The flaw is that the checksum is so bad.
Comment on Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides
Elderos@lemmings.world 1 year ago
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by-design.
To me, the reason they didn’t want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technocally impressive. Those responsibles for the system already knew of this “flaw”. They just don’t need the instructions how to make counterfeit cards out there.
matter@lemmy.world 1 year ago
Hazdaz@lemmy.world 1 year ago
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They’re system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn’t match up, they knew there was some tampering going on.