Experts: New ticket app leaves MBTA vulnerable
The MBTA is on the forefront of new technologies, with plans to roll out digital ticketing on the Commuter Rail this fall, but security professionals say the transit agency shouldn’t be so sure the new system couldn’t be hacked.
“Everything has a flaw,” said Caitlin Johanson, technical specialist for Core Security Technologies.
This week the T announced plans to unveil an app for smartphone devices that will let riders buy passes using a debit or credit card.
Train conductors will then check tickets on riders’ phones to ensure their validity.
Developers from Masabi, the company launching the app, said color-changing, visually encrypted images and scanner codes will help deter fraudulent passes.
From a “reverse engineering perspective,” however, Johanson said that once this technology hits the public market, that’s when the “frenzy will begin.”
“As a security professional, you come to realize that there is literally a workaround for everything … you just need to give it time,” she said.
While the app is used widely in England, the T will be the first transit agency in the U.S. to use it, something Johanson said can be risky.
“Saying you can’t hack this coming into the U.S. is like putting a huge, red target sign on your forehead,” she said. “Boston is one of the top cities for hacker and security communities — it’s a rough area to introduce something like this.”
But MassDOT Secretary Rich Davey said the agency is relying on evolving security developments to stay “a step ahead.”
“Nothing in life is foolproof, but I expect we will have the most secure program possible,” he said.
According to Johanson, those in the “hacker community” pride themselves on breaking through services deemed “un-hackable.”
“You get your name on this, that’s world news. Notoriety is one of the biggest currencies the hacker community has,” she said. “It’s not always about hurting someone as much as it is saying ‘look what I did.’”
Past MBTA scams
Being the target of massive ticket scams isn’t something new to the T.
In 2008, three MIT students figured out a way to get free subway rides and unveiled a video called “The Anatomy of a Subway Hack.”
In 2012, four people were arrested for allegedly producing thousands of unauthorized T passes worth millions of dollars.