Hacker divulges card's failings

A hacker exposed a flaw in Christchurch's public transport system in the hopes of making Environment Canterbury take action.

At Kiwicon, a technical security conference at the weekend, William Turner exposed a flaw in the Metrocard system that left up to 70,000 people's personal details exposed, and potentially gave some free rides.

He told the conference that it was possible to access most users information, change the balance of the card, unblock cards and clone cards.

He said he had "no sympathy" for ECan as he had already told them of the problems but they had not fixed all of them.

"I'm kind of hoping that, after this, maybe you know, maybe it will prompt them to do something."

Yesterday morning, the Metrocard section of the regional transport information website was taken down.

ECan director operations Wayne Holton-Jeffreys said that, a few months ago, a hacker showed them how he was able to put funds on to his Metrocard without actually paying.

"We were aware of that issue and had put things in place to upgrade [the card system]," he said.

"We had that planned to roll out by June 2014."

He said they fixed the problems they were aware of but were unaware of the hacker's other concerns relating to the website.

Holton-Jeffreys said the same person had presented information at Kiwicon showing flaws in the system that allowed access to unregistered Metrocard holders' details. He said there were about 70,000 active Metrocards, but was unsure how many were registered.

"So to protect our Metrocard holders' privacy we have taken the website down," he said, adding that, "I don't think I would be worried [as a Metrocard holder]."

Holton-Jeffreys said the hacker had to enter an active Metrocard six-digit number at random so could not search for people specifically. Likewise, there was no bank account data available, although names, addresses, telephone numbers and dates of birth could be found.

The flaw meant people could also add money to their Metrocards without actually paying. But Holton-Jeffreys did not believe this was going on as ECan kept a close eye on amounts transferred.

ECan hoped the flaw with the Metrocards could be fixed quickly. In the meantime, Metrocard users can still use the card, but must top it up manually rather than online.

Holton-Jeffreys said the hacker had been co-operating with the regional council.

The Press