This Smart Card Bug Gives Free Metro Ride, But What’s The Catch?
A smart card bug in Delhi Metro allows anyone to travel on the metro for free
India's mass rapid transit systems, or metros, which depend largely on commuter smart cards, have made headlines over a smart card bug that is open to exploitation and allows anyone to effectively travel for free.
Security researcher Nikhil Kumar Singh has brought to light this smart card bug, which affects Delhi Metro's smart card system. The researcher revealed that the bug exploits the top-up process and permits anyone to recharge the Metro's smart card as many times as they want. Singh added that he discovered the bug after inadvertently getting a free top-up on his metro smart card while using an add-value machine at a Delhi Metro station. According to Singh, the main reason for the bug is that the metro recharge system does not properly verify payments when a traveler credits a metro smart card using a station add-value machine. He further added that the lack of checks means a smart card can be tricked into thinking it was topped up even when the add-value machine says that the purchase failed. The payment in this case is marked as pending and subsequently refunded, allowing the person to effectively ride the metro for free.
"I tried it on Delhi Metro's smart card system and was able to get a free recharge," Singh said, continuing, "I still have to initiate a recharge by paying for it using PhonePe or Paytm, but because the recharge still remains pending, it will be refunded after 30 days. That is why technically it can be considered a free ride." He has also shared a proof-of-concept video, recorded in February, showing how smart cards give a free metro ride. After gaining a better understanding of the bug, the researcher reached out to the Delhi Metro Rail Corporation (DMRC) a day later. In response, the DMRC asked for an email detailing the bug, which he sent. On March 16, Singh received a boilerplate reply acknowledging receipt of his email, but he did not receive any further responses.
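The flaw reported above is a card being credited while its payment is still pending or has failed. As an added illustration (not DMRC's code or the researcher's; the record fields, state names and function names are assumptions), this example credits a card only for a settled payment and flags credited top-ups whose payment was not kept:

```python
from dataclasses import dataclass
from enum import Enum


class PaymentState(Enum):          # hypothetical states from a payment provider
    PENDING = "pending"
    SUCCESS = "success"
    FAILED = "failed"
    REFUNDED = "refunded"


@dataclass
class TopUp:                       # hypothetical top-up record
    txn_id: str
    card_id: str
    amount: int                    # rupees
    payment: PaymentState          # state reported by the payment provider
    credited: bool = False         # True once value was written to the card


def apply_top_up(balances: dict, top_up: TopUp) -> bool:
    """Write value to the card only for a settled payment, and only once."""
    if top_up.payment is not PaymentState.SUCCESS:
        return False               # pending, failed or refunded: never credit
    if top_up.credited:
        return False               # idempotent: a retry must not credit twice
    balances[top_up.card_id] = balances.get(top_up.card_id, 0) + top_up.amount
    top_up.credited = True
    return True


def reconcile(top_ups: list) -> list:
    """Return txn ids where a card was credited but the payment did not settle."""
    return [t.txn_id for t in top_ups
            if t.credited and t.payment is not PaymentState.SUCCESS]


def run_demo():
    # Constructed sample records, not real transit data.
    sample = [
        TopUp("T1", "CARD-A", 200, PaymentState.SUCCESS),
        TopUp("T2", "CARD-B", 500, PaymentState.PENDING),
        TopUp("T3", "CARD-C", 100, PaymentState.REFUNDED, credited=True),
    ]
    balances = {}
    results = [apply_top_up(balances, t) for t in sample]
    return balances, results, reconcile(sample)


if __name__ == "__main__":
    print(run_demo())
```

Record T3 models a credit already written before the payment was refunded, which is the case the reconciliation pass exists to surface.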