Wednesday, November 13, 2013

Clever hacker gets 50 years free travel on insecure MetroCard

The system used by Environment Canterbury to make MetroCards has been cracked wide open by a geek hacker to expose its weakness.

He was able to load $167,769 on his card and then run it into the red for $3 million!!

According to the article in online mag SCI - Secure Business Intelligence

To demonstrate the flaws, software developer and security hobbyist William Turner had taken advantage of security weaknesses and hacked a transport card to boost its monetary value to a staggering $167,769.85, and by the same means ran it into the red to the tune of nearly three million dollars.

"If we have physical access to a card we can reprogram it with a balance (because) they are using old standards, default keys and there's no encryption stored on the data on the cards," Turner told delegates at Kiwicon in Wellington.

[my emphasis]

No doubt there is cause for genuine concern and improving the security of MetroCards. 

However the hacker did not seem to understand much of the intrinsic strength of MetroCards - possibly the best structured and best value customer loyalty reward card in the public transport world.

For a start you have to have a physical card - steal one (or a break in some where and steal a stack). This immediately allows the owner to report it missing, or the agency to declare the codes number of stolen cards null-and-void. If presented it will be blocked. With CTV cameras on most buses it would not take long to identify the offender/s before he or she had gained more than a few dollars advantage.

If he can hack into the system changes the coding, still the most he could steal is $9.10 per day!  That's the most one can spend in a day or ever needs too. That amount is two separate - longer distance - 3 zone fares (he would have to travel to Rolleston, Rangiora or Diamond Harbour, twice a day, to fully enjoy his ill gotten gains!)

This amount is the maximum per day, for five days in any calendar week after which all travel is free to 5am Monday morning and the start of a new calendar week. This applies to whatever zoning applies. If a card is used twice, more than two hours apart in any one day all subsequent travel for that day is free.

Losing a card even if it has $20 dollars on it, even if it is stolen, can be quickly remedied merely by cancelling it before more than a dollar or two is used, and the remaining balance is transferred to a new card.

If a hacker tried to sell or give away this secret access to loading cards to anything more than five people, human nature being what it is word would soon get out, and then to the Serious Fraud Office and the pathway would belatedly be blocked, I'm sure.

Perhaps too the hacker - out to expose a faulty system  rather than steal - got mixed up with the Snapper card in Wellington, with which a large variety of other items can be purchased at a range of businesses.

I think it is absolutely wonderful (another strength!) that Environment Canterbury have never opted to broaden the range of things that can be purchased with a MetroCard - it is for public transport use only.

As an "on and off" full time bus user in many years, including the last thirteen, like most other regular users, I have had occasional incidents where I  left my cardboard "10 trip concession card"  or the $60 monthly pass at home. This is much more rare now that I can carry my MetroCard, separate from other bank cards or wallet, in one of the tough plastic envelope casings, that Metro itself sells for $2. It has a comfortable presence in my right pocket, it is instantly possible to check I have it on me just by patting my pocket.

Even worse in the past,  there were occasions where I didn't have any cash on me either; or I spent the fare or some part of it, in a moment of forgetfulness. For example I needed  to hold back $3.50 bus fare to get home but accidentally used $1 of that amount when making some other small purchase, only realising later - too late - oh noooo!!  Oh you stupid bugger! Not being a kid I can't plead for discount or a free ride on a bus - here comes the long walk!

An inbuilt security factor of the Christchurch MetroCard - eroding vitally needed transport fares by buying coffees, newspapers, ice creams, or whatever, is impossible with a "public transport only" card. 

It feels to me a much more reassuringly safe system than the Snapper system. There are plenty of other cards (or cash) to buy other things. With Metrocard  however much money is spent, wasted or blown, the bottom line is; the ride home is secure.

And even if there is only 10 cents value on the card it will allow you to ride - deducting the outstanding balance of what is owed next time the card is reloaded.

I am sure ECan value the knowledge and advice that their system seriously needs an upgraded security (and appear to have been fixing this over the last day or two) but the greatest security was really just good old fashion design - the card and the way it operates is so well structured it makes theft in any form largely pointless.

The $167,000 would have bought 50 plus years of bus travel around Christchurch! To obtain this involves constantly reused system - daily to get value - making exposure and prosecution only a matter of time, not to mention suffering a certain feeling of jaded ennui from too many trips to Rolleston, Rangiora and Diamond Harbour!


  1. Hi! I can suggest a really good anti-piracy and copyrighting protection company Onsist® that offers very good services.

  2. Home Larm is an affordable home security solution that will meet the needs of almost any homeowner. Out of all of the positives, there are a few issues that kept Protect America in second place. They do not make cellular monitoring a mandatory and in our opinion, cellular monitoring is the most secure communication available between your security system and monitoring station and therefore should be the highest priority.

  3. People with high incomes are always worried about tax raids in every country so they desire to have an opportunity to keep their money at some secret place where it cannot be accessed by Income Tax department. One of the best options to save your additional profits is to access offshore bank accounts where one can save as much as profits with very few formalities of account opening and management.

  4. Hello there!
    If you want to find the best copyright protection company i think this is the right place for you: . These guys are based in 2010 in Netherlands and help companies protect their copyrighted content material in opposition to illegal copying, selling and distributin