Thursday, April 30, 2009

Metro Card Bending




From the decision of Judge Victoria A. Graffeo in the case of an MTA metro card bender. Thanks to the judge's decision, hackers everywhere can learn more about the MTA Metrocard design.
"The Metropolitan Transit Authority (MTA) is responsible for operating the mass transit system in the New York City area. In years past, a person gained access to the subways by purchasing a token and depositing it into a turnstile. This mechanical means of entry was eventually replaced with a computerized system that uses a "MetroCard" -- a plastic swipe card that is "read" by a scanner, embedded within a turnstile, that deducts the cost of the fare from the MetroCard.

There are two types of MetroCards: value-based MetroCards (referred to as "pay-per-ride" cards) and time-based MetroCards (referred to as "unlimited" cards). A purchaser of a time-based card is provided unlimited transportation access for a specified period of time (one day, one week or one month depending on the purchase price). The purchaser of a value card electronically stores a certain amount of money on the MetroCard that will be debited each time the user enters the MTA system. Only value cards are at issue in this appeal.

A MetroCard has two distinct magnetic fields that contain information, referred to as the primary and secondary fields. The MTA opted to use two fields so that the information encoded onto the card has "backup" storage in the event that a magnetic field is damaged. Based on the testimony of an MTA expert in this case, when a value-based MetroCard is swiped through the electronic eye of a turnstile, a computer reads both magnetic fields. If the MetroCard has monetary value remaining, the turnstile grants access and deducts the cost of the ride from the value of the card, amending the information stored on the magnetic strip to reflect the reduction in value. Thus, the expert explained, if a MetroCard is bought for $4 in value, that amount is initially encoded onto both the primary and secondary fields. When the card is first used for a $2 fare, the computer will deduct $2 from one of the fields, leaving the other field at $4. The next time the MetroCard is swiped for entry, the computer does not change the $2 field but instead reduces the $4 field to zero. Once one of the fields reads zero, the turnstile is not supposed to open. By utilizing this design methodology, which electronically leaves $2 of value on one of the magnetic fields even though the purchased value has been depleted to zero, the MTA intended to give riders "the benefit of the doubt" in the event that the magnetic strip was damaged. Thus, if the computer eye in the turnstile cannot determine the true remaining purchase value but can read the $2 backup field, one ride can be obtained.

Individuals seeking free rides on the subway soon learned how to take advantage of the system's design. By creating a small bend or crease on the section of the magnetic strip where the zero-value field is contained, a person can obliterate that information so that, when swiped, the computer is unable to detect that the MetroCard is worthless, meaning no purchase value remains. When there is a strategically-placed crease or bend on the card, the turnstile computer will read the other field containing the $2 "backup" information, which gives the user of the card a free entry to the subway. Hence, a person can bend a valueless MetroCard and swipe it once, then use or sell the free ride at a discounted price by swiping it a second time (this is referred to as "selling swipes"). The ease of this type of alteration and its popularity among individuals who are willing to defraud the MTA contributed to considerable losses of revenue for the MTA -- it was estimated that as of 2005, fraudulent MetroCard use was costing the MTA approximately $16 million per year, the equivalent of about 8 million ride fares."

No comments: