The high school student cracked the EasyCard and made hundreds of thousands; this is not a first-time incident but an old problem.
Yesterday, several Taiwanese media outlets reported that a high school student from northern Taiwan used an NFC reader to crack the EasyCard chip's encoding, tampered with the stored-value amount on the card, and then cashed out through specific self-service refund machines or exchanged the balance for goods through small-payment channels; initial estimates put the amount successfully cashed out at at least several hundred thousand.
The EasyCard Corporation discovered an anomaly in refund cash flow during routine reconciliation work and proactively reported it to the police and supervisory authorities after internal auditing.
Although some media outlets believe this is the first such case for the EasyCard Corporation, blogger Huli, who is familiar with the cybersecurity field, casually remarked: 'This is not the first case at all.' Back in 2011, a cybersecurity consultant altered an EasyCard's balance and was caught while shopping at a convenience store, receiving a 5-year suspended sentence and a fine of 1 million.
What sets the high school student's method apart from past cases is that he refunded the EasyCard directly at metro stations instead of spending the balance. Because the metro company does not settle refunds with EasyCard immediately, there is a time lag, and the tampering is not discovered right away.
Huli said that although the amount stored on the card can be tampered with, the recharge records live on the server, so a discrepancy between the two will always be found and the perpetrator will be caught in the end. This time, the anomaly was noticed only a few months later, during reconciliation.
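As an added illustration (not code from the article, Huli, or the EasyCard Corporation), a minimal reconciliation pass of the kind described above: replay the server-side ledger in time order and flag any refund or purchase that spends more than the ledger says the card held. The transaction format, card ids and amounts are constructed assumptions.

```python
"""Stored-value reconciliation: does each refund/debit fit the server ledger?"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card_id: str
    kind: str    # "topup", "debit" or "refund"
    amount: int  # NT$, positive; for "refund" it is the cash the machine paid out
    ts: int      # sequence number / timestamp used for ordering


def reconcile(txns):
    """Replay the ledger and return (balances, anomalies).

    An anomaly is any debit or refund whose amount exceeds the balance the
    ledger can account for at that moment: the card reported more value
    than the backend ever loaded onto it.
    Each anomaly is (card_id, ts, ledger_balance_before, amount_spent).
    """
    balances = defaultdict(int)
    anomalies = []
    for t in sorted(txns, key=lambda t: t.ts):
        bal = balances[t.card_id]
        if t.kind == "topup":
            balances[t.card_id] = bal + t.amount
        elif t.kind in ("debit", "refund"):
            if t.amount > bal:
                anomalies.append((t.card_id, t.ts, bal, t.amount))
            # A refund empties the card; a debit only subtracts.
            balances[t.card_id] = 0 if t.kind == "refund" else bal - t.amount
        else:
            raise ValueError(f"unknown transaction kind {t.kind!r}")
    return dict(balances), anomalies


# Constructed sample ledger: card-A behaves normally, card-B is refunded
# for far more than the server ever loaded onto it.
SAMPLE_TXNS = [
    Txn("card-A", "topup", 500, 1), Txn("card-A", "debit", 120, 2),
    Txn("card-A", "refund", 380, 3),
    Txn("card-B", "topup", 100, 4), Txn("card-B", "debit", 60, 5),
    Txn("card-B", "refund", 5000, 6),
]

if __name__ == "__main__":
    balances, anomalies = reconcile(SAMPLE_TXNS)
    for card_id, ts, had, spent in anomalies:
        print(f"{card_id} @ {ts}: ledger balance {had}, but {spent} was paid out")
```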
Image source: FB cybersecurity blogger Huli casually discussing the high school student cracking the EasyCard incident.
The responsibility for the EasyCard incident has sparked controversy; did netizens wrongly blame the Digital Department?
On Threads, a netizen attributed the EasyCard incident to the Digital Department, claiming 'a high school student slaughtered the entire Digital Department,' but faced heavy criticism.
A netizen explained that the Digital Department is responsible for national digital transformation and cybersecurity policies, but the backend of the card and the settlement system are managed by the EasyCard Corporation, while the Taipei Metro Company is responsible for the ticketing equipment and processes at the metro end, with the supervisory authority being the Taipei City Government.
The old EasyCard system was already cracked; even after adopting the new version, the old cards were not eliminated.
Huli further pointed out that the MIFARE Classic system used by the EasyCard was cracked 15 years ago, and in recent years, a new system has been adopted with a different underlying architecture.
At the HITCON hacker conference in Taiwan in 2010, Professor Zheng Zhenmu from the Department of Electrical Engineering at National Taiwan University demonstrated how to modify the amount on an EasyCard. At the end of the same year, cybersecurity researcher Harald Welte also detailed the cracking process at the Chaos Communication Congress.
Huli believes that even if tampering with the EasyCard balance will ultimately be caught, to completely resolve the issue, all cards using the old system should be recalled and eliminated.
A United News Network report reminds readers that an EasyCard issued many years ago, unregistered, and without co-branding features may still use the lower-security, easily cracked MIFARE Classic chip.
The report also notes that the EasyCard system has not yet fully upgraded its chip specifications, and that its level of security and transaction control does not meet Apple's technical requirements, which may be one reason the EasyCard has not yet been integrated into Apple's NFC payments.
'High school student cracked the EasyCard and made hundreds of thousands! Shouldn't we blame the Digital Department, where is the real problem?' This article was first published on 'Encrypted City'.