Contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam.
An NFC (near field communication) smartphone can read the fare card balance, and once the card has been depleted, users can write the initial balance back to the card over and over again. The app, Ultra Reset, accomplishes this by taking advantage of a flaw found in particular NFC-based cards that are used in San Francisco and New Jersey.
Other U.S. cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, also use contactless ticketing systems, and those systems could also be vulnerable to the same technique, they said. Those systems, however, were not tested by the researchers, who said they had not been able to travel everywhere.
The vulnerability could be fixed relatively easily, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
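The back-end fix described above, modelled as an added example that is not the researchers' code or any transit operator's. It assumes the card carries a field of write-once bits that can be set but never cleared; `ModelCard`, `RIDES_PER_CARD` and the gate functions are hypothetical names, and the card layout is constructed.

```python
"""Constructed model, not a real card layout: a rewritable balance field plus
a write-once bit field whose bits can be set but never cleared (assumption)."""

RIDES_PER_CARD = 10  # assumed ticket size


class ModelCard:
    def __init__(self):
        self.balance = RIDES_PER_CARD  # rewritable by anyone who can write the card
        self.used_bits = 0             # write-once: bits only ever go 0 -> 1

    def write_balance(self, value):
        self.balance = value

    def set_used_bits(self, mask):
        self.used_bits |= mask         # OR models write-once memory


def rides_used(card):
    return bin(card.used_bits).count("1")


def tampered(card):
    """Detection: the rewritable balance disagrees with the write-once record."""
    return card.balance != RIDES_PER_CARD - rides_used(card)


def naive_gate(card):
    """Trusts only the rewritable balance field."""
    if card.balance <= 0:
        return False
    card.write_balance(card.balance - 1)
    return True


def hardened_gate(card):
    """Turns on one write-once bit per ride and decides from those bits alone."""
    used = rides_used(card)
    if used >= RIDES_PER_CARD:
        return False
    card.set_used_bits(1 << used)
    card.write_balance(RIDES_PER_CARD - used - 1)  # informational copy only
    return True


def rides_granted(gate, attempts=25):
    """Admissions counted when the initial balance is written back before each tap."""
    card = ModelCard()
    return sum(1 for _ in range(attempts)
               if (card.write_balance(RIDES_PER_CARD), gate(card))[1])
```

The `tampered` check gives the back end a signal to log or block a card whose balance field no longer matches the rides already recorded in the write-once bits.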