Boston.com THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING

MBTA board member blasts agency's ticketing system

Independent audit of program urged

By Christopher Baxter, Globe Correspondent  |  August 14, 2008

An MBTA board member delivered scathing criticism of the T's ticketing system yesterday, seizing on the findings of three MIT students who said they discovered how to hack the system and ride for free.

At the Massachusetts Bay Transportation Authority's monthly meeting, Janice Loux distributed a report by the students detailing the vulnerabilities of the CharlieTicket and CharlieCard program. She said it was the latest example of "a systemwide failure" to properly implement and oversee automated fare collection.

"Whatever the reality of the reports, the automated system is a mess," Loux said, calling for an external audit of the program. "I've lost all confidence in our general manager."

The MBTA remains concerned about what Massachusetts Institute of Technology students Zack Anderson, R.J. Ryan, and Alessandro Chiesa may have discovered during their research for a network security class. A federal judge granted a temporary order Saturday blocking the trio from publicly discussing at a Las Vegas convention how to hack the cards and ride the T for free.

Daniel A. Grabauskas, general manager of the MBTA, said Monday that claims made in the past against the cards have either been dismissed or dealt with, adding yesterday that both internal audits and federal reviews monitor the program's performance.

Federal officials "have not raised any concerns," Grabauskas told the board. "They have been highly complimentary of the program, and they are pleased with how it's proceeded."

In court today, the agency will request changing the order to bar the students from discussing "nonpublic" information. That would probably allow them to talk about the details of their conference presentation, including how to hack the cards, and also about a vulnerability report that identifies weaknesses in the ticketing system. The MBTA would then have to persuade a judge to order a permanent injunction.

Grabauskas said after the meeting that he was not convinced the two documents contained all of the students' findings, which is why the agency is pushing forward with the injunction.

But he avoided the question of whether the reports posed a threat to the system.

Christopher Baxter can be reached at cbaxter@globe.com 

© Copyright The New York Times Company