For two months, the husband and wife who are in their 40s used the cards illegally to pay tolls and make over-the-counter purchases, until they were arrested the night of 22nd Feb. Petaling Jaya OCPD Assistant Commissioner Mohd Zani Che Din said they arrested the couple at their home in Kota Damansara and seized their 12 TnG cards, a laptop, smartphone, iPad, and one SmartTAG.
Huhh? TnG card so easy to hack ke? How did they do it?
All they used was an Android smartphone…
And an app that uses Near Field Communication (NFC) technology. iPhone kenot meh? Well, old models cannot, so only iPhone 6 and iPhone 6 Plus has NFC, anything iPhone 5S and older don’t have. But not ALL Android phones support NFC also. Depends on which model.
NFC (not to be confused with the Shahrizat NFC scandal) is a wireless technology that allows small amounts of data to be exchanged between two electronic devices that are within range of each other (4cm and less). Think of it as something like Bluetooth, but different. One device is your card, the other is the reader. If you put them close together, *beep beep*, information is exchanged.
Here’s how NFC technology can be used:
Ok we’ll try our best to explain how this works. The Star reported that the couple used an Android phone and installed an NFC app. With this app, the phone can act as a reader and you tap a card on it (just like how you beep your card at tolls), then it can read the information inside the card. Watch this demo.
Of course, none of the reports mention the name of the app OR exactly how the couple cracked the encryption… coz duhh, worried about copycats! CILISOS oso dunno the details of how the Malaysian couple did it, but what we know for a fact is they sourced the app from an online forum, according to the cops.
“We are looking into this online forum as well.” – OCPD Assistant Commissioner Mohd Zani told The Star
However, we can show you how hackers from another country did it with the SAME TOOLS! In Chile, their version of TnG cards is the Tarjeta BIP! card. So on 16 Oct 2014, the very first widely-available app for Android appeared, allowing users to top up their cards with 10k Chilean pesos (RM59.85)…….for FREE!!
All they had to do was install the Punto BIP! app on an Android phone with NFC function, tap the card to the phone, and then to push the “Cargar 10k” button, which means “Refill the card with 10k”. Jeng jeng jenggggg!
Super easy right? For those of you getting ideas, don’t bother – this app is specifically for Tarjeta BIP! cards not TnG cards, plus it’s in Spanish.
On Lowyat forum, people said information is stored in the TnG card AND the server. So as long as there is a difference between your card and the server, the card will be blacklisted. Perhaps that’s how the couple got caught.
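Here is the card-versus-server check the forum posters describe, as an added example (not TnG's actual system or code from any report). It assumes a hypothetical back end that keeps its own ledger per card and sees every reload and tap in order; the card IDs, amounts and event format are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    card_id: str
    kind: str          # "reload" = top-up recorded by an authorised terminal; "tap" = card used at a reader
    amount_sen: int    # reload amount, or fare charged on a tap
    card_balance_sen: int = 0  # balance the card itself reported at the tap, before deduction

def reconcile(opening, events):
    """Replay events against the server's own ledger.

    Returns (blacklist, server_balances). blacklist maps card_id to the
    card-reported balance minus the server balance at the first mismatch.
    """
    server = dict(opening)
    blacklist = {}
    for ev in events:
        if ev.card_id in blacklist:
            continue                      # blocked cards are rejected, never charged
        if ev.kind == "reload":
            server[ev.card_id] += ev.amount_sen
        elif ev.kind == "tap":
            diff = ev.card_balance_sen - server[ev.card_id]
            if diff != 0:                 # card and server disagree
                blacklist[ev.card_id] = diff
                continue
            server[ev.card_id] -= ev.amount_sen
    return blacklist, server

# Constructed sample data (not real card numbers or transactions).
OPENING = {"CARD-A": 1000, "CARD-B": 500}
EVENTS = [
    Event("CARD-A", "tap", 250, 1000),
    Event("CARD-A", "reload", 2000),
    Event("CARD-B", "tap", 200, 500),
    Event("CARD-A", "tap", 300, 2750),
    Event("CARD-B", "tap", 200, 10300),   # balance jumped with no reload on record
    Event("CARD-B", "tap", 200, 10100),   # already blocked
]

if __name__ == "__main__":
    flagged, balances = reconcile(OPENING, EVENTS)
    print("blacklisted:", flagged)
    print("server balances:", balances)
```

CARD-A's reload went through an authorised terminal, so the server expects the higher balance; CARD-B's extra RM100 has no matching reload record, so it gets flagged on the very next tap.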
What they did goes against the Computer Crimes Act 1997. OCPD Asst Comm Mohd Zani said they would be investigated under Section 4 (1)(a), which means they could be jailed up to 10 years, or fined up to RM150,000, or both. In comparison, the punishment of ordinary theft in the Penal Code is 7 years jail, or RM10,000 fine, or both.
And y’know, this is not the first crime that happened with Touch ‘n Go
In all stored-value cards and payment systems, there will be irresponsible people who tamper with technology so they can cheat, especially since technology keeps evolving, said TnG. We found a few cases, but we’ll just highlight two here la:
In 2005, two guys running an illegal TnG reload scam were caught when their customer accidentally exposed them. The syndicate offered cheap reload at 30% discount. After reloading through them, the customer’s card got blocked by TnG at a toll booth. When he asked TnG to clarify what happened, he was shocked to learn his card balance was fake. Then, TnG and the cops set a trap and ambushed the syndicate, seizing 1,163 TnG cards from their car.
Another time was 2009 when police caught a chicken rice seller for possessing 17 fake TnG cards. He knew they were fake, but tried to use them dishonestly as real ones.
TnG warned people tho that if they try to hack cards and reload them illegally, they WILL get caught:
“Touch ‘n Go systems are being constantly upgraded and those attempting to cheat will get caught.” – TnG CEO Syahrunizam Samsudin on paultan.org
Alamak! How!? Will it affect other TnG users?
Especially now that Malaysia is moving towards a cashless society. By the end of the year, 21 highways in the Klang Valley are going cashless and TnG is pushing for cashless technology in retail. Maybe one day we’ll be walking around without wallets. To date there are more than 13 million cards in Malaysia aldy. That’s A LOT of cards and people at risk wei.
TnG assured there is no risk of hacking incidents affecting other cards la, but scams can affect innocent Malaysians in other ways – if an illegal reload is detected, the person’s card and all its balance will be forfeited and forwarded to the authorities for investigation according to their FAQ page. But what if that person was a victim who reloaded without knowing it is an illegal syndicate?
So protect yourself this way…
1. Only buy ORIGINAL cards from TnG Hubs, TnG SPOTs at petrol stations, TnG Sales Counters located at highways, LRT stations and third party agents. Click here to find a location near you.
3. Always ask for RESIT when you buy a new card or reload. The receipt will show your new balance and your account balance. Additionally, if there is some problem with the card, the receipt is vital for TnG’s investigation.
5. Buy protection!! Imagine in a crowded place, someone with an NFC phone in their pocket brushes against you where your wallet and cards are…that phone can steal data such as account numbers. In fact, your own phone could steal data from your own card if they’re in the same pocket. It’s like wireless pickpocketing! Watch this demo to understand how it works. So you can buy NFC blocking sleeves to slot each card in, or NFC blocking wallets.
Lastly, if you see any ‘funny business’, you can report to TnG at [email protected] or call their careline.