Thursday, July 2, 2026

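Current State of Metro Transit Cards and an Improvement Plan

Most metro systems across Taiwan still rely on EasyCard or iPASS, cards built on the legacy MIFARE Classic chip, and they lag behind Japan's Suica and Hong Kong's Octopus in both security and digitalization. Although Taipei Metro already "bypasses" EasyCard by accepting contactless EMV credit cards, the ticketing system as a whole still has structural problems. Below I have summarized for you the current state and a feasible improvement plan: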

---

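🚇 Current state of metro systems across Taiwan

  • Taipei Metro: has supported contactless EMV credit cards (Apple Pay, Google Pay) since 2024, but EasyCard remains the mainstay, and 90% of the cards are MIFARE Classic.
  • Kaohsiung Metro: partnered with Mastercard as early as 2019 and supports Apple Pay, but ticketing still centers on iPASS.
  • Taichung Metro: took the lead in 2025 by enabling Apple Pay Express Transit, making it the most proactive.
  • Other systems (Taoyuan, Tainan light rail, etc.): still mainly EasyCard or iPASS, and have not yet fully adopted EMV or CPU cards.

👉 Conclusion: apart from the relatively proactive Taichung Metro, the other systems are still stuck in an "old cards + back-office patching" model.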

---

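🔒 Core security problems

  1. MIFARE Classic vulnerabilities: the encryption algorithm was broken as early as 2008, and the barrier to cloning a card is extremely low.
  2. Back-office patching: transaction auditing and anomaly detection act as the safety net, but there is still a time lag, which led to the 2025 incident in which a high school student cashed out.
  3. Incompatibility with Apple Pay: the Apple Secure Element does not accept outdated algorithms, so an upgrade to CPU cards or the EMV specification is required.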

---

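🛠 Feasible improvement plan

1. Phase out MIFARE Classic in stages

  • Set a 5-year timeline to gradually recall old cards and issue CPU cards (with an independent microprocessor and modern cryptography) in their place.
  • Offer card-replacement subsidies or discounts to reduce user resistance.

2. Gate and back-office upgrades

  • Gates fully support multiple payment methods: EasyCard CPU cards, EMV credit cards, and mobile payments.
  • Move the back office to a real-time online architecture that meets EMV and Apple Pay requirements, avoiding the time-lag loophole of offline card validation.

3. Digitalize ticketing functions

  • Work with Apple/Google to integrate CPU-card tickets directly into Wallet, with support for Express Transit mode.
  • Retain fare-product functions (period passes, TPASS, transfer discounts) to avoid the "payment instrument" limitation of credit card payment.

4. Security oversight and exercises

  • Establish a security alliance spanning the metro systems and test ticketing security regularly.
  • Hold a "white-hat hacker challenge" to find vulnerabilities early and prevent another high school student cash-out incident.

5. Business model adjustments

  • Share transaction fees with banks and payment providers so that EasyCard Corporation does not resist because its margins are too thin.
  • Develop digital membership programs (points, discounts) so that a commercial incentive remains after ticketing is digitalized.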

Thursday, September 9, 2010

FW: NEWSBANK :: Trend Micro Titanium Maximum Security 3.0 Consumer Endpoint Security Performance vs K7, Kaspersky, McAfee & Symantec


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Friday, September 10, 2010 3:10:41 AM
To: Newsbank
Subject: NEWSBANK :: Trend Micro Titanium Maximum Security 3.0 Consumer Endpoint Security Performance vs K7, Kaspersky, McAfee & Symantec
Auto forwarded by a Rule


Trend Micro Titanium Maximum Security 3.0 Consumer Endpoint Security Performance vs K7, Kaspersky, McAfee & Symantec

 

Today Tolly, the leading global provider of hands-on IT research, published a Trend Micro Titanium Maximum Security 3.0 Consumer Endpoint Security Performance vs. K7, Kaspersky, McAfee & Symantec.

 

Trend Micro, Inc. commissioned Tolly to benchmark the performance of Titanium Maximum Security 3.0 vs. consumer-class, Windows 7 32-bit security solutions from K7, Kaspersky, McAfee and Symantec. Specifically, this testing evaluated the impact each solution had on system resources and user experience in a number of common usage scenarios.

 

Testing showed that Trend Micro Titanium consistently scored at or near the top of the rankings in a series of tests that involved boot times, on demand scanning, memory and CPU usage, installation and network copy functions.

 

 

The Bottom Line:

Demonstrated consistently optimal usage of system resources

Implemented the smallest installer among the products tested

Delivered the fastest boot time of all products tested

Delivered the fastest network file copy of all products tested

Demonstrated the lowest memory and CPU usage when performing a full scan of the C: drive

Showed the lowest combined impact on installing and uninstalling programs

 

http://tolly.com/DocDetail.aspx?DocNumber=210142

 

FW: NEWSBANK: Symantec Surges on Microsoft Chatter


-------------------------------------------
From: David Lau (MKT-US)
Sent: Friday, September 10, 2010 2:18:27 AM
To: Newsbank
Subject: NEWSBANK: Symantec Surges on Microsoft Chatter
Auto forwarded by a Rule


Symantec Surges on Microsoft Chatter

By James Rogers    09/08/10 - 05:09 PM EDT

 

(TheStreet) -- Symantec's (SYMC) shares surged on Wednesday following rumors that the security software maker could be an acquisition target for Microsoft (MSFT).

 

The software maker's stock closed up 61 cents, or 4.37%, at $14.58.

 

Symantec, which missed Wall Street's revenue estimate in its recent first-quarter results, is one of a number of security firms in the M&A spotlight following Intel's (INTC) shocking $7.7 billion acquisition of McAfee (MFE). Companies such as IBM (IBM), Hewlett-Packard (HPQ) and Dell (DELL) have all been touted as potential buyers of security technology at a time when businesses are under intense pressure to lock down data.

 

A spokeswoman for Symantec said that the company does not comment on industry rumors or speculation. Microsoft has not yet responded to TheStreet's request for comment on this story.

FW: NEWSBANK: Trend Micro Shares Set to Rise After Digitimes Report of Takeover Approach


-------------------------------------------
From: David Lau (MKT-US)
Sent: Friday, September 10, 2010 1:52:22 AM
To: Newsbank
Subject: NEWSBANK: Trend Micro Shares Set to Rise After Digitimes Report of Takeover Approach
Auto forwarded by a Rule


Trend Micro Shares Set to Rise After Digitimes Report of Takeover Approach

By Drew Gibson - Sep 8, 2010 5:09 PM PT

 

Trend Micro Inc. is poised to rise in Tokyo after Taiwan’s DigiTimes reported the Japanese maker of anti-virus software has been approached for a possible takeover. The newspaper cited Eva Chen, Trend Micro’s chief executive officer, as the source of the information.

 

The stock was bid at 2,386 yen as of 9:04 a.m. on the Tokyo Stock Exchange, compared with yesterday’s closing price of 2,336 yen. Bids outnumbered offers to sell by about 7-to-1.

 

++++++++++++++++++++++++++++++++++++++++++++++++

Trend Micro shares jump, says no takeover bids now

Published September 09, 2010

 

TOKYO, Sept 9 (Reuters) - Shares of Japan's Trend Micro leaped 10 percent on Thursday after a Taiwanese newspaper said the anti-virus computer software developer had received takeover proposals, but they ended off highs after the company said no offers were now on the table.

 

Investors have speculated Trend Micro may be a takeover target after chipmaker Intel said last month it would buy anti-virus software maker McAfee in a $7.7 billion deal seen sparking industry consolidation.

 

Taipei industry newspaper DigiTimes cited chief executive Eva Chen as saying Trend Micro regularly receives takeover proposals and would consider any actual offers, although it prefers independence.

 

An official at the company later said there had been proposals in the past, but that none were current. Trend Micro would consider any offers at a premium, he said.

 

An analyst said a takeover was conceivable, given current business conditions and industry enthusiasm for acquisitions.

 

"There is a possibility that it (Trend Micro) will be taken over," said Deutsche Securities analyst Satoru Kikuchi. "I don't think business is going all that well, and they are probably not as confident as they were 10 years ago. So, if they get a good offer, they may sell."

 

Kikuchi, however, added he could not think of any obvious candidates as buyers.

 

"Intel's purchase of McAfee was not seen in the industry as reasonable. It was too expensive. They didn't have any special technology and neither do Trend Micro. With viruses, it's simply a question of tackling them one by one, so there is no real need to buy this company," Kikuchi said.

 

The DigiTimes article did not mention any specific offers. It cited Chen as saying she believes Trend Micro is worth more than McAfee.

 

Trend Micro shares ended up 10.3 percent at 2,576 yen on Thursday, valuing the company at $4.3 billion. The stock earlier soared more than 21 percent, or by its daily limit of 500 yen, to a four-month intraday high of 2,836 yen.

 

More than 5 million Trend Micro shares changed hands, roughly 6 times the daily average over the past 3 months. (Reporting by Sachi Izumi, Isabel Reynolds and James Topham; Editing by Nathan Layne)

FW: NEWSBANK: Hurd's Top Five Oracle Acquisition Target Hit-List


-------------------------------------------
From: Sofia Despotidou (MKT-EMEA-SMB)
Sent: Friday, September 10, 2010 12:06:50 AM
To: Newsbank
Subject: NEWSBANK: Hurd's Top Five Oracle Acquisition Target Hit-List
Auto forwarded by a Rule


http://www.crn.com/slide-shows/channel-programs/227300309/hurds-top-five-oracle-acquisition-target-hit-list.htm?pgno=1

 

Hurd Sets His Sights On Game-Changing Oracle Acquisitions

You don't hire an executive with the sales, strategy and execution smarts of a Mark Hurd unless you are looking to make some big new bets (i.e. acquisitions), the kind of bets that Hurd engineered as CEO of HP. Those big bets included HP's $13.9 billion acquisition of systems integration giant EDS, its $2.7 billion acquisition of networking stalwart 3Com and its $1.2 billion acquisition of hand-held computing superstar Palm. Oracle is about to get a facelift. Here are the five top companies that we think should be on Hurd's short list now that he is looking to remake Oracle.

# 1: CSC

# 2: Juniper

# 3: Trend Micro

Security spending within the enterprise market is soaring. So if you want a bigger slice of the enterprise pie then you better be security strong. That's why the number three company on Hurd's acquisition hit list should be Trend Micro.

Trend Micro, one of the most innovative of all the IT companies, would provide Oracle with what may well be the most robust cloud security offering in the business. That's no small competitive advantage given the big move to the cloud by companies of all sizes. Trend Micro had a strong security SaaS (Software-as-a-Service) and cloud footprint years ago, long before it was fashionable.

Trend also has a critical strategic partnership with virtualization leader VMware and recently launched SecureCloud that encrypts data stored in the cloud.

# 4: Hitachi Data Systems

# 5: Terremark

 

FW: NEWSBANK:: Antivirus isn't dead--it's growing up


-------------------------------------------
From: Jon Clay (MKT-US)
Sent: Thursday, September 09, 2010 10:15:56 PM
To: Paul Ferguson (RD-US); Newsbank
Subject: RE: NEWSBANK:: Antivirus isn't dead--it's growing up
Auto forwarded by a Rule


A few points from this article I thought were relevant to us.

However, the tests are to be taken with a grain of salt given the variances in testing standards.)  Appears AMTSO has their work cut out for them as it seems more and more reporters are saying this same phrase.

But malware writers are adept at testing their code against the antivirus software and tweaking it until it passes through undetected.  This is one of our key arguments on why file-based testing should be taken with a grain of salt.  When you test file samples that only come from the same vendors who participate in the test, how real-world is that??  Samples should be sourced at the time of the test and should NOT be obtained by anyone other than the tester.

"In the smartphone world, the answer will not be putting antivirus clients on every phone," said Pescatore. "The answer will be (malware) filtering by cellular carriers...Everything that goes on the phone has to go through the carrier."   And where will these carriers get their threat intelligence?  This is where Trend Micro’s Smart Protection Network should come into play as they can access our intelligence easily through the cloud.

"It's a fascinating time for AV," he said. "Rumors of its death have been greatly exaggerated over the last few years." As we heard Eva state in HiComm, there is a shift happening and we need to take advantage of it.  Protection For and From the Cloud is key, and we have the answers now.

Thanks,


Jon Clay

Sr. Core Technology Marketing Manager

(970) 419-0611

From: Paul Ferguson (RD-US)
Sent: Wednesday, September 08, 2010 2:46 PM
To: Newsbank
Subject: NEWSBANK:: Antivirus isn't dead--it's growing up

 

September 8, 2010 4:00 AM PDT

Antivirus isn't dead--it's growing up

by Elinor Mills

 

We've been hearing it for years: antivirus software is dead. But is it really? If so, it seems to have more lives than Richard Nixon.

Rather than being the industry's swan song, mobile devices could be its redemption opportunity.

Computer security

The antivirus industry is in major transition as threats have evolved from being just the viruses and worms written to exploit holes in Windows that plagued computers in the 1990s to the exploits that target vulnerabilities in Web applications and end user gullibility today.

Many consumers fork over at least $40 for Norton AntiVirus or something similar, many more are turning to free antivirus from AVG or Avast (here's why), and yet millions of computers are still getting hit with infections daily.

While no antivirus software is perfect, the perception that AV often isn't doing a good enough job is backed by studies. Recent benchmark tests pegged the average detection rate among major antivirus products at about 75 percent. (In one test, three out of 10 products stopped all of the original exploits, but the vendors are not named. However, the tests are to be taken with a grain of salt given the variances in testing standards.)

Antispyware and antispam have become standard in most AV, or antimalware, products as vendors have expanded their software into endpoint protection suites. And many have begun placing as much emphasis on heuristic technologies that look at the behavior or reputation of a piece of software as well as matching it to a database of malware signatures. But malware writers are adept at testing their code against the antivirus software and tweaking it until it passes through undetected.

As an alternative, some people are turning to whitelisting technologies that allow only approved programs to run on a computer. Whitelisting is akin to the closed environment of the iPhone where Apple vets every app and is largely effective in protecting the devices, said Gartner analyst John Pescatore. (Bruce Schneier discusses the problems with whitelisting in his essay from last year on the state of the antivirus industry.)

"Antivirus in the e-mail server does a lot of good things...(but) antivirus on people's desktops is almost totally ineffective," Pescatore said. "The antiviral model has been broken for quite a while."

With the fast rise of smartphones and new electronics like iPads, the big challenge for antivirus companies is how best to protect those devices.

It's obvious the traditional antivirus software model won't work, in large part because handheld devices have limited processing power, memory and storage, said Rebecca Bace, chief executive of Infidel, a security consultancy. That's where the cloud comes in, she said.

"There is market demand from the consumer that this will be rolled in as part of the service," Bace said. "This is part of the utilization of network access; something you expect a provider to offer. When I sign up with Verizon, to a degree I'll have the expectation that they'll handle all the security stuff."

Pescatore has a similar view of the future of mobile security.

"In the smartphone world, the answer will not be putting antivirus clients on every phone," said Pescatore. "The answer will be (malware) filtering by cellular carriers...Everything that goes on the phone has to go through the carrier."

Clearly, the antivirus space is grappling with how to move to mobile, said Hugh Thompson, who serves as chair of the RSA Conference and is founder of consultancy People Security and an adjunct professor of software security at Columbia University.

"The challenge for antivirus is how to adapt to new devices, how to allow users to make better choices around what they're doing, and from a business perspective it's coming down to the cloud--what does antivirus mean in the cloud?," he said. "Those three points will define AV over the next two to three years."

Mobile is likely a big reason behind Intel's $7.6 billion acquisition of McAfee, according to Thompson. "For Intel to buy McAfee, they can build some synergies there so that when the chip is released they will have an antivirus solution that supports the chipset and the platforms that come on it," he said.

In general, a big part of the problem for people today is the fact that they are putting so much of their lives on the Web and they don't realize that that data, albeit in numerous different Web sites and sources, can be easily used to trick them into accepting malware with open arms. Sites like Facebook, LinkedIn, and Twitter have expanded peoples' circles of friends and acquaintances exponentially and that can be used to advantage in personalized attacks.

Antivirus will eventually have to defend against social engineering attacks as well as malware, Thompson said.

For instance, an e-mail coming from someone claiming that they met you at an event a few months back and you have a friend in common is more likely to be trusted than one with a generic reference like "LOL is this you?" with a link that appears to lead to a video.

"In the future, an antivirus product will go out and analyze the information and say this is the data that is out there on the Web, this could be a legitimate person, but it will make you aware that you are connected to this person on LinkedIn and you tweeted about a meeting five months ago," Thompson said. "That context sensitive level of threat information is going to be really important in the future."

"It's a fascinating time for AV," he said. "Rumors of its death have been greatly exaggerated over the last few years."

 

 

 

 

http://news.cnet.com/8301-27080_3-20015623-245.html

 

-ferg

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA

 

 

Wednesday, September 8, 2010

FW: NEWSBANK:: Report: RBS WorldPay Hacker Gets Four Years' Probation


-------------------------------------------
From: Paul Ferguson (RD-US)
Sent: Thursday, September 09, 2010 7:53:04 AM
To: Newsbank
Subject: NEWSBANK:: Report: RBS WorldPay Hacker Gets Four Years' Probation
Auto forwarded by a Rule


September 08, 2010 3:40 PM

Report: RBS WorldPay Hacker Gets Four Years' Probation

By Robert McMillan, IDG News

 

The mastermind behind one of the biggest hacking paydays in history has been sentenced to four years' probation and an US$8.9 million fine, according to published reports.

Victor Pleshchuk, 28, was sentenced to four years' probation on Wednesday, according to Bloomberg News. He is considered the leader of a group of criminals who organized a 2008 precision strike on RBS WorldPay, the payment processing division of the Royal Bank of Scotland.

In addition to the reduced sentence of probation, Pleshchuk must also pay back more than 275 million rubles ($8.9 million) to RBS WorldPay, Bloomberg reports.

Russia is trying to fight a reputation for being soft on cybercrime, but this light sentence won't do much to change that perception. Security experts say that Pleshchuk falls into the same category of highly accomplished cybercriminals as Albert Gonzalez, best known for hacking into retailer TJX Companies and the Heartland Payment Systems payment processing network. In March, Gonzalez was sentenced to 20 years in federal prison.

In the RBS WorldPay hack, the criminals broke into the company's back-end system and downloaded enough data to make duplicate corporate debit cards, which are typically used by employees to withdraw money on payday. Then, using an international network, they took money out of victims' bank accounts using their phony cards.

Prosecutors say Pleshchuk and his gang took $9.4 million by hitting more than 2,100 ATMs in at least 280 cities around the world during the 12-hour window of their November 2008 attack. It remains one of the most successful computer crimes ever.

Last month, another alleged ringleader, Sergei Tsurikov, 26, of Tallinn, Estonia, was extradited from Estonia to face a federal judge in Atlanta.

Tsurikov, Pleshchuk and a third leader, Oleg Covelin, were arrested in Russia earlier this year. U.S. authorities have indicted eight people on charges relating to this fraud, though it's not clear how many of them will ever face U.S. justice.

The U.S. Federal Bureau of Investigation did not return a call Wednesday seeking comment.

http://www.pcworld.com/businesscenter/article/205084/report_rbs_worldpay_hacker_gets_four_years_probation.html

 

-ferg

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA