Loophole in Clipper Card System Allows For Card Theft

Clipper Card Image from clippercard.com

Background

In March, 2017, over 900,000 unique Clipper cards were used to get around the Bay Area with an average of more than 800,000 fare payments each weekday. Clipper cards which utilize NFC technology allow users to simply load money onto their card via one of their many payment machines or through their website if the card is registered. Registering a card provides a cardholder several useful features such as autoloading money and reporting a lost/damaged/stolen card for replacement.

However, despite the usefulness of registering a card, the number of registered Clipper cards has been dropping off for sometime as many cardholders decide to instead use their card anonymously. According to a report from the MTC commitee, the percentage of registered cards dropped from 77% to 43% from 2010 to 2011, and it’s very likely that number has only declined further since then.

The Loophole

Clipper Card

Here I demonstrate a loophole in the Clipper card system that allows someone with malicious intent to easily steal unregistered cards:

  1. Find the serial # of an unregistered card with balance over $5
  2. Register the card to your account
  3. Report the card as lost/damaged/stolen and request a replacement card with balance restoration

After reporting a card as lost/damaged/stolen, that card is blocked at midnight on the day you report it and a new card is shipped to you within two business days. Note that the balance of the card must be greater than $5 and there is a $5 card replacement fee. And…that’s it! You’ve essentially rendered the cardholder’s card useless and now have possession of a shiny new Clipper card with their balance.

The root of this loophole stems from the fact that anyone can register an unregistered card without any verification of ownership – all you need is the card’s 10 digit serial number which can be found on the card itself. Besides reporting the card as lost/damaged/stolen, you can also cancel the card to receive a full refund or even view transaction history on the card.

Finding Unregistered Cards

Clipper Card Demo of script in action (serial #’s censored for obvious reasons)

With some simple code, this whole process can be automated by iterating through 10 digit serial numbers and checking if the card with that serial number can be registered to your account (if it’s already registered, it will inform you of this). Another method is to utilize their “Add Value to Card” feature which allows you to add money and view the balance on unregistered cards. Using this endpoint, I managed to programmatically iterate through thousands of serial numbers within seconds and display unregistered cards and balances; these are all cards vulnerable to the loophole outlined above. Similarly, the process of registering these cards and reporting them as lost/damaged/stolen can be automated just as easily.

The Fix

The most logical fix to this problem would be to have card registration mandatory before the card is activated. An alterative would be to include a hard-to-guess token on the card that is required as part of the registration process if the cardholder decides to do so. However, for the time being, I believe the most practical fix for existing unregistered cards would be to bring awareness to the issue and encourage cardholders to register them online.

This article is purely for educational purposes and no Clipper cards were stolen during the production of this piece.

Home ·
Built with Jekyll & The Plain © 2017 Zaytoun