
Fare Hacking on BART - brenns10
http://brennan.io/2016/07/23/bart-fare-hacking/
======
namuol
Clever, but I hear it's pretty easy to just hop over the BART railings.

~~~
tibbetts
And if you look respectable you can get away with it. Life hack!

~~~
hansfr
And when the BART starts breaking down and looking shitty, we'll know to blame
you guys for not paying for it.

~~~
spike021
It's already pretty shitty. Have you tried traveling from downtown SF through
the Mission stops? The tunnel is incredibly loud with screeching/scraping
noises, and it's been that way a long time, apparently a product of how the
rail is designed.

------
arnonejoe
Another Bart hack; If you fly in to SFO and don't mind walking a few blocks to
the San Bruno Bart station you can save about $4.60 each way. For some reason
the SFO stop costs a lot extra. The easiest way is to continue on the sky tram
to the rental car place. When you get off its a quick half a mile walk over
San Bruno ave to Huntington.

~~~
areyousure
If you ask Google maps for walking directions from the rental car station to
Bart, it says it's 1.9 miles and 39 minutes. Presumably there are significant
shortcuts one can make?

~~~
benchtobedside
Even if you took every shortcut, you're still looking at least 1.5 miles walk,
and a good 40-60 minutes for that $4.60 savings.

------
hiou
When you are some kid in their parents basement and figure out ways to scam
money from public transit you are rebelling as a natural part of childhood.

When you are a well skilled and very well payed employee of a high profile
tech company you are essentially having fun at the expense of the public
servants who work(for a lot less money) to provide essential services to the
public.

Maybe those reading this can take this as a lesson in tone and tact.

~~~
zodiac
> you are essentially having fun at the expense of the public servants

The author never actually went out and fraudulently saved money by
implementing his idea, so I fail to see how his actions are "at the expense of
the public servants". To quote him,

> One final note before I dive in: this algorithm is essentially large scale
> ticket swapping, which is obviously illegal and unethical. I don’t believe
> that it would be ethical to use this in the real world. I value safe and
> smooth travel more than I value the 20-40% of my fare I could save by
> stealing from

~~~
gpvos
I think he shouldn't have made the source available. Now it's really only the
(apparent?) uncloneability of the Clipper cards that stops someone.

~~~
nickff
I am of the view that anyone who finds an exploit should (generally) do what
they feel would have the best result. This would incentivize organisations to
create payouts (prizes) for non-public exploits, and it would allow concerned
citizens to force a change from generally unmovable bureaucracies.

~~~
uola
This is just the latest justification among security people to not having
acknowledge their own incompetency in things like risk management. Since when
was "doing what you feel" considered a reasoned solution? Many times these
things aren't even weaknesses as such, just loose tolerances in the system and
exposing them under great fanfare just making the system less flexible. Which
is pretty ironic if you think about it.

------
musesum
Was trying to think of a real world problem that this could solve. Basically
you want multiple entities to peform tasks for each other (tagging) at
multiple destinations at a minimal cost.

One possibility is the taxi/uber/lyft hailing problem. Instead of stations,
you have rider and car locations. Time and distance is the ticket cost.

------
endophage
Of course the discount would only apply only as long as BART doesn't realize
people were doing it, at which point they would likely just increase all fares
to a flat rate (like Muni) of "a little more than $7" :-P

------
thereisnospork
Although I don't know if there is a time limit, it is possible to exit the
same station as you enter for no fee with the standard BART card. e.g. in case
you realize you've forgotten something in your car after you pass the
turnstiles. Therefore it should be possible to save 100% of fares for people
leaving/arriving at opposite stations, respectively.

System-wide savings would then be proportional to directionality on a station
by station basis - optimizing by zeroing out trips by longest first.

Dunno if this works with the clipper cards though, so everyone might need a
magnetic card writer and blanks...

~~~
jaredsohn
If you enter/exit via the same station, BART charges $5.75 (Search for
'excursion' at
[https://www.bart.gov/guide/faq](https://www.bart.gov/guide/faq)) unless you
talk with a Station Agent.

I've never understood why they charge this fee when it would be possible to
get a lower fare by going a station further, exiting, and entering again but I
haven't had a problem if I talk with the Station Agent.

~~~
bhahn
Presumably they charge the fee because it would be inconvenient and time-
consuming for at least some to take a train a stop, exit, re-enter and take
the train back for a few bucks.

------
lelandbatey
In the original manual formulation, I don't understand how the paths of these
two travelers cross in Oakland. It looks like they'd only be able to take
their quite short section. Unless they both stayed on their trains past the
points where they where supposed to exit, but I don't see how you can do that
if they scan your ticket when exiting the train.

~~~
zodiac
> I don't see how you can do that if they scan your ticket when exiting the
> train.

On the BART system you scan your tickets while entering/exiting the station,
not the train

------
teddyknox
RFID isn't spoofable? I thought it was.

~~~
conradev
> The card operates on the 13.56 MHz range putting it into the Near Field
> Communication category (rather than RFID, as is commonly misconceived).

[https://en.wikipedia.org/wiki/Clipper_card#Technology](https://en.wikipedia.org/wiki/Clipper_card#Technology)

~~~
hueving
The important distinction isn't really the frequency. It's that the card has
an actual circuit that performs some crypto handshake with the reader. It's
not just static information encoded that anyone can just read and duplicate.

------
jploh
Reminds me of a time in Hong Kong when I accompanied a friend buy or trade
used games at the train station. We were outside of the paid area and the
other guy was inside the paid area of the concourse. It seems to be common
practice there.

~~~
kiwidrew
Yep, happens all the time in HK. [1] The MTR (metro system) charges based on
the station where you enter and the station where you exit. The ticket is
valid for 150 minutes after you enter, which is plenty of time to take a train
to a distant station and come back again. As long as you don't actually leave
the distant station, the fare system has no idea where you went. :)

[1] [http://www.urbanphoto.net/blog/2010/12/06/online-shopping-
in...](http://www.urbanphoto.net/blog/2010/12/06/online-shopping-in-the-mtr/)

------
karmicthreat
Couldn't you just do the equivalent of a remote attack like you might do on a
car?

Could probably do this with a group of cooperating people if you really wanted
to trade time for a little bit of money.

~~~
brenns10
Unfortunately I don't know enough about the hardware or encryption used in the
Clipper Card to say whether that sort of attack is feasible. It's interesting
but ultimately I'm not looking to execute this sort of attack!

------
rosstex
Does this mean BART doesn't check your tickets while riding?

~~~
ffumarola
Correct, BART is not a proof of payment system. You must scan your clipper
card or transit pass to enter the gated BART platform.

~~~
delazeur
It's been a few years since I've used it, and that was only a couple of times
between going between a couple of stations, but that's not how I remember it.
Some stations had ticket scanners at the entrance to the platform but some
didn't.

I remember the Palo Alto station very clearly because I got on once thinking I
had grabbed my ticket from the vending machine when I had actually grabbed the
previous person's receipt because I was in a hurry. I got on the train and
once I realized I was worried about the fare inspectors coming on and catching
me, so that station definitely does not require a ticket to get on the
platform. Maybe that's just classism with respect to Palo Alto?

Edit: never mind, it was Caltrain not BART.

~~~
Oogoo
I believe you are thinking of Caltrain, which is a proof-of-payment system.
BART does not go to Palo Alto.

~~~
delazeur
That makes sense, and explains some other memories I have about transferring
trains. I did not realize they were separate systems.

------
gpvos
Doesn't BART have onboard ticket inspectors? That would easily foil this.

------
0xmohit
This will probably attract downvotes, but I'd call it an algorithm for
_collective, mass fraud_.

One might find it surprising, but I've seen people do this several years back.
The only difference being that it was on a much smaller scale, with only a
handful of friends involved.

------
nthitz
Discounts = Theft. Way to give back to the community.

~~~
srice
_One final note before I dive in: this algorithm is essentially large scale
ticket swapping, which is obviously illegal and unethical. I don’t believe
that it would be ethical to use this in the real world... and since Clipper
cards are not cloneable, this work can’t be used to facilitate this large-
scale theft._

