Oyster cards have a chip which does apparently store a small amount of data including your balance or ticket. It has to work like that, because you couldn't instantly look up the balance associated with a given card in a central database at every transaction - especially on a bus with no data link available - so what happens is that they periodically check that your balance matches up with the transactions on record.

Presumably if your balance suddenly shoots up 20 quid with no associated payment transaction, they will realise and ban your card.

If the readers were badly programmed enough, you could fill an Oyster chip with nonsense data and crash the reader. In theory you could try to trick the readers into running code you had put on the Oyster chip (which is what this cartoon (http://xkcd.com/327/) is on about). I doubt there would be enough space on the 1Kbyte Oyster chip to store anywhere near enough code to reprogram the terminal and make it "evil", though.

However, since other companies are making Oyster cards (e.g. that Pulse credit card), they might conceivably use a bigger chip (because it served a dual purpose) and give you more room to store evil code. Even then you couldn't really make a virus because there wouldn't be enough room to store the evil code on normal Oyster cards. You could conceivably have the reader put a reader-crashing nonsense value onto normal Oyster cards, or blank their balance.

The people designing the system would have to be naive to let any of this happen.