Does the MBTA need to rethink its ticketing system?

  1. BostonDotCom

    Three MIT students say they have learned how to hack the MBTA system and ride the T for free. This research has aroused criticism within the MBTA about the effectiveness of the agency's ticketing system.

    Do you think the MBTA needs to reevaluate the current ticketing system? Why or why not?
     
  2. lrecliner

    Ah, another successfully run gov't entity. We need the gov't to run healthcare too, that way these dweebs can get free public transportation and all the free vicodin they want.
     
  3. Streetcar_Eddie

    What is this fetish that the MBTA has about free speech and civil liberties? Instead of trying to fix things, they squelch constructive criticism. Their new name should change from MBTA to USSR. Not much difference. Even their departments have similar names like Central Transportation Planning Staff. Stuff you would expect out of the Politburo. Why are they always in court either to trammel civil liberties or defend themselves against such? It seems that employees cannot discuss "authority business" without clearance from the "spokesman" or it is "non-public" information. Why are they always in the "Executive session" mindset? More often than not they lose the case, wasting OUR fares and OUR tax dollars on legal fees. It is time for regime change.
     
  4. estavo

    I see college kids ride for free all the time using two much less high tech ways. (1) Jump behind someone who pays and walk behind them through the gate that stays open for what seems to be a really long time. (2) Just lean over or around the swinging plastic gate and wave your backpack or bag in front of the sensor on the "exit side" -- gates open and people walk right through. The T staff does nothing to stop this.

    The card hack is embarrassing, but the entire fare gate system that the T rolled out along with the Charlie system is so stupid as to be almost criminal. Were there kickbacks with the award of that contract?

    Seriously, why did the T remove the highly effective metal gates and turnstiles? If they needed to upgrade, why not adopt a "push through" fare gate like they use in NYC and several European transit systems? The system needs to go, and those that set it up need to be held accountable.
     
  5. ManOnTheSilverMountain

    No, they just need to fix the security hole(s).

    Duh.

     
  6. ManOnTheSilverMountain

    [Quote]Ah, another successfully run gov't entity. We need the gov't to run healthcare too, that way these dweebs can get free public transportation and all the free vicodin they want.[/Quote]
     
  7. GGallagher

    [Quote]You can take a bus AND a train for $1.70 on the T, and travel as far as your heart desires. Try THAT in NY or DC![/Quote]

    Actually to take the bus AND the train it costs more like $3 to ride the system and it's usually one OR the other that you can ride all day not both at the same time.

    As far as other Metro city transportation systems are run a hell of a lot better than ours.
     
  8. lrecliner

    [Quote]

    Actually to take the bus AND the train it costs more like $3 to ride the system and it's usually one OR the other that you can ride all day not both at the same time.

    As far as other Metro city transportation systems are run a hell of a lot better than ours.[/Quote]

    Good point, plus people aren't usually going all that far on the subway or bus. Boston and the immediate surrounding area the T covers is not a big area geographically. They just use it because it costs less than parking and/or driving. The people who live further away (outside of the 128 loop) use the Commuter Rail and that is a lot more than $1.70... plus who would want to travel on the T "as far as your heart desires" anyhow... probably not most people's idea of a good time.
     
  9. ManOnTheSilverMountain

    [Quote]Ah, another successfully run gov't entity. We need the gov't to run healthcare too, that way these dweebs can get free public transportation and all the free vicodin they want.[/Quote]

    Yeah, the TJX Companies never had any security breaches, don't ya know. It's only the government entities that are flawed.

     
  10. skier7303

    [Quote]

    Actually to take the bus AND the train it costs more like $3 to ride the system and it's usually one OR the other that you can ride all day not both at the same time.

    As far as other Metro city transportation systems are run a hell of a lot better than ours.[/Quote]


    oh really? i've lived in DC and NYC, and I would take the MBTA over either any day. people talk about the T like it's some problem exclusive to Boston... it's not. there are the same problems in public transportation systems all over the world.
     
  11. unh1122

    hmmm let's see how much that's gonna cost us as taxpayers. How about reevaluate each train's AC system and the timeliness of the T?? I'm sick of hearing "disable train".........

     
  12. blobpet

    If you want to understand just how bad the situation is with the MBTA, you need to look at the actual presentation: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

    We're not talking just hacking the Charlie Ticket/Card system, but also serious lapses in physical security.

    The Charlie paper ticket hack was really not that revolutionary. The ticket is just your standard magnetic stripe card with almost no security built into it. Anybody could hack it.

    I don't necessarily blame the T for the Charlie card though (which is hacked differently from the paper ticket). At the time they decided to use the Mifare system, they probably felt it was the most secure solution available.

    Why they chose to use both a paper ticket AND the plastic card is beyond me.
     
  13. eighttaft3

    Sure let's get rid of it. While we are at it, let's close down TJX and all its affiliates, and oh let's TD Banknorth, oh and let's add, a restaurant that recently double charged everyone. Oh while we are at it, let's everyone, including those who posted here, get rid of your PCs.

    Guess what, the Globe and what you wrote here is no more secure and by the way, hackers can probably go right through this message board to your PC (especially if you are using an unsecure wireless network) and get all your personal data and bank account information.

    The fact is, times have changed and with it comes new problems. Nothing is perfect, not even one of the dweebs who writes here like an idiot.

    For such an education-focused town, people act and talk like it is 1620.
     
  14. boston234

    I don't think the MBTA ever really intended their system to be 100% foolproof. We are talking about public transportation and government employees here. Their prior system was a complete joke. If you have the security software and you are a loser hacker, I'm sure you can do wonders to save yourself 2 bucks every day. Way to go MIT dorks. This story would be much better if the MIT dorks revealed a security flaw with American Express cards instead.
     
  15. roaddemon

    One security glitch isn't a reason to replace an entire system. It's something that you fix.
     
  16. kesj

    If only the MBTA were as imaginative in solving their funding issues as they are by filing a lawsuit which makes such astounding claims (in paragraph 64) as the Charlie Ticket (a piece of paper) "standing alone" is a computer. Imagine the potential revenue the MBTA could raise if that was true. Certainly many people would buy this "computer" for $0.05 (the minimum Charlie ticket purchase amount.) This would be laughable but for the implications to everyday people that use these tickets if they actually write a note on their Charlie ticket. That very act means they've violated the computer and Fraud Act (18 USC 1030) according to the MBTA.

    The real issue is the MBTA automated fare system, as described by the MIT students, is not a well thought out system that is vulnerable in several ways. If the MIT students are correct, the current Charlie Ticket essentially has almost zero security. What little security there is can be compromised with a little technical know-how. The MBTA Charlie ticket security is "security through obscurity." A system which includes as security a checksum that can be brute force attacked in 64 or less attempts is not secure. This calls into question the competence of the systems vendor as well as MBTA technical staff.

    Finally, the scariest part of the students' presentation is not the problems with the Charlie card or Charlie ticket, it is the complete lack of physical security of the MBTA computer network supporting the automated fare system. The MIT students' original presentation (which was published in the conference CD a month prior to the restraining order) has several photographs of open doors to supposedly secure areas as well as unsecured and easily accessible network equipment which carries transaction information. Some of this information includes credit card information. Of course, the MBTA police would rather spend its time randomly frisking innocent fare paying passengers than assuring the MBTA physical infrastructure is protected by seeing that doors and control centers are securely closed.

     
  17. kesj

    If only the MBTA were as imaginative in solving their funding issues as they are by filing a lawsuit which makes such astounding claims (in paragraph 64) as the Charlie Ticket (a piece of paper) "standing alone" is a computer. Imagine the potential revenue the MBTA could raise if that was true. Certainly many people would buy this "computer" for $0.05 (the minimum Charlie ticket purchase amount.) This would be laughable but for the implications to everyday people that use these tickets if they actually write a note on their Charlie ticket. That very act means they've violated the computer and Fraud Act (18 USC 1030) according to the MBTA.

    The real issue is the MBTA automated fare system, as described by the MIT students, is not a well thought out system that is vulnerable in several ways. If the MIT students are correct, the current Charlie Ticket essentially has almost zero security. What little security there is can be compromised with a little technical know-how. The MBTA Charlie ticket security is "security through obscurity." A system which includes as security a checksum that can be brute force attacked in 64 or less attempts is not secure.

    Finally, the scariest part of the students' presentation is not the problems with the Charlie Card or Charlie Ticket, it is the complete lack of physical security of the MBTA computer network supporting the automated fare system. The MIT students' original presentation (which was published in the conference CD a month prior to the restraining order) has several photographs of open doors to supposedly secure areas as well as unsecured and easily accessible network equipment which carries transaction information. Some of this information includes credit card information. Of course, the MBTA police would rather spend its time randomly frisking innocent fare paying passengers than assuring the MBTA physical infrastructure is protected by seeing that doors and control centers are securely closed.
     
  18. seligb

    The Charlie Ticket system is like a bank passbook system, if the bank just trusted that the number in the passbook was accurate. Sure, honest people won't write new balances in their passbook, and the charlie ticket system is probably just enough security to keep honest people honest, but it's not going to make dishonest people play by the rules. Why not just copy the NYC metrocard system?
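
Added example, not part of any post in this thread and not MBTA or presenter code: it contrasts the short unkeyed checksum kesj describes and the "passbook" trust model seligb describes with a keyed tag checked against a back-end ledger. The record layout, the 6-bit checksum, the key and all values are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: a secret held only by the fare back end

def record_bytes(serial: int, value_cents: int) -> bytes:
    # Constructed toy layout (4-byte serial + 2-byte value); not the real ticket format.
    return serial.to_bytes(4, "big") + value_cents.to_bytes(2, "big")

def checksum6(data: bytes) -> int:
    # Hypothetical unkeyed 6-bit checksum: 64 possible values, computable by anyone.
    return sum(data) & 0x3F

def weak_accepts(serial: int, value_cents: int, check: int) -> bool:
    # "Passbook" reader: trusts whatever value the card carries if the checksum fits.
    return checksum6(record_bytes(serial, value_cents)) == check

def accepted_check_values(serial: int, value_cents: int) -> int:
    # Of the 64 possible check values, how many does the weak reader accept?
    return sum(weak_accepts(serial, value_cents, c) for c in range(64))

def mac_tag(key: bytes, serial: int, value_cents: int) -> bytes:
    # Keyed tag: cannot be recomputed without the back-end secret.
    digest = hmac.new(key, record_bytes(serial, value_cents), hashlib.sha256).digest()
    return digest[:8]

def strong_accepts(key: bytes, serial: int, value_cents: int, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, serial, value_cents), tag)

def ledger_accepts(ledger: dict, key: bytes, serial: int, value_cents: int, tag: bytes) -> bool:
    # The card is only a cache; the back-end ledger is the authoritative balance.
    return strong_accepts(key, serial, value_cents, tag) and ledger.get(serial) == value_cents

def demo() -> dict:
    serial, issued, edited = 1001, 170, 10000
    tag = mac_tag(KEY, serial, issued)
    return {
        # Edited value with a recomputed checksum passes the weak reader.
        "weak_edit_accepted": weak_accepts(serial, edited, checksum6(record_bytes(serial, edited))),
        # Exactly one of 64 check values fits, so guessing needs at most 64 tries.
        "weak_valid_values": accepted_check_values(serial, edited),
        # Edited value with the originally issued tag fails the keyed check.
        "mac_edit_accepted": strong_accepts(KEY, serial, edited, tag),
        # A genuine but stale record is refused once the ledger shows the fare spent.
        "replay_after_spend": ledger_accepts({serial: 0}, KEY, serial, issued, tag),
        "honest_card": ledger_accepts({serial: issued}, KEY, serial, issued, tag),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
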
     
  19. Bokonon

    Any system is hackable. If they replace the CharlieCard / Ticket system wholesale, they'll be back to square one, less several million dollars (that they don't have, I might add).

    If you take a look at the hackers' DEFCON presentation slides, you'll see that a lot of the actual "hacks" simply involve poking around T stations for open doors that shouldn't be open, and "social engineering" (e.g., placing a well-designed prank phone call to get employees to vacate their workstations, etc.) These security holes have nothing to do with technology, and everything to do with employee training and common sense.

    That said, on the technology side, the T's decision to use a magnetic stripe for CharlieTickets (easy to reverse-engineer by spending a few bucks on eBay) rather than, say, printed RFID tickets (see the MARTA system in Atlanta) or some other more advanced system is very questionable, as is their decision to only require 48-bit encryption on Charlie Cards (which could be easily cracked by that old Windows 3.1 machine you used to have in 1993).

    Even worse has been the T's response to this whole incident. Given the T's general lack of self-awareness, I guess it isn't surprising that they didn't bother to take a look at what routinely happens in the software industry when hackers (operating independently or working for security research firms) uncover security flaws and choose to report them in a publicly-accessible forum, rather than keeping them to themselves and hoarding the benefits of exploiting them. Typically, when this happens, there begins a collaborative effort between the hacker and the maker of the hacked software to patch the security flaw as quickly as possible. Lawsuits are not the answer -- they do not fix the fundamental security problem, and only serve to fill the T's lawyers' pockets (at the expense of us taxpayers).

    Ultimately, I think many of the T's problems (information security related and otherwise) would be solved (or at least be headed toward a solution) if all of the career bureaucrats on the management team were fired and replaced with younger, solutions-oriented people whose first response to any problem is "here's what we can do" rather than "here's what we can't do". How about starting by hiring these MIT kids as consultants to help make the Charlie system what it should be: secure, reliable, web-accessible, etc? There's no reason why Boston's primary public transportation system shouldn't be up to basic 21st-century standards.
     
  20. satnavsys

    The fare collection system slows down buses and trolleys. The bus spends more time waiting for passengers to count change and recharge their charliecards than the bus spends moving along its route.
     
  21. engfant

    The cards are an embarrassment. The vending machine way of buying them is just terrible. They take 10 times as long to get a card IF YOU CAN GET ONE that is. No cash but charge which is just CRAZY for such a small transaction. You have NO IDEA of how much you have left unlike a TOKEN, the cards are crazy litter, and everything is now TRIPLE what it used to cost.

    HAS to be someone making out on this deal cause it sure as hell isn't the commuters.

    This is embarrassing that this is what Boston offers. Maybe South Dakota or some nonsense state. Not Mass.
     
  22. asot

    Long live the token!
     
  23. frankjcapp

    How about starting by hiring these MIT kids as consultants to help make the Charlie system what it should be: secure, reliable, web-accessible, etc? There's no reason why Boston's primary public transportation system shouldn't be up to basic 21st-century standards.

    Good idea ... but here is the irony

    IF these STUDENTS (their discovery was PART OF A CLASS ASSIGNMENT) were to say to the "T" .. "Hey .. I found a butt-load worth of security breaches. Pay me some money and I'll help you fix them" ... would find themselves in court .. not civil court, but criminal court for extortion ... I would bet my last nickel on that.

    People ... this is the GOVERNMENT we're talking about. A government where people who CAN'T don't ... no one with serious ambitions goes into civil service. It's all a pension and health benefit scheme that includes some decent perks (like a living wage). No one really expects the GOVERNMENT to do anything EXCEPT protect its own interests.

    The entire Constitution was originally written to protect US from THEM ... now, not so much.

    To think that the "T" would do something (1) logical, (2) ethical, (3) well thought out .. is in the same league as thinking a Bus Driver is capable of removing your spleen.

    As mentioned above, the best solution would be to fire the miserable management wholesale, hire the kids on a short term contract, and devise a solution that actually works. Then fire them, and hire some civil service moron to watch over the system .. DON'T TOUCH IT ... just watch it and call the folks with brains when it breaks.


    Yeah ... don't have a lot of use for government

     
  24. pietropaulo

    The security of Charlie may well be flawed. But the system can't even do the simplest things, such as selling a single fare ticket at the push of a button.
     
  25. nautic3727

    Boston should get more federal support, so Boston can have a state of the art public transit system as Washington D.C. has.
     
