In March 2008 security weaknesses in the Oyster card were discovered by Professor Bart Jacobs and others from Radboud University, Nijmegen.
The BBC give a good summary: "The weaknesses centre on the chip, called the Mifare Classic, that sits at the heart of the contactless card system. As well as being used on 17 million Oyster cards, the Mifare chip is used by about 1bn smartcards worldwide, and is the basis of the Dutch Rijkspas card.
"Many organisations, including governments, use Mifare technology as a secure entry system for buildings. Given the many millions of cards in use Prof Jacobs held off publishing details about how the information on the chips can be copied and used. It told the Dutch government and NXP about its work to give them time to harden systems against the attack.
"Despite this, NXP sought an injunction to ensure the details of the attack would never be aired. The case went to court in Holland and now the court in Arnhem has overturned the injunction citing local freedom of expression laws." Thanks to Dav for first alerting me to this.
So that's all well and good, but what do Transport for London feel about the freedom to share how to hack the Oyster card? A spokesperson said:
"Transport for London remains confident in the security of the Oyster card system. We take fraud and the security of personal data extremely seriously and constantly review our security procedures."
"Any fraudulent card would be identified within 24 hours of being used and blocked. Using a fraudulent card for free travel is subject to prosecution and we would seek to enforce this wherever possible."
We'll see what happens in October when the research will be published by Professor Bart Jacobs (love that he's called Bart - it's just what you'd imagine Bart Simpson would do if he grew up to be an academic) & his mates.