The hacker who broke the security of London's Oyster cards plans to clone the cards to prove that it can be done.

Cryptographer Dr Nicolas Courtois estimated that a criminal could create a commercial cloning kit for as little as £200 to produce fake travel cards.

Dr Courtois, a member of the Information Security Group at University College London, was addressing the International Crime Science Conference in London about his exploits.

"I do not know if there will be a lot of cloning, but I think we will be working on a demonstrator to show that it is feasible," he told vnunet.com.

Dr Courtois and his colleagues discovered in April that they could crack MiFare Crypto 1, the cipher used in Oyster cards and a billion RFID chips worldwide.

An attempted injunction to prevent release of the details was rejected by a Dutch court on 22 July.

Dr Courtois told the conference that a criminal could clone the cards simply by standing behind a user.

"You can do it in public quite fast just from eavesdropping," he said. "It is the very nature of the wireless technology that you can clone the cards in real time."

Dr Courtois's presentation was on whether ethical hackers and researchers should publish details of vulnerabilities they discover.

"We have an interesting dilemma because we cannot survive as researchers without publishing," he said.

"Yet if we do publish the full specification of the cipher and the attack, as soon as the hackers can reproduce what we already do a massive fraud will occur. We can omit some details, but they will sooner or later be discovered by hackers."

Following his address Dr Courtois told vnunet.com: "I hope not to reveal it all, and hope someone else will. I do not want to disclose the spec but the spec is the last straw on which the security is relying."

Using a purely cryptographic approach, the MiFare Crypto 1 cipher was cracked in 12 seconds on a laptop with a 1.66GHz CPU.

"We are using public source software with a couple of tricks. We did not do anything, we just tried our software," he said.

Dr Courtois has also been involved with cracking KeeLoq and Hitag 2, ciphers used by millions of people every day to unlock car doors.

"Cryptology is a science that assesses the security level of a cipher then cracks it," he explained.

"It is the science that gives most of the pain and negative contribution to the industry. We are never able to say 'this is secure', but frequently we can say this is really, really bad."

The International Crime Science Conference was organised by the Centre for Security and Crime Science at UCL.