How did this Malaysian couple hack a dozen Touch ‘n Go cards?!

A modern-day Bonnie and Clyde couple has been caught – except instead of robbing people of physical money, those two hacked A DOZEN Touch ‘n Go cards, spending up to RM20,000.

For two months, the husband and wife who are in their 40s used the cards illegally to pay toll and over-the-counter purchases, until they were arrested the night of 22nd Feb. Petaling Jaya OCPD Assistant Commissioner Mohd Zani Che Din said they arrested the couple at their home in Kota Damansara and seized their 12 TnG cards, a laptop, smartphone, iPad, and one SmartTAG.

hacking couple stuff Image from Harian Metro
Stuff that was confiscated from the couple’s house. Image from Harian Metro

Huhh? TnG card so easy to hack ke? How did they do it?

 

All they used was an Android smartphone…

And an app that uses Near Field Communication (NFC) technology. iPhone kenot meh? Well, old models cannot, so only iPhone 6 and iPhone 6 Plus has NFC, anything iPhone 5S and older don’t have. But not ALL Android phones support NFC also. Depends on which model.

NFC (not to be confused with the Shahrizat NFC scandal) is a wireless technology that allows small data to be exchanged between two electronic devices, which are within range of each other (4cm and less). Think of it as something like Bluetooth, but different. One device is your card, the other is the reader. If you put them close together, *beep beep*, information is exchanged.

Here’s how NFC technology can be used:

NFC near field communication Image from digitaldealer.com.
Amazing how technology has made life so convenient. Image from digitaldealer.com

Ok we’ll try our best to explain how this works. The Star reported that the couple used an Android phone and installed an NFC app. With this app, the phone can act as a reader and you tap a card on it (just like how you beep your card at tolls), then it can read the information inside the card. Watch this demo.

touch n go card and reader toll Image from hype.my and screenshot from Chung Kin Lim's video on YouTube.
Image from hype.my and screenshot from Chung Kin Lim’s video on YouTube. Click to watch the video

So, the couple managed to crack the encryption to change the value inside the TnG cards. Then they ‘reloaded’ RM1,500 into each card. Memang all TnG cards’ limit is RM1,500.

Of course, none of the reports mention the name of the app OR exactly how the couple cracked the encryption… coz duhh, worried about copycats! CILISOS oso dunno the details of how the Malaysian couple did it, but we know for a fact is they sourced the app from an online forum, according to the cops.

“We are looking into this online forum as well.” – OCPD Assistant Commissioner Mohd Zani told The Star

However, we can show you how hackers from another country did it with the SAME TOOLS! In Chile, their version of TnG cards is the Tarjeta BIP! card. So on 16 Oct 2014, the very first widely-available app for Android appeared, allowing users to top up their cards with 10k Chilean pesos (RM59.85)…….for FREE!!

All they had to do was install the Punto BIP! app on an Android phone with NFC function, tap the card to the phone, and then to push the “Cargar 10k” button, which means “Refill the card with 10k”. Jeng jeng jenggggg!

chile card hacking NFC phone app Image from securelist.com.
“Cargar 10k” means “Refill the card with 10k” (Chilean pesos). Image from securelist.com

Super easy right? For those of you getting ideas, don’t bother – this app is specifically for Tarjeta BIP! cards not TnG cards, plus it’s in Spanish.

On Lowyat forum, people said information is stored in the TnG card AND the server. So as long as there is a difference between your card and the server, the card will be blacklisted. Perhaps that’s how the couple got caught.

What they did goes against the Computer Crimes Act 1997. OCPD Asst Comm Mohd Zani said they would be investigated under Section 4 (1)(a), which means they could be jailed up to 10 years, or fined up to RM150,000, or both. In comparison, the punishment of ordinary theft in the Penal Code is 7 years jail, or RM10,000 fine, or both.

 

And y’know, this is not the first crime that happened with Touch ‘n Go

Screenshot of The Malaysian Insider article touch n go scam fake card
Screenshot of The Malaysian Insider article

In all stored-value cards and payment systems, there will be irresponsible people who tamper with technology so they can cheat, especially since technology keeps evolving, said TnG. We found a few cases, but we’ll just highlight two here la:

In 2005, two guys running an illegal TnG reload scam were caught when their customer accidentally exposed them. The syndicate offered cheap reload at 30% discount. After reloading through them, the customer’s card got blocked by TnG at a toll booth. When he asked TnG to clarify what happened, he was shocked to learn his card balance was fake. Then, TnG and the cops set a trap and ambushed the syndicate, seizing 1,163 TnG cards from their car.

Another time was 2009 when police caught a chicken rice seller for possessing 17 fake TnG cards. He knew they were fake, but tried to use them dishonestly as real ones.

TnG warned people tho that if they try to hack cards and reload them illegally, they WILL get caught:

“Touch ‘n Go systems are being constantly upgraded and those attempting to cheat will get caught.” – TnG CEO Syahrunizam Samsudin on paultan.org

 

Alamak! How!? Will it affect other TnG users?

people queue lining up to get Touch n Go card Image from The Star
People queuing up to get TnG cards. Image from The Star

Especially now that Malaysia is moving towards a cashless society. By the end of the year, 21 highways in the Klang Valley are going cashless and TnG is pushing for cashless technology in retail. Maybe one day we’ll be walking around without wallets. To date there are more than 13 million cards in Malaysia aldy. That’s A LOT of cards and people at risk wei.

TnG assured there is no risk of hacking incidents affecting other cards la, but scams can affect innocent Malaysians in other ways – if an illegal reload is detected, the person’s card and all its balance will be forfeited and forwarded to the authorities for investigation according to their FAQ page. But what if that person was a victim who reloaded without knowing it is an illegal syndicate?

 

So protect yourself this way…

1. Only buy ORIGINAL cards from TnG Hubs, TnG SPOTs at petrol stations, TnG Sales Counters located at highways, LRT stations and third party agents. Click here to find a location near you.

2. Reload at legit TnG partners only. There are over 9,000 locations nationwide and you can find them here or check out the chart below. To know which operator charges for reload, click here.

touch n go reload locations Chart from TnG Facebook
Chart from TnG Facebook

3. Always ask for RESIT when you buy a new card or reload. The receipt will show your new balance and your account balance. Additionally, if there is some problem with the card, the receipt is vital for TnG’s investigation.

touch n go card receipt Image from
Image from rilek1corner.com

4. Register your card here or call their Careline Centre (03-2714 8888), in case it gets lost or stolen, you can claim refund.

5. Buy protection!! Imagine in a crowded place, someone with an NFC phone in their pocket brushes against you where your wallet and cards are…that phone can steal data such as account numbers. In fact, your own phone could steal data from your own card if they’re in the same pocket. It’s like wireless pickpocketing! Watch this demo to understand how it works. So you can buy NFC blocking sleeves to slot each card in, or NFC blocking wallets.

NFC RFID block protection sleeve
Click to buy NFC blocking sleeves on Amazon

Lastly, if you see any ‘funny business’, you can report to TnG at [email protected] or call their careline.

 

nah read more ugaiz

NAH, BACA:
4 latest scams that PDRM is warning the public against
About New Jo-Lyn 330 Articles
They see me Jolyn, they hatin' (Just kidding. My colleagues made me write this).