There’s an old saying out there that goes something like this: All is fare in love and subways. Or perhaps that’s love and war. But either way, this week has not been a good one for public transit and fare-payment technologies.
We’ll start in New York where the MTA has recently discovered a flaw in its vending machines that has allowed riders to acquire free tickets just by using a debit card. Oops.
William Neuman reports:
The Long Island Rail Road said that a check of its records from 2004 until this May, when the glitch was discovered, found that in addition to the scam, there had been 990 transactions totaling $74,000 that appeared to be related to the software error.
Metro-North said that it had not made such an extensive check but that in the first several months of this year it found that the error had allowed the sale of tickets worth $2,960 in which the buyer was not charged. The machines were installed in 2001, and a Metro-North spokeswoman said that there appeared to have been hundreds of the free transactions in the intervening years…
Technicians discovered that it was possible to buy tickets using one of the debit cards even if there was not enough money in the account to cover the cost of the transaction. Further investigation revealed that other debit cards from some smaller banks operated in the same way: if the account had insufficient funds, the vending machines dispensed tickets anyway, and did not charge the account.
So instead of alerting a customer to a potential overdraft and denying the charge, the MTA’s vending machines simply processed the transaction and dispensed a ticket for free. Needless to say, the glitch — seven years in the making — has supposedly been corrected, but this is an embarrassing admission on the part of an agency long criticized for its inability to adopt and respond to problems with new technologies.
Meanwhile, in Boston, a group of MIT students has hacked the MBTA’s own fare payment system. Basically, three students figured out how to reverse-engineer the magnetic strip on the CharlieTickets and how to crack the RFID technology used in the CharlieCard. Transit systems across the nation and globe rely on these technologies, and I’m sure no one is too thrilled to hear about these two developments.
For those of us who ride the subways every day and don’t want to see our technologies hacked, these news is not surprisingly but discouraging. Those who run subway systems are forever looking for ways to improve fare systems, and the obvious answer is technology. MetroCards allow for discounted fare options, and more flexible payment systems. RFID-based cards such as the CharlieCard or London’s Oyster Card allow for speedier fare processing. A touch-and-go system is a lot more efficient than our swipe, “Try Again at this Turnstile” and finally go technique.
But as with any technology, the people who can get at the root of the code and turn it around are always one step ahead. The hackers will always be able to exploit security holes and systematic loopholes. Once the MTA addresses its problems and the MBTA deals with their security holes, something else down the line will pop up. That’s just the nature of technology.
While it’s easy to say that we should go back to an era of tokens, even those relics of another age aren’t hack-proof. Just ask Alan Campbell and Kim Gibbs. I wonder how their token slug ring is doing today.
1 comment
Predator and prey. Make better security and the hackers will find better ways of getting around it.
Still, cracking the code on farecards takes brainpower, computer power, and effort. Slugging tokens was as simple as finding an object of similar size and weight… much easier, and any idiot could do it. It didn’t take a hacker.
So this technology is still a vast improvement.