How to Crack Mifare Classic Cards (firefart.at)
52 points by FireFart on April 21, 2015 | hide | past | favorite | 9 comments


The Oyster travel cards in London are Mifare cards (not actually Classic ones though), but the system was designed in a way to be resilient to attacks on the card.

When you tap the card on the reader, the transaction happens locally with the card and the reader. This means that there is no latency and the system can continue to operate even if the central server goes down.

Every minute or so the machines sync with a central server, and if at any point a machine saw a card with a balance or journey history that conflicted with the server copy, then that card gets blacklisted and no machine will accept it any more. This means if you clone a card you can use it to start your journey, but by the time you get to your destination you won't be able to get out.
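An added illustration (not from this thread) of the reconcile-and-blacklist design described above: readers complete taps offline and keep a log, and the server later spots a forked transaction counter when the same card state is reported twice. The reader and server classes, the fare and the card UID are all constructed for this example.

```python
from dataclasses import dataclass
@dataclass
class Card:
    uid: str
    balance: int
    seq: int  # transaction counter the reader writes back on every tap

class Reader:
    def __init__(self, reader_id, fare=3):
        self.reader_id, self.fare = reader_id, fare
        self.pending = []       # (uid, seq, balance) records not yet reported
        self.blacklist = set()  # pushed down from the server on each sync

    def tap(self, card):
        if card.uid in self.blacklist or card.balance < self.fare:
            return False
        card.balance -= self.fare
        card.seq += 1
        self.pending.append((card.uid, card.seq, card.balance))
        return True

class Server:
    def __init__(self):
        self.known = {}        # uid -> (seq, balance) last confirmed state
        self.blacklist = set()

    def sync(self, reader):
        # Reconcile a reader's log; a repeated or skipped counter means a fork.
        for uid, seq, balance in reader.pending:
            last_seq, last_balance = self.known.get(uid, (None, None))
            consistent = (last_seq is not None and seq == last_seq + 1
                          and balance == last_balance - reader.fare)
            if consistent and uid not in self.blacklist:
                self.known[uid] = (seq, balance)
            else:
                self.blacklist.add(uid)
        reader.pending.clear()
        reader.blacklist |= self.blacklist

def clone_scenario():
    server, entry, exit_gate = Server(), Reader("entry"), Reader("exit")
    genuine = Card("04A1B2", balance=20, seq=5)   # constructed sample card
    server.known[genuine.uid] = (genuine.seq, genuine.balance)  # issued state
    clone = Card(genuine.uid, genuine.balance, genuine.seq)  # byte-for-byte copy
    entered = entry.tap(genuine) and entry.tap(clone)  # both accepted offline
    server.sync(entry)      # second record repeats seq 6 -> conflict -> blacklist
    server.sync(exit_gate)  # exit gate learns the blacklist before the next tap
    return entered, exit_gate.tap(genuine), exit_gate.tap(clone)
```

Both the genuine card and its clone get in, but neither can get out once the entry gate's log has been reconciled.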


I'm under the impression all Vix-ERG designed systems do this as well. Examples are ClipperCard (SF Bay area) and OrcaCard (Seattle).

I had heard that the OrcaCard system had an issue early on where a number of cards were disabled as a result of a TVM not being synced back to the database. There certainly was a large number of completely dead cards for a couple of weeks in 2010.


It works similarly here in the Netherlands, although they only seem to do the polling during the night, so you can use it during the day. The next day you need a new card.


In the Netherlands, the public transport card "ov-chipkaart" used Mifare classic too [0]. Even worse, the "defensiepas", for access to military bases, uses it too [1], even as of today.

[0] http://en.wikipedia.org/wiki/OV-chipkaart
[1] http://www.computable.nl/artikel/ict_topics/security/2735292...


A pretty detailed presentation from Defcon. I believe these people were one of the first to tinker with Mifare in real-life scenarios (IIRC this was back in 2008). http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf


The problem with any type of hardware/usage like this is that it's susceptible to offline attacks, which widens the attack surface greatly. A better way to do this would be to encrypt any data that you need to store on the card. And an even better way would be to communicate with a server and have it validate the transaction.


Taiwan's EasyCard is also Mifare Classic (AFAIK), and has been cracked a few times. Here's some more info: http://www.fuzzysecurity.com/tutorials/rfid/4.html


I find the key is either using a purely online system that relies on the UID* or separately encrypting the content stored on the card.

* Perhaps even using the UID combined with some encrypted data on card, as the UID can be changed on questionable mifare cards.


...which is, if at all, this type of card should be used for storing a user identifier which is linked to the UID of the card, and both verified on a server.

Of course, this does not prevent cloning with Chinese knockoffs where the UID can be overwritten.



