12 August 1997


The New York Times, August 11, 1997, pp. A1, B4.

What Galls a Hacker Most? The Metrocard

By Amy Harmon

Cracking Pentagon computers lost its cachet among computer hackers around the time the 1983 movie "War Games" alerted the world to their existence. AT&T has been penetrated so many times by pale young computer jocks that it's a bore. And the World Wide Web is so full of security holes that it is almost too easy.

But the thousand or so hackers who gathered at a conference in SoHo over the weekend have a new Holy Grail: the Metrocard, and the $700 million computer system the New York City Transit Authority has installed to make it work.

Led by a renegade Transit Authority token clerk who goes by the code name Red Balaklava, the hackers of New York--and fellow travelers from other cities--have launched a series of guerrilla attacks against the irritatingly secure Metrocard, the little plastic card whose magnetic strip can be encoded with up to $80 in subway or bus fares.

So far, the hackers have had little luck. But the weekend gathering at the historic Puck Building, draped for the occasion with thick coils of high-speed phone lines and power cables, served as a rallying point for the anonymous exchange of underground notes.

Disguised in his trademark red ski mask and a yellow Transit Authority baseball cap given to employees, Red Balaklava--who refuses to identify himself, for obvious reasons, but who showed his Transit Authority identification card to a reporter--gave a seminar yesterday summing up the progress thus far. Overcoming the now ubiquitous Metrocard is an issue of privacy, he insisted, not free rides.

"They can tell where you've been and when you've been there," he said. "All the information is stored on their computers. Does anyone here have a problem with that besides me?"

"Yes!" came the resounding reply.

The Metrocard is of particular interest to hackers because, unlike the older fare cards in cities like San Francisco and Boston, which long ago fell to hacker attacks, New York's card is not simply a receptacle for stored value. Instead, each card appears to have--no hacker seems sure--an account stored in the Transit Authority's main computer, which communicates via phone lines and radio signals with its subway stations and buses. Closer examination of the Metrocard may also shed light on other corporate networks that use similar security techniques, several hackers said. And besides, said a Boston hacker called Kingpin, who claims to have hacked his hometown fare card: "It's New York. It's big, and it's expensive. And here, everybody's always looking for a con."

Eric Corley, publisher of 2600, the hacker magazine sponsoring the conference, called "Hackers on Planet Earth," said: "It's new technology. We want to see if it's secure. We want to see if it's a threat to privacy. The only way we can do that is to tear it down and see how it ticks."

Founded 13 years ago, the magazine takes its name from the 2600-hertz tone that used to control AT&T's switching system. Mimicking it to gain free access to long-distance lines was one of the first hacks practiced by so-called phone phreaks, who focused on illicit entry into the public phone network. But now that daily life, from subway rides to bank transactions to office E-mail, is increasingly taking place over computer networks, 2600 has branched out.

The Metropolitan Transportation Authority, the Transit Authority's parent agency, declined to explain how its new system works, except to confirm the obvious: "There is a magnetic stripe and it is read when you swipe it or put it into the coin box," said Tom Kelly, the M.T.A.'s spokesman. "We feel that we have adequate safeguards to protect the integrity of the system. We are working with both our own inspector general and the New York City Police Department in regard to any type theft of service."

That doesn't exactly jibe with the hacker credo: "Information wants to be free." Hackers have long tried to portray themselves as information-age Robin Hoods. Most of the young attendees of the hackers' conference insisted that their goal was not to profit for themselves, but simply to embarrass government entities like the M.T.A. and large corporations by exposing their vulnerabilities.

"It's not about making money," said Yonick, a New York hacker. "If it was, we'd just hop the turnstiles."

But the recent Metrocard antics have reopened the debate among hackers about where the line gets drawn between exposing security flaws and breaking the law. Some hackers defend their actions as helping to strengthen the very entities they attack. But not all have such high-minded motives.

"It's power, it's money, it's very cool," said Max, a 20-year-old New York City college student who would not give his last name. "If I could give you an $80 Metrocard right now, would you accept it?"

Max said he previously specialized in stealing credit card numbers from corporate Web sites ("Disney is crazy insecure," he noted). But since the Transit Authority unveiled a new Metrocard last month--a so-called gold card that allows free transfers between subways and buses--he has focused on figuring out how to clone it. With a friend, he invested $1,500 in a three-track magnetic card reader, but to no avail.

The gold Metrocard's predecessor, a blue card, was first dissected at Mr. Corley's last conference, in 1994. Since then, he said, he has received several "donations of knowledge" in the mail. For instance, a package recently arrived at his Middle Island, N.Y., headquarters postmarked San Diego, the location of the Cubic Corporation, which designed the Metrocard system. Mr. Corley said it contained detailed schematics of the turnstiles, which are believed to house small computers that both read from, and record information onto, the card.

The drawings had apparently been retrieved via a tried-and-true hacker technique: Dumpster diving.

The Metrocard was not the only object of hacker deliberation at the conference, where the entirely pseudonymous crowd tapped remorselessly away at computer terminals, performed friendly stunts on the "Hacking in Progress" gathering going on simultaneously in Holland and smoked endless chains of cigarettes.

Mark Abene, better known as Phiber Optik, New York's most famous hacker, who served a jail term for breaking into computer systems, gave a talk on the supposedly more secure digital network for wireless phones making its American debut this year. E-Z Pass, the M.T.A.'s electronic toll payment system, has its hacker adherents, too.

But the Metrocard, because it is so widely used, so simple and so hard to crack, seems to have a special appeal. Clutching their tiny cell phones, beepers and other unspecifiable electronic equipment, teen-age boys and a few girls with name cards like "Binary," "Terrorisczt" and "Joe" crowded in to hear Red Balaklava's tips.

The transit employee, who said he was always good at chemistry, began his hacking career with experiments in homemade napalm. Later, he graduated to "phone stuffing," a pay-phone-hacking technique popular in the late 1970's. At the M.T.A., he said, he used to use a small electronic device that mimics telephone keypad tones to call his girlfriend from an emergency phone in his booth.

His interest in the Metrocard arose, he said, because "it was there and I was there."

Essentially, "Red" told his audience, there are two known ways to hack the Metrocard, and both allow for only one free $1.50 ride. One hacker played the magnetic strip through an eight-track tape recorder, then glued the cloned tape onto a piece of cardboard. He made it through the turnstile shortly after the blue card came out in 1994, but was immediately arrested by a police officer who had spotted the odd card.

Another way--and it would have to be done by an employee--is to disconnect the booth computer from the main computer, and make up cards. But since the main computer communicates regularly with both the turnstiles and the booth computers, false cards have so far all been invalidated after they have been used once.

Since token clerks can see the code of the station or bus where the card was last used on their booth computer, Red Balaklava has urged his young cohorts to write down the physical location of their last swipe and send it to him--via an intermediary, of course.

Some hackers believe that because the turnstiles, the token booth computers and the mainframe computer, respectively, upload and download information at six-minute intervals, the length of time that a passenger can transfer without paying may actually be 18 minutes more than the advertised two hours, if the timing is right.

Bruce Schneier, a highly regarded cryptography expert who spoke at the conference, said experience had taught him that hackers often understood computer systems better than the engineers who designed them.

"Hackers just have a much more holistic view," he said.

Mr. Schneier, who is a consultant to Cubic on the next-generation Metrocard, said he believes someone will inevitably figure out a hack. "I believe that, fundamentally, a system as complicated as the Metrocard cannot be absolutely secure," he said. "What we have to make sure is that the hack won't scale. If a few people ride for free, that's no big deal."

Katie Lukas, 20, of Brooklyn said she already had the best way to "hack" the Metrocard.

"I use tokens," said Ms. Lukas, who wore a beeper in the waist of her skirt. "It's the Transit Authority, you know. Anything that is going to store information at all and has the word 'authority' on it, I try not to use."

[Photo] A renegade token clerk lectured hackers about the Metrocard.

[Photo] From left, Brian MacFarlane, Rebecca Dean and Sean Buddles got in some practice yesterday at a convention of computer hackers in SoHo.


See comments on two HOPE sessions:

http://jya.com/beyond-hope.htm