53 comments

[ 2.8 ms ] story [ 84.1 ms ] thread
RFID isn't spoofable? I thought it was.
> The card operates on the 13.56 MHz range putting it into the Near Field Communication category (rather than RFID, as is commonly misconceived).

https://en.wikipedia.org/wiki/Clipper_card#Technology

The important distinction isn't really the frequency. It's that the card has an actual circuit that performs some crypto handshake with the reader. It's not just static information encoded that anyone can just read and duplicate.
Mifare cards are generally spofable is as long as you know the keys. Which you can extract out of the air with a computer and some equipment.
Does this mean BART doesn't check your tickets while riding?
BART doesn't have that type of ticket. You tag your Clipper card (or insert your BART ticket, if you're not a frequent rider) upon entering a station, and again when exiting at your destination.
But CalTrain does have employees occasionally walk through the cars scanning Clipper cards.
Yep and I've seen them catch people who just hopped on.
Correct, BART is not a proof of payment system. You must scan your clipper card or transit pass to enter the gated BART platform.
It's been a few years since I've used it, and that was only a couple of times between going between a couple of stations, but that's not how I remember it. Some stations had ticket scanners at the entrance to the platform but some didn't.

I remember the Palo Alto station very clearly because I got on once thinking I had grabbed my ticket from the vending machine when I had actually grabbed the previous person's receipt because I was in a hurry. I got on the train and once I realized I was worried about the fare inspectors coming on and catching me, so that station definitely does not require a ticket to get on the platform. Maybe that's just classism with respect to Palo Alto?

Edit: never mind, it was Caltrain not BART.

That's Caltrain, not BART.

Caltrain is POP.

(comment deleted)
I believe you are thinking of Caltrain, which is a proof-of-payment system. BART does not go to Palo Alto.
That makes sense, and explains some other memories I have about transferring trains. I did not realize they were separate systems.
You may be thinking of Caltrain, rather than BART.
Discounts = Theft. Way to give back to the community.
One final note before I dive in: this algorithm is essentially large scale ticket swapping, which is obviously illegal and unethical. I don’t believe that it would be ethical to use this in the real world... and since Clipper cards are not cloneable, this work can’t be used to facilitate this large-scale theft.
Couldn't you just do the equivalent of a remote attack like you might do on a car?

Could probably do this with a group of cooperating people if you really wanted to trade time for a little bit of money.

Unfortunately I don't know enough about the hardware or encryption used in the Clipper Card to say whether that sort of attack is feasible. It's interesting but ultimately I'm not looking to execute this sort of attack!
When you are some kid in their parents basement and figure out ways to scam money from public transit you are rebelling as a natural part of childhood.

When you are a well skilled and very well payed employee of a high profile tech company you are essentially having fun at the expense of the public servants who work(for a lot less money) to provide essential services to the public.

Maybe those reading this can take this as a lesson in tone and tact.

> you are essentially having fun at the expense of the public servants

The author never actually went out and fraudulently saved money by implementing his idea, so I fail to see how his actions are "at the expense of the public servants". To quote him,

> One final note before I dive in: this algorithm is essentially large scale ticket swapping, which is obviously illegal and unethical. I don’t believe that it would be ethical to use this in the real world. I value safe and smooth travel more than I value the 20-40% of my fare I could save by stealing from

> The author never actually went out and fraudulently saved money by implementing his idea

nope, it's just a big mental wank designed to show the world that the author is medium clever and knows how to write down an ILP problem, make pretty graphs, and something about NFC.

I'm not sure which I find less appealing, really.

I think he shouldn't have made the source available. Now it's really only the (apparent?) uncloneability of the Clipper cards that stops someone.
I am of the view that anyone who finds an exploit should (generally) do what they feel would have the best result. This would incentivize organisations to create payouts (prizes) for non-public exploits, and it would allow concerned citizens to force a change from generally unmovable bureaucracies.
This is just the latest justification among security people to not having acknowledge their own incompetency in things like risk management. Since when was "doing what you feel" considered a reasoned solution? Many times these things aren't even weaknesses as such, just loose tolerances in the system and exposing them under great fanfare just making the system less flexible. Which is pretty ironic if you think about it.
This is a silly objection. If you can clone clipper cards, you don't need special software to cheat the system. The software here is just an academic exercise in optimization algorithms.
The technical component of the post is really interesting and indeed it's a more general problem, but I had a similar reaction to the framing: spending time figuring out how to reduce revenue on public transportation isn't the right problem. That same time 'hacking' could have been spent thinking how to genuinely improve a public service.
It is a fun "what if" problem you might think about if you spend a lot of time on public transit and realize that the system is less than ideal. Of course, no systems are fraud proof, as doing so would usually require more resources than could be justified.

Thinking about the system at all is also a nice way of getting started with thinking about how to solve its real problems. Creative juice priming. This is why persecution of thought crimes isn't the right approach either.

Personally this is my least favorite artifact from hacker culture. Not necessarily thinking about these things, but the embellishing of it. There used to be a time where information was scares so it was hard to learn thing, today that isn't the case so one should pivot form reverse engineering the system to improving it fairly quickly. Instead people spend a lot of time formalizing how "smart" their hack was. The greater damage is of course that when a lot of people is ready to point out and celebrate inconsistencies it's hard to foster a culture of proposing improvements.
How many corporates have you seen not do something like this in some capacity but at a larger scale?

Something or the other was exploited (like natural resources, human resources) as money certainly didn't print itself.

Public transport is built at a great cost to income tax payer's money and subsequent subsidy to ensure the tax payers could afford it and prefer it. Usually, the only ones making money are the builders and manufacturers who were contracted to construct it, and other corporates and vested interests that are probably the 1%

As the author said, Clipper Cards aren't cloneable, so this is impractical because it would require physically swapping BART tickets. It's just a theoretical mental exercise, not some kind of anti-government rebellion. And given the number of people I see each day simply jumping over the fare gates (very common in stations where there's no station agent booth next to all of the gates, and not uncommon even in stations where the agent is right there) this hack is hardly the biggest threat to BART revenue.
Clever, but I hear it's pretty easy to just hop over the BART railings.
And if you look respectable you can get away with it. Life hack!
And when the BART starts breaking down and looking shitty, we'll know to blame you guys for not paying for it.
It's already pretty shitty. Have you tried traveling from downtown SF through the Mission stops? The tunnel is incredibly loud with screeching/scraping noises, and it's been that way a long time, apparently a product of how the rail is designed.
In the original manual formulation, I don't understand how the paths of these two travelers cross in Oakland. It looks like they'd only be able to take their quite short section. Unless they both stayed on their trains past the points where they where supposed to exit, but I don't see how you can do that if they scan your ticket when exiting the train.
The BART stations use turnstiles at entrances to the stations, and that's it. No ticket checking on the actual train.
> I don't see how you can do that if they scan your ticket when exiting the train.

On the BART system you scan your tickets while entering/exiting the station, not the train

This will probably attract downvotes, but I'd call it an algorithm for collective, mass fraud.

One might find it surprising, but I've seen people do this several years back. The only difference being that it was on a much smaller scale, with only a handful of friends involved.

Was trying to think of a real world problem that this could solve. Basically you want multiple entities to peform tasks for each other (tagging) at multiple destinations at a minimal cost.

One possibility is the taxi/uber/lyft hailing problem. Instead of stations, you have rider and car locations. Time and distance is the ticket cost.

Of course the discount would only apply only as long as BART doesn't realize people were doing it, at which point they would likely just increase all fares to a flat rate (like Muni) of "a little more than $7" :-P
Although I don't know if there is a time limit, it is possible to exit the same station as you enter for no fee with the standard BART card. e.g. in case you realize you've forgotten something in your car after you pass the turnstiles. Therefore it should be possible to save 100% of fares for people leaving/arriving at opposite stations, respectively.

System-wide savings would then be proportional to directionality on a station by station basis - optimizing by zeroing out trips by longest first.

Dunno if this works with the clipper cards though, so everyone might need a magnetic card writer and blanks...

If you enter/exit via the same station, BART charges $5.75 (Search for 'excursion' at https://www.bart.gov/guide/faq) unless you talk with a Station Agent.

I've never understood why they charge this fee when it would be possible to get a lower fare by going a station further, exiting, and entering again but I haven't had a problem if I talk with the Station Agent.

Presumably they charge the fee because it would be inconvenient and time-consuming for at least some to take a train a stop, exit, re-enter and take the train back for a few bucks.
Doesn't BART have onboard ticket inspectors? That would easily foil this.
Another Bart hack; If you fly in to SFO and don't mind walking a few blocks to the San Bruno Bart station you can save about $4.60 each way. For some reason the SFO stop costs a lot extra. The easiest way is to continue on the sky tram to the rental car place. When you get off its a quick half a mile walk over San Bruno ave to Huntington.
If you ask Google maps for walking directions from the rental car station to Bart, it says it's 1.9 miles and 39 minutes. Presumably there are significant shortcuts one can make?
Even if you took every shortcut, you're still looking at least 1.5 miles walk, and a good 40-60 minutes for that $4.60 savings.
Reminds me of a time in Hong Kong when I accompanied a friend buy or trade used games at the train station. We were outside of the paid area and the other guy was inside the paid area of the concourse. It seems to be common practice there.
Yep, happens all the time in HK. [1] The MTR (metro system) charges based on the station where you enter and the station where you exit. The ticket is valid for 150 minutes after you enter, which is plenty of time to take a train to a distant station and come back again. As long as you don't actually leave the distant station, the fare system has no idea where you went. :)

[1] http://www.urbanphoto.net/blog/2010/12/06/online-shopping-in...

(comment deleted)