IMGCAP(1)]
Three undergraduate students at the Massachusetts Institute of Technology have found ways to add funds to fare cards from the Massachusetts Bay Transit Authority and a means to break into fare cards from transit systems around the world. The students, Russell Ryan, Zack Anderson and Alessandro Chiesa, were scheduled to present their findings Sunday to a computer hacking conference called Defcon in Las Vegas, but the Massachusetts Bay Transit Authority filed a lawsuit seeking to prevent them from presenting. The U.S. District Court, District of Massachusetts, granted a temporary restraining order on Saturday that prevents them from sharing information about the fare system. The Electronic Frontier Foundation, a San Francisco-based nonprofit organization that provides consumer advocacy regarding electronic issues, is representing the students in their legal case, Marcia Hofmann, a foundation staff attorney, tells CardLine. Besides their presentation, the students also gave the transit authority a risk assessment, Hofmann says. "We think it is a first-amendment issue; we think this is a prior restraint matter," Hofmann says. "This is definitely an unusual situation, and only rarely will courts gag someone before speech has occurred." The students did not give their presentation and are refraining from talking about it while the case is making its way through the courts, Hofmann says. Though the restraining order prohibits the students from sharing the information they found, the MIT student newspaper and other Web sites have published their work. The assessment for the authority recommends a central auditing system, encrypted digital signatures on fare cards and teaching the staff about physical security. The presentation shows vulnerabilities in the Massachusetts system and in other transit systems that use the same software platform, including those in Beijing, London, the Netherlands and Brazil. The Massachusetts Bay Transit Authority did not return messages seeking comment.
