Millions of identity cards are carrying a serious security flaw that allows them to be cloned by anyone with a standard laptop,The Times has learnt.

The Mifare smartcard, which is used to gain access to thousands of schools, hospitals and government departments around Britain, as well as providing the technology behind 17 million Oyster cards for travel in London, was hacked into by scientists at a Dutch university.

Bart Jacobs, of Radboud University, used a commercial laptop to clone a swipe access card to a public building in the Netherlands. His team then travelled to London, where they used the same technique to ride on the Underground for a day without paying.

Security experts said that the breach posed a serious risk to security as swipe cards to sensitive areas could be cloned with ease.

After learning of the breach in April, the Dutch Government posted armed guards outside all its buildings and it now plans to spend millions of euros upgrading its systems. It also postponed the introduction of a €1 billion transport payment system similar to the Oyster card until security issues were addressed.

“We take this extremely seriously,” a spokesman for the Dutch Interior Ministry said. “It’s a national security issue. We’re in the process of replacing the cards of all 120,000 civil servants at central government level at a cost of about €5 for each card.”

The Cabinet Office refused to confirm yesterday which government buildings used the system.

About ten million Mifare smartcards are sold in Britain each year, providing access to public buildings as well as cashless payment systems for transport systems and colleges. Six million were issued recently to pensioners for free travel on public transport.

“You only have to walk down the street to see contactless access control systems everywhere,” said Adam Laurie, a security researcher. “It used to be a magnetic strip, now it’s a card held up to a reader on the wall. A large percentage of these will have Mifare technology and are very vulnerable to attack. They should all be replaced.”

He added: “The cryptography is simply not fit for purpose. It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already.”

To perform the London experiment, Dr Jacobs used a computer to reverse the Mifare algorithmic code, allowing him to put credit back on his Oyster card. The cards use a similar wireless technology to that found in biometric passports and the planned national identity card.

“When we found these vulnerabilities we gave a clear security warning to the Dutch Government, which was then passed on to the UK authorities in April”.

Buildings accessible by photo ID cards were particularly vulnerable to attack, Dr Jacobs said. “An employee can be cloned by bumping into that person with a portable card reader,” he said. “The person whose identity is being stolen may then be completely unaware that anything has happened.

“At the technical level there are currently no known countermeasures.”

The technology is owned by NXP Semiconductors, a company based in the Netherlands and founded by Philips. A spokesman for the company said: “We are aware that the Dutch researchers have reverse engineered the algorithm and we are taking this issue very seriously. We’ve informed all of our system integrators and advised them to closely assess their systems. We’re talking to the guys at Radboud University and have identified various counter measures.”

Transport for London denied yesterday that any security breach had taken place. “This was not a hack of the Oyster system,” a spokesman said. “It was a single instance of a card being manipulated.”

There are an estimated two billion Mifare Classic cards worldwide.

Explore Tech & Web

• Personal Tech

• The Web

• Gadgets & Gaming