The Ins-and-Outs of MetroCard Gold

by blueski-mask and the wrapper

MetroCard Gold is a thin, plastic, credit-card-sized magnetic stripe card used in the New York City transit system.

It was first offered for sale on May 27, 1997, replacing the original (blue) card.  The Gold cards were introduced to provide free bus-bus, subway-bus, and bus-subway transfers (effective July 4, 1997), as they have the ability to store up to four free transfers.  MetroCard Blue can only store one.  The blue cards will be valid until the expiration date printed on the back of the card.  Current Transit Authority (TA) propaganda calls for tokens to be completely eliminated in 1998.

Free transfers are valid for two hours after a passenger boards a bus or passes the subway turnstiles and are only available using MetroCard - no paper transfers will be given.

To use multiple transfers, the card has to be used at the same station or bus.  First, swipe the card for as many passengers as are in your "group" (up to four).  If you try to use the card a fifth time, you will get a "transfer limit exceeded" message on the turnstile.  To transfer, swipe the card one time.  Transfers for your party of up to four will be granted in one fell swoop.

If you ride the bus and don't pay with MetroCard, you'll notice that the bus-to-bus transfer you'll be given is now a magnetic-paper transfer which gets inserted into the farebox like a MetroCard.  For more info on transfer details, check out: www.mta.nyc.ny.us/mtacc/demo/mcgtreng.htm

A passenger card looks like this:

The back of a MetroCard has printed on it:

  • The expiration date
  • A 6-digit batch number
  • A 10-digit serial number
  • Instructions for use
  • Customer service phone numbers

The front of a MetroCard has encoded on the magnetic stripe:

  • The expiration date
  • A 6-digit batch number
  • A 10-digit serial number
  • The type category of card (pre-encoded for $3, $6, $15, $40, or non-pre-encoded)
  • The current amount on the card
  • Date, time, and 4-digit location code of last use
  • How many times the card has been used
  • How many transfers are available

The printed information on the MetroCards is visible.  Internal informational material states that the card has a read/write magnetic stripe on it.  The Token Booth Terminal (TBT) displays the above categories when a card is dropped into the TBT box or swiped through the Passenger Information Unit (PIU).

How Is This Supposed to Be Used by Passengers?

Passengers can buy $3, $6, $15, and $40 pre-encoded cards.  These are wrapped in cellophane and have been encoded en masse and shipped to the booths (and other retail outlets).

Passengers can buy non-pre-encoded cards in any amount that they want, provided:

  • The amount is equal to or over $3.00.
  • The amount is a multiple of $1.50 or $5 but no larger than $80.

Passengers can add to previously-purchased cards, provided:

  • If the card amount is $0 to $1.49, the passenger can add enough value to equal one fare.
  • If the card amount is over $1.50, the previously listed rules apply except that the maximum value of any fare card is $100.
  • The amount brings the card to a multiple of $1.50.

How Does It Really Work?

Pretty much as stated above, except:

A card can be encoded for any amount between $5 and $80 (even in increments of $0.01, making possible such amounts as $5.01, $11.43, $22.99, $63.85, etc.).  This wasn't true for most of 1995 and 1996, but is now thanks to software "enhancements."

What Software Glitches Currently Exist?

Go back and re-read "How Does It Really Work?".

Other glitches (past and present) include:

A prohibition against multiple employees signing on at the same Token Booth Computer (TBC) used to exist.  If multiple employees attempted to sign onto the same TBC, the TBC would freeze and go back to the original sign-on prompt.  This problem was fixed late in 1994.  However, multiple employees in the same "category" (i.e., Main Clerk (responsible for booth), lunch relief, side window) cannot all operate the TBC at the same time - only the most recently signed-in clerk can operate the TBC.  That's why it's harder to get a MetroCard during shift changes - the guy counting the cash probably also has control of the computer.

The MetroCard Customer Service folks apparently cannot determine where, when, or by whom a card was "added-to."  This could provide some interesting possibilities.  There is some evidence that they can determine information on a card's first encoding.  However, initial information about MetroCard stated that all transactions would be recorded in sufficient detail in a central computer to allow for transaction tracing and problem resolution (and of course, fraud detection).

Although we don't yet have any further information concerning the "added-to" amount or location fields, at the beginning of 1997 about a dozen MTA employees were dismissed and criminal charges were brought against their relatives.  Employees apparently let relatives use their employee passes while the employees were at work.  Since most TA employees are at fixed work locations, or along a given subway line, repeated incidences of employee pass use in other areas of New York City were seen on the central computer, prompting the NYPD Transit Bureau to investigate.

Are There Any Potential Security Holes?

Access to a TBT

Um... well, we shouldn't be telling you this, but, um, hmm... if access to a booth with a TBT can be "arranged," a valid Employee MetroCard combined with knowledge of the appropriate PIN would allow encoding of almost infinite numbers and amounts of fare cards.

We estimate about 5000 current valid Employee MetroCards can be used at TBTs.  However, discovery would be quick, and invalidation of these cards would occur.  We believe that they could still be swiped at the PIU (Passenger Information Unit - the freestanding device that tells you how much is on the card) and mislead potential marks for con artists.  These "rubes" would then be persuaded to buy - at a deep discount - a $20, $50, or $80 card which would not work in a turnstile.

Potential for Lost or Misappropriated Employee Cards

ESPs will eventually be in the hands of all 40,000 NYCTA Employees as well as Metro-North, LIRR, SIRTOA, MABSTOA; however, most will be valid for transportation only.

Only some 3500 railroad clerks (RRCs) and 1000 station supervisors, managers, and superintendents will be able to encode fare cards.  Employee cards look just like the old blue MetroCards on the front, but they have the employee's photo and signature (along with other TA identifiers) on the back.

Duplicate Card Prevention - Truth or Fiction

There is some belief that cards can be duplicated and used.  Every indication short of an admission from a TA spokesperson suggests this.  Articles in The New York Times have stated that the serial number and value on a card are sent from the turnstile to the TBT to a central computer at TA Headquarters, 370 Jay Street, and if a second card with the same amount is used at a turnstile without an intervening add-on transaction, the card will be declared invalid.

However, if the central computer or TBT is down, turnstiles continue working (and store up to about 3000 swipes).  The "central computer check" apparently does exist, requiring a card counterfeiter to create only "one-fare" ($1.50 or $0.75 if senior citizen or disabled cards are duplicated) cards.

MetroCard Blue (the original) had an expiration date, but no "invalid before" date.  MetroCard Gold has a "Card Starts On" field as well as a "Card Expires On" field (as can be seen on the TBT screen).  It is highly likely that random combinations of "Card Starts On" and "Card Expires On" dates along with random serial numbers will not work, making duplicate cards even harder to produce.

Rumor

We've heard a rumor that a few vendors on a well-known cheap-electronics-goods thoroughfare downtown will put a single $1.50 fare on your MetroCard for as little as $0.25.  This is still under investigation...

Successful Hack

The only known (non-inside job) temporarily successful defeat of MetroCard security happened in March 1994.

Someone used a tape recorder to "record" a card's "sounds" on 8-track tape, cut the tape, glued it to a piece of cardboard or plastic, and successfully entered the station at 34th Street and 8th Avenue.

He was later arrested, allegedly because something suspicious showed up on the main computer at 130 Livingston Street, Brooklyn.  However, it is more likely that a sharp-eyed police officer noticed his use of an unorthodox-looking card and arrested him on the spot.

Clerk Screens and Strange Fields

There are a number of ways that a clerk can examine the information on a MetroCard.


TBT Screen for Regular Cards

Class Code is always either FULL FARE, PREVALUED, or READY FOR SALE.

The Error statements seen so far are:

  • No Error (0)
  • Read Error Fare Media Lifted During Read (15)
  • Invalid Class (45)

We're unsure of the meaning of Authority Control, but it sure sounds scary.

Last Use Place is a very interesting field, for the obvious reason - the TA can track MetroCard users!

And as of some time in 1998, you won't have an option... you'll have to use MetroCard!

We're trying to figure out what this code is.  To date, we've experimented - the place code is not turnstile specific.

Help us crack the code!  When you're down to one fare on your card, look for the booth number of the station you use the card in.  The most likely places for the booth information to be displayed are shown in the graphic below:

The booth number is the Y ### above the clerk's badge as shown in the graphic below:

Write the booth number on your card and send it to 2600 or bring it to a New York City 2600 meeting!


TBT Screen for As-Yet-Unsold Cards

Note that the Class Code changes.

The Period Expires on date is very odd.

Card Values

Blank, never-before-encoded cards may have any value of $0.01 and over put on them (up to $80.00).

Cards with money on them can have amounts between $0.01 and $80.00 added to them.  Note that most clerks will not add bizarre (non-multiples of $1.50) amounts to your card; their TBTs will allow them to do so, but they don't think they can!  Go ahead, ask them...  You can't ever have more than $100 on a MetroCard.

MultiCard Trade-in

Multicard trade-ins (transferring fares from more than one card to a new card) did not originally work.  This was fixed some time in 1995.  The new MetroCard Gold has a limitation - you can trade in up to a maximum of 10 cards.

Voided Transactions

If a customer changes their mind immediately after a transaction, the transaction can be voided and their money refunded.  If they were adding money to a zero-value card (card with $0.00 on it), that card can never be used again.

Technical Tidbits

Cubic Corporation designed the TBT software system.  Some software was also provided by IBM.

The original TBC was some sort of PC enclosed quite securely in a sturdy stainless steel housing.  Two Medeco locks provided TA Supervision and Cubic Technician access to various functions unavailable to the clerk.

The Technician's menu allows him to perform diagnostic checks.  The TA Supervisor's menu allows him to sign-on railroad clerks who do not have possession of their ESP.  The Supervisor's menu may allow for other functions but is not generally available for observation.

The TBC had an amber screen.  The keyboard was housed in the stainless steel cabinet.  The cables from the back of the box were standard.  The TBC communication port was very well secured.  It is unknown whether the TBC communicated via modem or network, although there are plans to have a dedicated fiber optic network between all TBCs and the central computer.

One of the best-known (to TA personnel) scams occurred when the RRC at the part time booth at Whitehall Street discovered which cable connected the TBC to the central computer.  He disconnected this cable but continued to sell MetroCards.  The card "creation" (or the addition of money to them) was unknown to the central computer.  However, the turnstiles interpreted these cards as legitimate, deducted one fare, let the passenger through, and sent the information to the computer at 130 Livingston Plaza.  This computer sent messages back to all TBCs and turnstiles that since the MetroCard had never been heard of previously, it was invalid.

The RRC in question pocketed plenty of cash for a time, but of course, people with $30 cards that only gave them one ride complained.  As far as we know, the clerk was allowed to resign in lieu of prosecution.  Perhaps the TA didn't want to give anyone ideas.
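
The central-computer check behind this story and behind "Duplicate Card Prevention" above, sketched as an added example.  This is not TA or Cubic code; the event format, field names, alert labels, and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

FARE = 150  # cents; the $1.50 fare quoted in the article

# Alert reasons (labels invented for this example)
UNKNOWN = "no encode on record for this serial"
MISMATCH = "balance on card differs from ledger (possible duplicate)"
DEAD = "card already invalidated"

@dataclass
class Event:
    kind: str    # "encode" = sale/add-on reported by a booth, "swipe" = turnstile entry
    serial: str  # 10-digit card serial number
    cents: int   # encode: amount added; swipe: balance read off the card before deduction

def reconcile(events):
    """Replay events in arrival order and return (index, serial, reason) alerts.

    Swipes are judged after the fact, as in the article: the turnstile has
    already let the rider through by the time the central ledger sees the event.
    """
    ledger, invalid, alerts = {}, set(), []
    for i, ev in enumerate(events):
        if ev.kind == "encode":
            ledger[ev.serial] = ledger.get(ev.serial, 0) + ev.cents
        elif ev.serial in invalid:
            alerts.append((i, ev.serial, DEAD))
        elif ev.serial not in ledger:
            # Whitehall Street case: the booth never reported this card
            invalid.add(ev.serial)
            alerts.append((i, ev.serial, UNKNOWN))
        elif ev.cents != ledger[ev.serial]:
            # Same serial showing a stale balance with no add-on in between
            invalid.add(ev.serial)
            alerts.append((i, ev.serial, MISMATCH))
        else:
            ledger[ev.serial] -= FARE
    return alerts

# Constructed sample stream (serials and amounts are made up)
SAMPLE = [
    Event("encode", "1000000001", 600),
    Event("swipe",  "1000000001", 600),   # legitimate ride, ledger now 450
    Event("swipe",  "1000000001", 600),   # stale balance -> MISMATCH
    Event("swipe",  "2000000002", 3000),  # never reported -> UNKNOWN
    Event("swipe",  "2000000002", 2850),  # second ride attempt -> DEAD
    Event("encode", "3000000003", 300),
    Event("swipe",  "3000000003", 300),
    Event("swipe",  "3000000003", 150),
]
```

Running reconcile(SAMPLE) flags events 2, 3, and 4 and leaves the third card alone.  Because the first swipe of an unreported card is only flagged after the rider is through, the sketch reproduces the "$30 card that only gave one ride" complaint.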

Standard PC reboot and control sequences were disabled from the TBC railroad clerk menu.  Many keys have no apparent functionality.

The TBCs have been replaced by TBTs (Token Booth Terminal).  The screen is thinner and independent of the CPU and keyboard.  The CPU and cables are almost completely armored.  The card swipe area, which used to be similar to those on turnstiles, has been replaced by a "drop box" like those on buses (yes, that's what those little holes are for).
