In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is, and to accuse the subway engineers of incompetence, rather than what seem to be a conscious architectural decision.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by design. The alternative is to build a very complex and expensive centralized system with higher maintenance cost and points of failure. Both options work, but it is a tradeoff.
To me, the reason they didn’t want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technically impressive. Those responsibles for the system already knew of this “flaw”. They just don’t need the instructions how to make counterfeit cards out there.
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They’re system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn’t match up, they knew there was some tampering going on.
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is, and to accuse the subway engineers of incompetence, rather than what seem to be a conscious architectural decision.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by design. The alternative is to build a very complex and expensive centralized system with higher maintenance cost and points of failure. Both options work, but it is a tradeoff.
To me, the reason they didn’t want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technically impressive. Those responsibles for the system already knew of this “flaw”. They just don’t need the instructions how to make counterfeit cards out there.
The flaw is that the checksum is so bad.
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They’re system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn’t match up, they knew there was some tampering going on.