna, Niger State, Nigeria – Student ID card and Examination Verification and Attendance.
- Benson Idahosa University, Benin City, Edo State, Nigeria – Student ID card and Examination Verification and Attendance.
- Federal University of Technology, Akure, Ondo State, Nigeria – Student ID card and Examination Verification and Attendance.
- Covenant University, Nigeria – Student ID card and Examination Verification and Attendance.
- Lead City University, Nigeria – Student ID card and Examination Verification and Attendance.
- Hogeschool-Universiteit Brussel, Belgium – Student ID card, canteen card for paying, library and building access.
- Southampton University – Student ID card, library and building access – MIFARE Classic 4K.
- Delft University of Technology, Netherlands – Student/Staff ID card, staff coffee machines, lockers, printers and building access.
- Eindhoven University of Technology, Netherlands – Student/Staff ID card, staff coffee machines, lockers, printers and building access currently rolling out DESfire EV1.
- Dresden University of Technology, Germany – Building access, canteen card for payment
- Chemnitz University of Technology, Germany – Student ID card
- Leipzig University, Germany – Student ID card, canteen card for payment
- Freiberg University of Mining and Technology, Germany – Student/Stuff ID card, building access, canteen card for payment
- University of Jena, Germany – Student/Staff ID card, building access, canteen card for payment
- University of Würzburg, Germany – Student/Staff ID card, building access, library access and fee payment, canteen card for payment
- Technical University of Denmark, Denmark – Student ID card, building access
- University of Duisburg-Essen, Germany – Student/Staff ID card, library access, canteen card for payment
- Walt Disney World Resort – used for tickets, Disney Dining Plan, and room key access
- University of Northampton – Car park access, building access – MIFARE Classic 1K.
- Assumption University, Thailand – Student/Staff ID card, library and computers access, canteen, transportation and parking payment, election verification – MIFARE Classic 4K
- Claude Bernard University Lyon 1 Student ID, access control, library
- University of Strasbourg Student ID, access control
- Aberystwyth University Student/staff ID, access control, library, copy/print, student discount, payments, building access
- University of Nottingham – Student ID, access control, library, payments, building access