Monday, February 13, 2012

Fraud: Security Flaw Allows Major Transportation Tickets to be Recharged Indefinitely

Considered infallible for 7 years and a source of revenue of almost U.S. $200M per month, Sao Paulo's unified transportation ticket has a security flaw that allows defrauding it in just five seconds. The breach was discovered by a researcher, who sent all the details to SPTrans, the company that manages the city's buses.
SPTrans has now investigated the problem for over a week and has not disclosed what steps will be taken - however, it has announced that it will exchange all 25 million tickets this year. Sao Paulo's unified ticket is the second largest electronic ticketing system in the world, second only to the Octopus card in Hong Kong.

The flaw was discovered by a young computer researcher named Gabriel Lima, a partner in the security company Pontosec, which specializes in detecting threats and flaws in websites and virtual networks.

After three weeks analyzing the ticket's internal data storage system, he found a way around the card's recharge process. All he needed was a computer program he developed himself and a card reader imported from China that costs about $70.

The loophole allows a user to save a virtual copy of a ticket's credits and reuse them indefinitely. In practical terms: a person with $15 on a ticket can save that credit to a computer and, after using the card normally, recharge it at home with the value recorded earlier. The process can then be repeated endlessly, without ever spending a dime to ride the buses and subways of Sao Paulo.

(O Estado de Sao Paulo, in Portuguese)
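
An added example, not part of the original article or of any SPTrans system: one way a back office could spot a restored card image, assuming validators report each tap's on-card balance and fare and that authorized recharges are recorded centrally. All records, field names and the `find_rollbacks` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real SPTrans records). Amounts are in cents.
# Validator taps: (card_id, seq, balance_before, fare); seq is the per-card
# order in which the back office received the taps (assumed to be available).
TAPS = [
    ("card-A", 1, 1500, 300),
    ("card-A", 2, 1200, 300),
    ("card-A", 3, 1500, 300),  # balance is back at 1500 with no recharge on record
    ("card-B", 1, 600, 300),
    ("card-B", 2, 2300, 300),  # legitimate: a 2000 recharge is recorded below
    ("card-B", 3, 2000, 300),
]
# Recharges sold through authorized channels: (card_id, after_seq, amount)
RECHARGES = [("card-B", 1, 2000)]


def find_rollbacks(taps, recharges):
    """Flag taps where the card shows more credit than the ledger can explain."""
    credited = defaultdict(int)
    for card, after_seq, amount in recharges:
        credited[(card, after_seq)] += amount

    expected = {}  # card_id -> balance the ledger expects at the next tap
    last_seq = {}  # card_id -> seq of the previous tap
    alerts = []
    for card, seq, balance_before, fare in sorted(taps, key=lambda t: (t[0], t[1])):
        if card in expected:
            want = expected[card] + credited[(card, last_seq[card])]
            if balance_before > want:
                # Credit appeared on the card that no authorized recharge covers:
                # consistent with an earlier card image having been written back.
                alerts.append({"card": card, "seq": seq, "expected": want,
                               "seen": balance_before,
                               "surplus": balance_before - want})
        # Re-baseline on what the card reported so one restore yields one alert.
        expected[card] = balance_before - fare
        last_seq[card] = seq
    return alerts


if __name__ == "__main__":
    for alert in find_rollbacks(TAPS, RECHARGES):
        print(alert)
```
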
