India’s mass rapid transit systems — or metro, as it’s known locally — rely on commuter smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free.

Singh told TechCrunch he discovered the bug after inadvertently getting a free top-up on his metro smart card using an add-value machine at a Delhi Metro station.

The bug exists, Singh says, because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station add-value machine. He said that the lack of checks means a smart card can be tricked into thinking it was topped up even when the add-value machine says that the purchase failed. A payment in this case is marked as pending, and subsequently refunded, allowing the person to effectively ride the metro for free.
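The missing check described above can be illustrated from the operator's side. The following is an added example, not code from the article or from any metro operator's system: it gates a card credit on a confirmed payment and reconciles card credits against gateway records to flag top-ups that were never settled. The record layout, status names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class PaymentStatus(Enum):  # hypothetical gateway states
    SUCCESS = "success"
    PENDING = "pending"
    FAILED = "failed"
    REFUNDED = "refunded"

@dataclass(frozen=True)
class CardCredit:
    """A value write performed on a smart card by an add-value machine."""
    txn_id: str
    card_id: str
    amount: int  # rupees

def may_write_value(status: PaymentStatus) -> bool:
    """Gate for the add-value machine: credit the card only on a confirmed payment."""
    return status is PaymentStatus.SUCCESS

def reconcile(credits, payments):
    """Return (txn_id, reason) for every card credit without a settled payment.

    `payments` maps txn_id -> (PaymentStatus, amount) as reported by the gateway.
    """
    findings = []
    for c in credits:
        record = payments.get(c.txn_id)
        if record is None:
            findings.append((c.txn_id, "no payment record"))
            continue
        status, paid = record
        if not may_write_value(status):
            findings.append((c.txn_id, f"payment {status.value}"))
        elif paid != c.amount:
            findings.append((c.txn_id, "amount mismatch"))
    return findings

# Constructed sample data (not from the article).
CREDITS = [
    CardCredit("T1", "CARD-A", 200),
    CardCredit("T2", "CARD-B", 500),  # card credited while payment stayed pending
    CardCredit("T3", "CARD-B", 500),  # card credited, payment later refunded
    CardCredit("T4", "CARD-C", 100),  # no gateway record at all
]
PAYMENTS = {
    "T1": (PaymentStatus.SUCCESS, 200),
    "T2": (PaymentStatus.PENDING, 500),
    "T3": (PaymentStatus.REFUNDED, 500),
}

if __name__ == "__main__":
    for txn, reason in reconcile(CREDITS, PAYMENTS):
        print(txn, reason)
```

Running the reconciliation daily, well inside the 30-day refund window Singh mentions, would surface such credits before the refund completes.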

“I tried it on Delhi Metro’s system and was able to get a free recharge,” Singh told TechCrunch. “I still have to initiate a recharge by paying for it using PhonePe or Paytm, but because the recharge still remains pending, it will be refunded after 30 days. That is why it is technically free,” he said.

“If the technical infrastructure is the same in other state metro trains, then this bug will work there too,” Singh told TechCrunch.

Singh suggested that the smart card bug could be fixed if the metro systems migrate to DESFire EV3 cards.

Three DMRC spokespeople did not answer multiple emails seeking comment. When reached, a spokesperson for NXP (via agency) was unable to provide comment by the time of publication. Bengaluru Metro Rail Corporation, the body responsible for the city’s metro service, also did not comment.

India metro smart cards vulnerable to ‘free top-up’ bug by Jagmeet Singh originally published on TechCrunch