Not so long ago, a Nanyang Technological University (NTU) student managed to hack Kopitiam cards. Now another former NTU computer science student has done the same, raising more questions about the security of stored value cards.
The student, Alex Quek Wei Kai, 29, hacked 121 stored value cards and made purchases with them. Later he sold the cards online for S$7,753. He pleaded guilty and received a five-month jail sentence under the Computer Misuse and Cybersecurity Act on July 22.
Cards Modified to Pay for Food, Drinks
The story of Quek is woefully similar to that of another hacker, Tee Chin Yue. Like Tee, Quek started off modifying stored value cards as a first-year student in 2015. While he was staying in the NTU residential halls, one of his neighbors asked him if he could modify a card so that it could pay for air-conditioning services in their rooms and be used even without a top-up. Students get a pre-paid stored value card, which they need to top up to pay for certain services.
Quek downloaded specialized software and used it to retrieve information from two cards. It was not too difficult for him to modify the details. The 29-year-old Singaporean then used the details to overwrite a low-value card to S$50.
He was successful, and while he could not use the card to pay for his own room's air-conditioning as it was faulty, Quek realized he could use the hack to his advantage on other value-add cards such as Kopitiam cards. Both cards use the same contactless, or near-field communication (NFC), method to make payments.
Although Quek did manage to modify two Kopitiam cards, which he received from relatives, to pay for such services and lent them to his friends, an updated encryption system forced him to take another route. The Singaporean altered the internal card numbers, but that too failed.
However, he eventually succeeded after getting his hands on a specialized card from the Taobao marketplace. Using that card, he could modify the unique identification numbers of the cards, and he paid for food, drinks, cigarettes and parking fees.
In 2017, Quek started selling such altered cards on the Carousell marketplace, changing the value of each card to S$100 and advertising them for S$55 to S$70 each. Between May and July 2017, he sold 121 such cards to 24 people. But his luck ran out.
A Kopitiam staff member noticed the suspicious transactions and informed the authorities, who captured Quek on CCTV footage. He stopped when his friends informed him that his photograph had been put on display in Kopitiam outlets. He was finally arrested on July 25, 2017.
The story sounds familiar because another ex-NTU student was also arrested on similar charges. Tee Chin Yue, who was pursuing a computer engineering degree, began by hacking the cards for air-conditioning service and later applied the same method to modify four Kopitiam cards 137 times to purchase food, drinks and cigarettes worth S$12,000.
Later, Tee topped up 186 SIM cards for $34,000 using those cards. The Malaysian national received a 10-month jail term. He did, however, reveal that he had a solution to fix the loophole.
Poor Security in NFC Cards
Contactless card payments are becoming popular. With the coronavirus pandemic, such methods are becoming even more prevalent as a way to avoid contact and contracting the virus. But the risk is that such contactless cards use the NFC method, which is known to be vulnerable to hacking.
Cards with NFC technology work similarly to RFID (radio-frequency identification) cards, which are used to gain access to doors and specific areas. NFC technology relies on wireless signals to accept payments, and any unsecured connection can be intercepted and exploited.
Hackers can gain access to sensitive information stored on the card and, in some cases, also modify it. Using modified terminals, data stored on the card can be accessed even if it is kept in a locker. Hence, many NFC cards these days use an EMV chip to secure the connection while making payments.