British Columbia

Compass tickets reprogrammed by hackers, TransLink confirms

A handful of hackers are using their smartphones to reprogram Compass tickets and gain free access at fare gates, TransLink has confirmed.

Single-use compass tickets can be reprogrammed using a smartphone app

TransLink recently closed all its fare gates, requiring all SkyTrain riders to tap in and out at the stations. (CBC)

A handful of hackers are using their smartphones to reprogram Compass tickets and gain free access at fare gates, TransLink has confirmed.

But the number of incidents is so low the transit authority is not concerned, says spokesman Chris Bryan.

"It is an issue that we are aware of and we have been aware of for some time. It affects a very small number of tickets," he said.

Since December, hacked tickets have been detected 35 times, for a total loss of about $100 to $150, says Bryan.

He notes the hack does not work on the multi-trip Compass Cards, only on the single-use disposable tickets.

"It is quite a small issue ... if we find that it is ramping up or becoming more frequent then we'll have to address that."

Alerted immediately

The hack involves using smartphone apps to reprogram the NFC computer chip embedded inside single-use Compass tickets. Similar chips are used to allow credit cards to tap payments.

But once the tampered ticket is used, it is immediately detected by TransLink and cancelled, says Bryan

"We are able to see as soon as someone tampers with a ticket. It shows up on our system and is flagged, and we are able to kill the ticket."

That means the hackers would have to use a second ticket to exit the station, he says.

"You would have to buy an exit ticket for $5.50, or you could be stopped by one of our transit police officers. You could be subject to a $170 fine."

But Bryan was not able to rule out the possibility that the hackers could reprogram another expired ticket to exit the station, and he could not say if anyone had actually been caught with a hacked ticket.

Hack first uncovered in 2012

Bryan notes the same type of tickets are used on transit systems around the world with minimal impact from the hack.

The hack was first revealed by security experts in 2012, who showed how it could be used on some U.S. subway systems. Since then it has reportedly been used on systems around the world. 

NDP MLA Harry Bains says he sent the government a letter with his concerns in November 2012 and nothing was done.

"They never replied to me. They never denied. The only thing I recall them saying is, 'Don't worry about it. They will fix it. That was old technology. We will use new technology.'"

On Thursday the minister responsible for TransLink, Peter Fassbender, said despite the hack the compass card system was still effective at reducing fare evasion.

"I am convinced that fare evasion is going down dramatically," said Fassbender.

"There are hackers out there that are consistently looking to hack into systems. I suspect people will continue to try. Our expectation is that they have protocols in place and as soon as they identify it, they fix it."

With files from Richard Zussman

ABOUT THE AUTHOR

Mike Laanela is an online journalist with CBC News in Vancouver.