
The typical Android phone contains a chip that transmits a low-power radio signal that allows Android owners to pay for coffee, snacks, gasoline and other goods with their phone via the Google Pay service. After two years of research, the students found they could use that same chip to rewrite the data on a CharlieCard, adding up to $300 of credit to a card purchased for just 25 cents.
The student’s vending machine, a rectangular black box with a small video screen, also uses the chip to alter CharlieCards. But it can also forge different types of cards, such as the reduced-fare cards issued to students, or those given to employees of the Massachusetts Bay Transportation Authority. Employee cards can open the same gate over and over, so companions can also ride for free.
But instead of abusing their newfound power, the students reached out to MBTA cybersecurity officials in January, and told them about it. Scott Margolis, the MBTA’s chief information security officer, said that without the students’ help, their systems would have been defenseless against this newly discovered attack.
“We didn’t even know this could happen,” he said.
In 2008, when several students at the Massachusetts Institute of Technology figured out how to get free rides on Boston’s subways, the Massachusetts Bay Transit Authority won a court order barring the students from describing the hack at the Defcon computer security conference in Las Vegas. Since then, T officials have changed course, and now welcome input from so-called ethical hackers.
For instance last December, independent cybersecurity analyst Bobby Rauch demonstrated a way to copy the monetary value of one CharlieCard onto other cards, using an Android phone. In this way, a cardholder could add, say, $20 to a CharlieCard and fund another card over and over without ever paying another dime to ride the T.
The T worked closely with Rauch to find ways to defend against such attacks.
The agency has also treated the Medford high school students as allies, not enemies. “They were an impressive group of young people,” said William Kingkade, the MBTA’s senior director of automated fare collection. “My fraud team really enjoyed working with them.”
When Harris, Gibson, Bertocchi, and Campbell spoke at the Defcon conference earlier this month, it was with the MBTA’s blessings. “Luckily one of the parents had frequent flyer miles that paid for most of it,” said Scott’s father Jay Campbell, who accompanied the group to Las Vegas.
Jay Campbell said he is proud of the students’ achievements — and their integrity. “They really weren’t stealing any money. They weren’t doing anything illegal,” he said. “For them it was just a challenge. It was something fun to do.”
The MBTA says that exploiting the security flaw is so complicated that it doesn’t expect a flood of forged cards. Lucky for them, because a permanent fix for the problem will require replacing the present CharlieCard system.
Today’s cards store the user’s financial data on the card itself, so it can be rewritten by someone with a card reader and the security key for the card’s embedded chip. Hackers can find the key online.
With help from the students, the T came up with automated scripts that can recognize forged cards and remotely deactivate them every 24 hours. That means a forged card can be used for no more than one day. On the other hand, someone armed with a stack of forged cards could still rack up a lot of free rides.
The only complete solution is a system that stores all financial data in the cloud. A rider’s card would contain a unique identification code, just like a credit or debit card. The money available for rides would be stored remotely and couldn’t be altered by hacking the card itself.
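A hypothetical reconciliation check of the kind the article describes, added here as an illustration rather than the MBTA’s own scripts: it compares the balance a reader sees written on a stored-value card with what the backend’s own transaction ledger can account for, flags cards that claim more than was ever credited, and shows why an account-based design (card holds only an ID, balance held remotely) ignores the on-card value entirely. Card IDs, amounts and fares below are constructed sample data.

```python
# Constructed sample backend ledger: every top-up and fare the fare system
# itself recorded, keyed by card ID (hypothetical data, not MBTA records).
LEDGER = {
    "card-A": [("topup", 2000), ("fare", -240), ("fare", -240)],
    "card-B": [("topup", 500), ("fare", -240)],
    "card-C": [],  # a blank card that was never topped up at all
}

# Constructed sample of the balance (in cents) a reader now sees stored on
# each card's chip. card-C claims $300 the backend never credited.
OBSERVED = {"card-A": 1520, "card-B": 260, "card-C": 30000}


def ledger_balance(entries):
    """Balance the backend can vouch for: sum of recorded top-ups and fares."""
    return sum(cents for _, cents in entries)


def is_forged(card_id, observed_cents):
    """A stored-value card whose chip claims MORE than the backend ever
    credited has been rewritten. A lower-than-expected value is not flagged:
    an offline gate may simply not have synced a fare yet. A pending,
    unsynced top-up could cause a false positive, so a real sweep would run
    only after all readers have reported in."""
    return observed_cents > ledger_balance(LEDGER.get(card_id, []))


def cards_to_deactivate():
    """Daily sweep: IDs whose on-card balance cannot be reconciled, in the
    order a deactivation job would process them."""
    return sorted(cid for cid, cents in OBSERVED.items() if is_forged(cid, cents))


def account_based_balance(card_id):
    """The cloud/account-based design: the card carries only an identifier,
    so the gate charges against the ledger and never reads a balance from
    the chip. Rewriting the card changes nothing the system trusts."""
    return ledger_balance(LEDGER.get(card_id, []))
```

In the stored-value model a forged card rides until the next sweep catches it; in the account-based model the same rewritten chip has no effect, which is the point of the upgrade the article describes.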
The T is updating the CharlieCard system to store all data in the cloud. This upgrade is scheduled to be completed by March of 2025.
Meanwhile, a more advanced solution is in the works. You may have seen credit card readers attached to the fare gates at T stations. They’re part of a new $930 million system that was supposed to begin service next year, but has been plagued by delays and rising costs.
Kingkade couldn’t say when the new system will be activated. But it will let riders pay with smartphones or tap-and-pay credit cards. And it will make today’s insecure CharlieCards obsolete.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him @GlobeTechLab.