Researchers Corey Benninger and Max Sobell discovered the flaw on the Ultralight cards used by San Francisco' Muni rail and bus system and New York City's Path rail system, and have since then found out that there are other U.S. NFC transit systems that use the same type of card and are possibly susceptible to this type of exploit.
The flaw can currently be exploited only on the disposable paper tickets that are set to be used for a predetermined number of rides.
By using a NFC-enabled phone and a specially developed Android app that allows them to copy the data from new tickets, then copy that data back on "expired" tickets thus making them "new" again, the researchers have developed a simple way for hackers to get as many free rides as they want.
Fortunately for the transit systems mentioned by the researchers, the app is not available for download. Intrepidus Group has only released an app that can scan the data from this type of tickets and tell users if the transit system issuing them is vulnerable to the exploit.
In the meantime, they have also informed the operators of the two aforementioned vulnerable transit systems about the flaw and instructed them on how to fix it.
"We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future," the researchers say.
"One of the items we also raised in our talk is that full card emulation on smartphones is likely to happen soon. When this does, it could cause a number of NFC based access control systems to be re-evaluated."