August 19, 1997
To the Editor of the Boston Globe:
This communication is in response to the August 13, 1997 Boston Globe article on page B3
entitled "T Officials Keep Eye Out For Pass Interference" by staff member Peter J. Howe.
In it, there is much misinformation that has been perpetrated by the MBTA and the Boston
Globe that I would like to expose.
1. The following points consist of out-of-context, erroneous and irresponsible reporting:
- Mr. Howe incorrectly interpreted material from the New York Times article printed
August 11, 1997 entitled "What Galls a Hacker Most? The Metrocard". In the Globe
article, Mr. Howe writes: "...a Boston-area hacker nicknamed Kingpin who claims to have
beaten the T and now wants to crack the Metrocard because, he said: 'It's New York, it's
big, and it's expensive'." The article is focused on fraudulent counterfeiting of MBTA T
passes, which I have no desire to do, and I feel that I have been portrayed as a criminal.
If Mr. Howe had communicated directly with me, I would have explained that I was talking
about WHY people might want to defraud the New York City Metrocard. I have absolutely no
interest in abusing the Metrocard system, as he claimed. My interest is solely an
intellectual one: to understand how the technology operates. As a result, I have found
that Boston's MBTA card system is not secure and by having "beaten the T", I have
discovered some of its flaws and vulnerabilities, not abused the system.
- "Over the weekend, more than a thousand computer hackers...met in New York to trade
notes on efforts to beat a $700 million fare collection system..." Mr. Howe was unaware
that this New York City conference, known as "Beyond HOPE: Hackers on Planet Earth",
consisted of dozens of technical seminars and demonstrations of computer security topics
and vulnerabilities. Officials from numerous government organizations and large
corporations attended, as well as thousands of computer and electronics enthusiasts from
around the world. The seminar on Metrocards was one of many various seminars; it was
not a conference based specifically on Metrocard hacking. If Mr. Howe had properly
researched the topic, he would have obtained first-hand information from those who
attended the conference. Unfortunately, this was not done, and the reputability of the
Boston Globe has been challenged.
The Boston Globe and MBTA are attempting to delude the public, trying to make them
believe that they have a "fraud-proof" system when, in fact, they do not. The MBTA card
system has numerous security vulnerabilities which should be recognized and challenged
by the MBTA, instead of relying on a 17-year-old outdated system.
2. The insert article, "Frustrating Hackers", mentioned a number of "security precautions"
that are "aimed at preventing high-tech fraud". None of these items leads to significant
security, nor will they prevent a dedicated person from counterfeiting a card:
- "Forging a card that can fool the computerized pass reader into releasing the turnstile is a far more difficult challenge, requiring that someone obtain a special kind of magnetic tape and the expensive equipment needed to encode the right data on it." The MBTA must face the truth that the T pass is not secure simply by using expensive equipment. Obtaining the correct equipment is trivial, and anyone with the proper knowledge and determination could build their own.
- "The magnetic strip requires special recording machines. Only a few companies sell the material, primarily to transit systems, so a hacker would have to steal the strip material". This information lulls the MBTA into a false sense of security. Finding high-coercivity magnetic tape, the material used in magnetic strip applications, is no harder than flipping through the Yellow Pages. Samples and small quantities of this product can easily be obtained by anyone. The MBTA is not unique in using magnetic strips and must realize that their system can be compromised. Hackers like myself should be the least of the MBTA's worries, and should not be condescendingly portrayed by the media as criminals who are simply looking for a free train ride.
- "Bank-card encoders can't write fraudulent T pass data because the information tracks on a T pass are in a different alignment from a credit card or ATM card." The T pass may not be a 2- or 3-track system like ATM and credit cards but the 1-track MBTA card data has already been read and written with a standard magnetic strip reader and encoder by myself and possibly others.
I was extremely disappointed in the quality of this article. It is irresponsible and erroneous to take words and events out-of-context. I expected to find more accurate reporting from such a widely-read newspaper.
Kingpin
Boston