Android is making it easy for transit riders to steal free rides. With Android’s NFC enabled smartphone and their “UltraReset” application, transit riders in several U.S. cities can simply wipe their balance and add a new balance of their choosing. Cities like San Francisco and New Jersey have already been told that their transit smart cards are vulnerable, but other city transit cards still need to be tested.
Security researchers from the Intrepidus Group revealed the discovery this week at the EUSecWest security conference in Amsterdam. According to ITWorld, the application takes advantage of a flaw found in NFC-based cards. These cards are used by both San Francisco Muni and New Jersey Path, and both transit systems have been informed of the flaw. San Francisco’s cards were tested, and the city was originally informed in December, 2011. Currently, these cities are both still vulnerable.
However, it’s not just San Francisco and New Jersey that could be potentially affected. Boston, Seattle, Salt Lake City, Chicago and Philadelphia are also using contactless card systems. If their cards are also using the Mifare Ultralight chip that is used for contactless NFC chips, then the cards would also be easy to hack into. According to researchers, almost anyone would be able to put new data onto the card.
Unfortunately, San Francisco and New Jersey were the only cities that were able to be tested. However, other cities may now use UltraCard Tester, which is an adjusted version of the UltraReset application. With this, transit authority security can be tested, but some vulnerability may still linger. In order to fully fix the problem, researchers are suggesting that transit authorities invest in a more secure chip.
If your transit authority is looking for a secure solution, give Capture Technologies a call. We offer chip-based card solutions for a number of different industries. From smart cards to security cameras, we are dedicated to making your business a safer place.