Forged Subway Passes in Boston

For years, an employee of Cubic Corp -- the company that makes the automatic fare card systems for most of the subway systems around the world -- forged and then sold monthly passes for the Boston MBTA system.

The scheme was discovered by accident:

Coakley said the alleged scheme was only discovered after a commuter rail operator asked a rider where he had bought his pass. When the rider said he'd purchased the pass on Craigslist, the operator became suspicious and confiscated the ticket.

An investigation by the MBTA Transit Police found that despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said.

Although you'd think the MBTA would poke around the net occasionally, looking for discount tickets being sold on places like Craigslist.

Cubic Transportation Systems said in a written statement that it is cooperating with authorities. "Our company has numerous safeguards designed to prevent fraudulent production or distribution of Charlie Tickets," the statement said, referring to the monthly MBTA passes.

It always amuses me when companies pretend the obvious isn't true in their press releases. "Someone completely broke our system." "Say that we have a lot of security." "But it didn't work." "Say it anyway; the press will just blindly report it."

To be fair, we don't -- and probably will never -- know how this proprietary system was broken. In this case, an insider did it. But did that insider just have access to the system specifications, or was access to blank ticket stock or specialized equipment necessary as well?

EDITED TO ADD (5/22): More details:

On March 11, a conductor on the commuter rail’s Providence/Stoughton Line did a double-take when a customer flashed a discolored monthly pass, its arrow an unusually light shade of orange. The fading, caused by inadvertent laundering, would have happened even if the pass were legitimate, but the customer, perhaps out of nervousness, volunteered that he had purchased it at a discount on Craigslist, Coakley said.

That raised the conductor’s suspicion. He collected the pass and turned it over to the Transit Police, who found no record of its serial number and began investigating. Working with State Police from Coakley’s office, they traced it to equipment at the Beverly branch of Cubic Transportation Systems Inc. and then specifically to an employee: Townes, a 27-year-old Revere resident.

Auditing could have discovered the fraud much earlier:

A records check would have indicated that the serial numbers were not tied to accounts for paying customers. But the financially strapped MBTA, which handles thousands of passes and moves millions of riders a month, did not have practices in place to sniff out the small percentage of unauthorized passes in circulation, Davey said.
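The records check described above, as an added example (not part of the original post, and not MBTA or Cubic code): it joins gate tap logs against issuance records and flags serials that are in use but have no issuance record, were never activated, or are tied to no paying account. The table layout, serial numbers, account IDs and gate names are constructed for illustration, and the example assumes gates log the serials they read.

```python
import sqlite3

# Constructed sample data. Table layout, serial numbers, account IDs and gate
# names are hypothetical; they are not the MBTA's or Cubic's real schema.
ISSUED = [  # (serial, activated_at, account_id)
    ("CT-1001", "2011-02-25", "ACCT-17"),  # normal paid pass
    ("CT-1002", "2011-02-25", "ACCT-18"),  # normal paid pass
    ("CT-1003", None, None),               # printed, never activated
    ("CT-1004", None, None),               # printed, never activated, never used
    ("CT-1005", "2011-02-25", None),       # activated, but no paying account
]
TAPS = [  # (serial, gate_id, tapped_at)
    ("CT-1001", "GATE-A", "2011-03-01T08:02"),
    ("CT-1001", "GATE-B", "2011-03-01T17:40"),
    ("CT-1002", "GATE-A", "2011-03-01T08:05"),
    ("CT-1003", "GATE-A", "2011-03-01T08:10"),
    ("CT-1003", "GATE-C", "2011-03-02T08:11"),
    ("CT-1003", "GATE-A", "2011-03-03T08:09"),
    ("CT-1005", "GATE-B", "2011-03-02T09:00"),
    ("CT-9999", "GATE-C", "2011-03-04T07:55"),  # serial unknown to issuance
]

# Every serial seen at a gate that cannot be tied to an activated, paid pass.
# The LEFT JOIN keeps taps whose serial has no issuance row at all.
AUDIT_SQL = """
SELECT t.serial,
       CASE WHEN i.serial IS NULL       THEN 'no_issuance_record'
            WHEN i.activated_at IS NULL THEN 'never_activated'
            ELSE 'no_paying_account' END AS finding,
       COUNT(*)                  AS tap_count,
       COUNT(DISTINCT t.gate_id) AS gate_count,
       MIN(t.tapped_at)          AS first_seen,
       MAX(t.tapped_at)          AS last_seen
FROM taps t
LEFT JOIN issued i ON i.serial = t.serial
WHERE i.serial IS NULL OR i.activated_at IS NULL OR i.account_id IS NULL
GROUP BY t.serial, i.serial, i.activated_at, i.account_id
ORDER BY tap_count DESC, t.serial
"""


def build_db(issued, taps):
    """Load the sample issuance and tap records into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issued (serial TEXT PRIMARY KEY, activated_at TEXT, account_id TEXT)"
    )
    conn.execute("CREATE TABLE taps (serial TEXT, gate_id TEXT, tapped_at TEXT)")
    conn.executemany("INSERT INTO issued VALUES (?, ?, ?)", issued)
    conn.executemany("INSERT INTO taps VALUES (?, ?, ?)", taps)
    return conn


def audit_passes(conn):
    """Return one finding per suspicious serial, busiest first."""
    conn.row_factory = sqlite3.Row
    return [dict(row) for row in conn.execute(AUDIT_SQL)]


if __name__ == "__main__":
    for finding in audit_passes(build_db(ISSUED, TAPS)):
        print(finding)
```

Passes that are only shown to a conductor never appear in tap logs, so a report like this covers gated entries only.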

Posted on May 20, 2011 at 7:44 AM • 47 Comments

Comments

Perplexed • May 20, 2011 7:59 AM

Your man had to have access to the stock and I'll bet that he had "inside" people helping him or "outside" forces bending his arm. The real question is: Why didn't he quit while he was ahead? Then no one would have been any wiser.

The next question would be: How many schemes like these are stopped by the perps before they are exposed?

BF Skinner • May 20, 2011 8:18 AM

So an example of an individual, locally informed, being able to identify 'something hinky'. I'd be interested in how the question "where'd you buy this pass" even came up.

400 passes at 175$ each? Did I do the math wrong? It seems pricy. My summing makes it about 3.5mil total.

Since people who bought the cards must have realized they were never reloading them with cash (shouldn't have been able to try if the card wasn't activated) aren't they all also culpable? (and if I never had to reload a fare card? It would make 175$ a bargain)

And the contractor is screwed by their untrustworthy employee.

"Why didn't he quit when he was ahead? "
I'd say define ahead (for me it used to be 13Mil but I've changed that to performance based metric. It has to be enough that I can skip and stay disappeared from the kind of people that would be REALLY pissed off if you took millions from them).

This guy had pulled the scam for years. Likely he was confident that barring any change to his company's procedures (like a background check including financials every 3 to 5 years) he could continue indefinitely. Why walk away from a golden calf giving millions in milk? Wall Street couldn't walk away from their derivatives.

What I'm constantly surprised at is the number of people being busted for embezzlement in the couple thousand dollar range.

BF Skinner • May 20, 2011 8:21 AM

addendum...isn't that fare card MY property? Who says a junior employee of the transit company can just confiscate it?

Clive Robinson • May 20, 2011 8:22 AM

I will take a guess that the reason it was possible is that it was designed as an "off line" system.

That is when the pass is presented to the transit gate it does not check back with the central DB of valid passes.

If however it is an "on line" system then either the facts as reported are incorrect or the system design is so poor I'd expect better out of high school kids.

a • May 20, 2011 8:24 AM

@BF

Don't know about Boston, but my local transit network marks their RFID-type cards as being property of the transit network that you're just holding on to for convenience sake.

Ian • May 20, 2011 8:42 AM

I don't know any specifics of how charlie cards work (I don't think these were actually charlie tickets, which are temporary, paper cards which AFAIK aren't able to be associated with monthly passes), but one peculiarity of the cards is that they can not be updated on buses.

If you sign up for a renewing monthly pass, it is only updated for the next month at a subway or other 'grounded' location. In theory, if you took a week off at the end of the month and then your first time using it next month was on a bus, it would say it had expired.

Clive Robinson • May 20, 2011 8:43 AM

@ BF Skinner,

"400 passes at 175$ each? Did I do the math wrong? It seems pricy. My summing makes it about 3.5mil total."

Let me see ;)

400 x 175$ = 70,000$...

What have you left out? (3,500,000 / 400 = 8750)

atk • May 20, 2011 8:45 AM

@BF Skinner: There was a black hat (it may have been defcon) talk cancelled a couple years ago, about the MBTA using Mifare. I don't know if that's still the system in place, though.

Zach Mayer • May 20, 2011 8:49 AM

@BF Skinner: You don't reload monthly passes with cash, you just purchase a new one each month. They open all subway turnstiles and allow you to travel on certain commuter rail lines.

There's probably an existing "black market" for used passes on craigslist, i.e. someone only needs the pass for half a month and re-sells it at a discount. This is probably also illegal, as the passes are supposed to be non-transferable.

Whoever was buying these passes probably thought they were real passes being re-sold.

Alan • May 20, 2011 8:53 AM

@Bruce "It always amuses me when companies pretend the obvious isn't true in their press releases."

It should be an easy sell in Massachusetts. According to the MA Office of Labor and Work Force Development, their big data breach earlier this week happened because the virus that infected their network was a new strain and then it mutated! It appears that there was no network segmentation so employees and even Joe Public could browse all over the web on the same network as computers used to collect SSN, financial account information, etc.

http://www.wbur.org/2011/05/17/...

Paeniteo • May 20, 2011 8:57 AM

@BF Skinner:
> isn't that fare card MY property?

Normally, it isn't. You'd be surprised about how many things in your wallet actually aren't your property.

> Who says a junior employee of the
> transit company can just confiscate it?

This is an interesting question, since the specific card wasn't the transit company's property, either ;-)
Anyway, let's assume that a company employee confiscates a "regular" ticket. This would not automatically invalidate contracts you have with the transit company. OTOH, such things practically won't go to a court and hence, no nitpicky clarification of the legal details occurs.

IANAL,NDIPOOTV

BF Skinner • May 20, 2011 9:08 AM

DC Metro's Smartcard is not marked 'non-transferable' or 'property of'. It does say it has to be presented "on demand of an authorized transit employee or police." Interesting.

Because it carries my balance of money for paying fees at the bus, train and parking garage gates. I'd say this card is mine. Wait. Is my currency - mine?

BF Skinner • May 20, 2011 9:13 AM

@ Zach Mayer
Really? 'cause the way they talk about a Charlie Card is that it's reloadable with stored value.

What's the monthly fee for a pass?

According to the MBTA site some of the zones are pretty high and would make 147$ a good deal. But most aren't. Would you buy a monthly pass that you figured was only good for a couple of weeks for that much?

Nick • May 20, 2011 9:24 AM

In a hurry to post this? Lots of typos:

"automatic fair card"
"forged forged"
"black ticket stock"

Craig • May 20, 2011 9:28 AM

There's always been loads of ways to break the MBTA's security. It's a total joke. But the payoff for doing so is pretty crappy, so nobody really does it: anyone who can afford a card writer can afford an MBTA pass.

This guy apparently decided to get his profit by selling bulk, which is never a really great idea if each card you falsify increases your chance of getting caught.

No One • May 20, 2011 9:30 AM

@BF: Boston resident here -- Charlie cards, Charlie tickets, weekly passes and monthly passes are all different things (I'm not sure what they brand the weekly and monthly passes), though they are commonly all just referred to as Charlie cards.

The Charlie cards are the refillable (in $5 increments) plastic cards that use RFID to talk to the machines and the turnstiles. Most people who only use the subway occasionally (like me) will have one of these.

The tickets and weekly/monthly passes are paper with a magstripe and are not refillable. When you purchase a ticket you pay for a specific trip or number of trips -- it works like the card but the trips cost more money per trip but you can put a specific amount of money on it. When you purchase a weekly pass you get a seven day Sunday at opening to Saturday night closing (IIRC) ticket. Monthly is similar, working from the first of the month through closing time after the last of the month. (Trains stop running ~1 AM and start up ~5 AM.)

So the paper passes are bought each month.

The monthly fee, last I checked was ~$90 if you're staying in the most restrictive zone, which is basically two trips a day, such as a commuter. If you're using the commuter rails, which can cost $10 one-way I can see how they can get pricey.

Nick • May 20, 2011 9:37 AM

Although I know nothing about how the system works, I'm going to say this anyway.

I assume that these were the monthly passes (not stored value cards), and that they were accepted as appearing valid when presented at turnstiles because some sort of cryptographic (??) checksum (??) matched. That's instead of comparing them in real time against some sort of on-line database.

You would think that periodically the MBTA Police (or someone similar) would compare the records of passes presented at a particular turnstile to the valid, approved passes in the MBTA database. Any unknown passes should have been identified in a big hurry.

It wouldn't seem like a big deal to equip a single station's turnstiles with real-time lookups (at least temporarily), and have the MBTA Police standing there to question users who presented cards not listed in the database.

But I suppose hindsight is 20/20...

Craig • May 20, 2011 9:42 AM

Re: No One. They're not quite that expensive.

Re: Nick. These were apparently cash cards sold at a discount. So they stored a cash value, not a valid monthly pass.

Boston • May 20, 2011 9:54 AM

@ No One,

Not quite. There are indeed two forms of transport title: paper "Charlie Tickets" with mag stripes and plastic "Charlie Card" prox cards. Both can contain either money (with a discount for using the card) or a pass. The vast majority of monthly passes are in card format and, while you need to pay up every month, you keep the same card. I pay through my employer who presumably just tells the T to extend my pass at the end of every month. It's great since I can't forget to pick up next month's pass like I used to.

Unfortunately, the commuter rail stations don't accept the plastic cards, so people whose monthly pass includes the commuter rail must carry the pass on a paper ticket, which they physically exchange each month for a new one. It is these tickets which were forged in this case. I suspect he had access to the ticket stock and probably the coding machine and associated algorithms.

If you could forge the prox cards (say clone the employee cards or something), it would be even better. Empty ones are freely available in most stations, and people hold on to them for years. How much would you pay for a never-expiring transit pass?

In any case, I suspect that it's going to be quite difficult to *prove* that his clients were in on the fraud. They probably suspected something, but people sell their monthly passes all the time for legit or semi-legit reasons (e.g. going on vacation this month or selling an employer subsidized pass, respectively).

No One • May 20, 2011 10:01 AM

I stand corrected. I wonder why any of my friends bother with the paper pass now -- none of them use the commuter rails.

Captain Obvious • May 20, 2011 10:26 AM

I wouldn't necessarily expect them to check craigslist regularly, but they could at least run an occasional report to see how many cards are unactivated, but in-use.

Dave • May 20, 2011 10:39 AM

What he was selling was a commuter rail monthly pass, which are cards with a magstripe on them. If you preorder them, you get a plastic one. If you buy them from a machine, you get a paper one. It's good for unlimited rides on the subway, bus, commuter ferry and commuter rail, out to whatever zone is printed on the card.

These cost anywhere from $59-$265/mo, and are not renewable. You just get a new one each month.

See http://www.boston.com/news/local/massachusetts/... for more details.

Chris S • May 20, 2011 10:40 AM

"You would think that periodically the MBTA Police (or someone similar) would compare the records of passes presented at a particular turnstile to the valid, approved passes in the MBTA database. Any unknown passes should have been identified in a big hurry."

What makes you think the turnstile keeps a record of all passes presented?

The way these monthly cards and turnstiles work sounds very much like monthly/weekly passes in Toronto. The turnstile only needs to have power and know what week and month it is, and that is sufficient information -- along with some form of algorithmic check -- to approve or deny passage to any particular card. But logging every card would get expensive, particularly at some of the busy downtown stations. I would not find it surprising if some stations see 10,000 cards per day.

This would be expensive on a system-wide scale, but I could see using a few specially equipped terminals to log this.

However -- since the MBTA cards are not transferrable, logging that information might have privacy implications.

Second -- what makes you think they have a database of valid, approved passes? They could know what was sent out to potentially be purchased, but these passes are 'active' whether they were purchased or not. I expect they are more likely to have an 'approved pass manufacture and sale' process, and not actually look at individual passes.

Captain Obvious • May 20, 2011 10:55 AM

@Chris S

"despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said."

...implies they have a way to check.

squarooticus • May 20, 2011 11:11 AM

All the negatives of such a system outweigh any positives, IMO. I like the way transit fares are handled in many European countries: you buy a paper ticket that is valid for a certain period of time and then are required to carry it with you at all times when you are riding transit. Occasionally you will be spot-checked by a transit employee, and if you don't have a valid pass, you are given a huge fine. This eliminates all of the costly infrastructure and replaces it with a small number of employees randomly riding the transit system, performing checks.

Of course this system is susceptible to counterfeiting as well (even with an asymmetrically-signed code, you could just copy the same barcode multiple times and assume probably correctly that two spot checks of the same code will not occur simultaneously), but you still come out ahead by eliminating all the infrastructure. Sadly, transit systems are run by governments, governments are run by unions, and unions like jobs, especially skilled jobs that include installing and maintaining costly, fragile infrastructure.

GreenSquirrel • May 20, 2011 11:12 AM

@BF Skinner

""Why didn't he quit when he was ahead? " I'd say define ahead "

Excellent points - it is very rare that anyone ever quits while they are ahead and this includes criminals and gamblers.

There is always the idea that the system can give them "just a bit more" until the house collapses around them. Just as true in Wall St as it is in the casino or the criminal mind.

(note, those three places are not mutually exclusive)

J.A. Duke • May 20, 2011 11:21 AM

Some specifics (courtesy of the Boston Globe and my personal experience):

The accused worked for Cubic in fulfillment, printing pre-ordered monthly passes and then packaging them for mailing. Companies can order passes for their employees as well as individuals ordering passes to be mailed.

It wouldn't be too difficult to print a pass, then not activate it (I think they are separate steps based on what I recall seeing when I've purchased a monthly commuter rail pass myself). Just claim that you entered the wrong zone (or whatever) and pocket it, then print a good one and activate that.

The bogus pass was discovered by a commuter rail conductor and on those trains you just need to show the pass for verification of month and zone.

The "T" has been conducting random screening of passes in the last few months, looking at the orange arrow that's printed on the pass to make sure that it glows under UV light. They only seemed to conduct those screenings on the homeward-bound commute from places like South Station.

All monthly passes are Charlie Tickets, at least for commuter rail. These are printed on plastic coated paper stock, versus a Charlie Card which is closer to a credit card for construction. Since there isn't any mobile swipe capability on the commuter trains, you can't use a Charlie Card there -- only cash, a monthly pass or a 10/12 ride punch ticket (usually printed on the same Charlie Ticket stock but punched for each ride by the conductor).

Each commuter rail zone has its own price for all stations in that zone; I'm in zone 2 and pay $157/month for a pass. Higher numbered zones are more expensive with Zone 9 at the top at $265/month.

If anyone is interested in seeing each of these, post a comment and I'll scan images of mine and post them.

Cheers,
Jon

dragonfrog • May 20, 2011 12:46 PM

@Zach Mayer
In my city, the monthly passes don't even say they're non-transferable. Two people just can't use one at the same time.

I know plenty of people who share a monthly pass with a spouse, or have two or three passes for a house with four or five housemates, and only occasionally have to buy tickets.

Given that, I don't even see why it would be illegal here to sell your pass at a discount midway through the month if you only needed it for a few weeks.

MBTA Rider • May 20, 2011 12:49 PM

There's an easier way to defeat the MBTA's commuter rail pass security: get on a crowded train. The conductors don't even bother to check tickets.

A good option is to get a 12 ride ticket and then board a crowded train. Most of the time you will ride for free. And you will still have a valid ticket for the rare case when they do check.

Former Boston Student • May 20, 2011 1:24 PM

@BF

Seems to me that the $70,000 quoted in the story is the face value of the Charlie Cards? What the perp actually sold it for on CL, that's an unknown.

@Clive

$70,000 / 400 gives unit cost of $175. If 20,000 of these are circulated over the years, that's $3.5 million.

JimFive • May 20, 2011 3:00 PM

@Chris
"What makes you think the turnstile keeps a record of all passes presented?"

Because that is valuable data. Especially if you also have to scan out of the station. Tracking when someone got on and off each train would be a huge benefit of this system for the proprietors.
--
JimFive

No One • May 20, 2011 5:01 PM

@JimFive, Chris: Scan-out does not occur in Boston, but if you use your CharlieCard on the bus immediately after using it on the subway you get the transfer rate I think. Haven't bothered looking up how that's handled.

BF Skinner • May 20, 2011 9:00 PM

@Bruce - @Moderator

"What makes you think the turnstile keeps a record of all passes presented"
"implies they have a way to check"

Okay so THIS is why we need a white board we can draw on here.

Chris S • May 21, 2011 12:08 AM

@me
"What makes you think the turnstile keeps a record of all passes presented"

@TFA
"despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said."

@Captain Obvious
...implies they have a way to check.

I should have been clearer. Nothing in the article indicates that it was specifically *the* *turnstile* that records the data. It just says the similar passes "were then discovered". They could have done an audit inspection, for example.

Having every turnstile record every inbound card and shipping it back to a central database would be both expensive, and - as the article notes - incomplete. Some places you only need to show your card, not swipe it. Someone more familiar with MBTA could estimate the number of scanning turnstiles in the system.

Since the data is going to be incomplete anyway, they could use a few instrumented turnstiles, but let most of them run offline. That would give you a basis on which to audit the card sales -- something you want to do anyway! (Toronto Transit had a problem with merchants "selling" passes, but then accepting returns at the end of the month and returning the pass to Transit as unsold.)

Big • May 21, 2011 12:52 AM

@greensquirrel
'@BF Skinner
""Why didn't he quit when he was ahead? " I'd say define ahead "
Excellent points - it is very rare that anyone ever quits while they are ahead and this includes criminals and gamblers.'

I wonder if this is true, or if it just seems obvious until you consider that if there were a few or even a lot of crooks who did quit when they were ahead, we'd never hear about it...

Richard Nelson • May 22, 2011 10:55 AM

Not super-familiar with the Cubic system, but almost all electronic fare systems are semi-off-line. The validation device reads the card, compares it against its local hotlist, does whatever other validation it's required to do (e.g., deducting a trip's value from the card's stored value), and then trips the Go/No Go indicator or action.

Data collected are "occasionally" uploaded to the central. That "occasion" is very frequent for fixed devices, daily for buses (i.e., when they pull into the garage).

Data are also pushed to devices. Hence, your stored-value card can have value added at the validation device if you've purchased it, e.g., on the Web. And hotlists, too.

The scam certainly reflects a design flaw in Cubic's security, which I'm sure Cubic and its competitors are studying.

Two sidenotes:

- The MBTA implementation is generally considered the most successful implementation of RFID fare payment in North America (so far).
- The coming thing in fare payment is micropayment off bank-issued credit cards
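The semi-off-line flow described in the comment above, as an added example that is not part of the original comment and is not Cubic's design: a validator decides go/no-go from its local hotlist and a month check, buffers taps, and only learns about a bad serial after it has synced with the central system. The on-card fields, class names, verdict strings and the central audit rule (hotlist any accepted serial that was never activated) are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Pass:
    serial: str        # hypothetical on-card serial number
    valid_month: str   # hypothetical on-card validity period, e.g. "2011-03"


@dataclass
class Validator:
    """A gate that decides locally and talks to central only on sync."""
    device_id: str
    hotlist: set = field(default_factory=set)    # serials to refuse, pushed from central
    pending: list = field(default_factory=list)  # taps collected but not yet uploaded

    def tap(self, card, month):
        # The decision uses local state only; there is no central lookup here.
        if card.serial in self.hotlist:
            verdict = "NO_GO_HOTLISTED"
        elif card.valid_month != month:
            verdict = "NO_GO_EXPIRED"
        else:
            verdict = "GO"
        self.pending.append((card.serial, self.device_id, month, verdict))
        return verdict


@dataclass
class Central:
    activated: set                               # serials activated at issuance
    hotlist: set = field(default_factory=set)
    taps: list = field(default_factory=list)

    def sync(self, validator):
        """Collect buffered taps, audit them, and push the hotlist back."""
        self.taps.extend(validator.pending)
        validator.pending.clear()
        # Assumed audit rule: an accepted serial that was never activated
        # goes on the hotlist.
        for serial, _device, _month, verdict in self.taps:
            if verdict == "GO" and serial not in self.activated:
                self.hotlist.add(serial)
        validator.hotlist = set(self.hotlist)


def run_demo():
    """Constructed scenario: one paid pass, one printed-but-unactivated pass."""
    central = Central(activated={"CT-1001"})
    gate_a, gate_b = Validator("GATE-A"), Validator("GATE-B")
    paid = Pass("CT-1001", "2011-03")
    unactivated = Pass("CT-1003", "2011-03")

    results = {}
    results["paid"] = gate_a.tap(paid, "2011-03")
    results["unactivated_before_sync"] = gate_a.tap(unactivated, "2011-03")
    central.sync(gate_a)
    results["unactivated_after_sync"] = gate_a.tap(unactivated, "2011-03")
    # GATE-B has not synced yet, so it still has an empty hotlist.
    results["unactivated_at_unsynced_gate"] = gate_b.tap(unactivated, "2011-03")
    results["paid_next_month"] = gate_a.tap(paid, "2011-04")
    return results


if __name__ == "__main__":
    for step, verdict in run_demo().items():
        print(f"{step}: {verdict}")
```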

Dirk Praet • May 22, 2011 5:22 PM

As noted by Bruce, the major security flaw in this system was the lack of proper auditing and cross-referencing of serial numbers and paying pass holders. Being financially strapped is no excuse for getting basic security wrong, just like the IRS won't accept being low on cash as an excuse for not paying your taxes.

Where I live, we can nowadays also pay for our tickets using SMS text messaging. And senior citizens aged 65 or older ride for free.

GreenSquirrel • May 23, 2011 3:07 AM

@ big

You make a good point there. Is it possible to ever work out how many people cheat/trick/steal etc but have enough will power to call it a day when they hit a certain threshold?

Certainly this occurs in fiction ( and is pretty much the premise of Layer Cake ) but on the grounds that we would never find out about it, I don't think we could ever calculate this.

We can try to extrapolate from those who do "fail" - and there are enough of these that if there is an equal number who succeed, we are surrounded by criminals.

Rhialto • May 23, 2011 9:24 AM

Chris S wrote: "However -- since the MBTA cards are not transferrable, logging that information might have privacy implications."

Wow, you haven't heard of the Dutch public transport chipcard ( http://en.wikipedia.org/wiki/OV-chipkaart ) then. Everybody's movements through the whole country are logged and stored for a few years, and nobody in the government seems to think that this is a bad thing.

Davi Ottenheimer • May 23, 2011 3:27 PM

"you'd think the MBTA would poke around the net occasionally, looking for discount tickets"

if they don't even look at their own internal systems for interesting data, i have a hard time expecting them to look externally.

ok, well, maybe if "charlie tickets" was a facebook profile...

Mike B • May 24, 2011 11:59 AM

Yes indeed. Boston as well as most other transit systems with smart cards use Mifare brand cards, most often the "Classic" model. The card has numerous technical flaws that can allow someone to add value to the card at will, although it can be detected through auditing.

The MIT students became the subjects of the MBTA v. Anderson court case that weighed on responsible disclosure.

The main problem with transit smart cards is that to maintain throughput at turnstiles and to keep the cost and power requirements low enough, the cards have to finish all processing within 200 milliseconds. This makes adding most side channel protection impossible as well as limiting the size of the crypto variables. For example the Classic uses a 48-bit key.

I am sure that the cards will improve with time, but their rock bottom price point even manages to put stress on Moore's law.

http://en.wikipedia.org/wiki/MBTA_v._Anderson

http://en.wikipedia.org/wiki/Mifare

Doug Coulter • May 24, 2011 11:22 PM

@BF Skinner
I'd suppose the reason you see busts for small time embezzlers is that they take from people who notice small amounts of money, and since they don't get much, can't bribe...er share, the proceeds with those who'd bust them.

After all, you don't see Lloyd Blankfein up on charges, do you? Or any of a number of other Wall street names who are surely guilty.

Same deal with college kids selling dime bags getting busted but not the big guys...who turn their competitors in for the good of their paid cops careers and their own business.

White collar crime pays much better and is much safer than the usual (or more public) sort. A long life of studying where the money goes convinces one of that readily.

Prefer not to say • May 28, 2011 10:29 PM

Seriously, how hard is it to Google "Charlie Cards for sale"? I bet the MBTA has a web filter that blocks Craigslist.

John langman • June 17, 2011 5:11 AM

I suggest you read David Everett's summation of Mifare security at www.microexpert.com and visit the TNO research site at Delft, Holland for a full expose of Mifare card security!


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..