Spanish transport system was hacked. Bus and tram cards cloned and recharged with fake money

According to vulnerability testing specialists, there has been a considerable increase in the number of scams related to refills on cards used to travel on the public transportation system in Spain. After a decline in this activity, thanks to the implementation of a new system, the hackers seem to have found the method to bypass the new security measures.

After this report was revealed, the concessionaire company and the Spanish government released a joint statement mentioning that some monitoring measures will be put in place in the system to detect any suspicious movements. The intention is to permanently block cards that are identified with this “false balance”.

The Spanish authorities mention that their vulnerability testing teams have detected an increase in this activity over the last two months, especially in the Aragon region. Previously, government and private companies began taking action against the use of fake balance on these cards, such as integrating a blacklist with more than 3,000 fraudulent cards and renewing payment card reader devices.

According to various local media, the sudden increase could also be related to hundreds of thousands of high school and college students going back to school; as reported, the students can increase the balance of these cards to levels unsuspected by using just one APK.

Although the authorities and the concessionaire announced the implementation of new technology, vulnerability analysis experts from the International Institute of Cyber Security (IICS) say that the way to defraud the transport system of Spain is the same as that practiced a few months ago, although it is now carried out in a stealth manner; due to constant monitoring against this practice, perpetrators are limited to making fake refills of between 5 and 10 Euros, when a few months ago fraudulent recharges were detected for more than 200 Euros.

The concessionaire has reported that for now it does not intend to install new hardware or develop new systems for the payment of public transport. Instead, they mention that they will continue with the suspicious activity detection approach. “Any public transport system is vulnerable,” a spokesman said.

Hacking incidents of this type occur more and more frequently. A few weeks ago, an unidentified hacker group managed to generate hundreds of free trips using the Manchester, UK transport system app. Thanks to poor security, hackers managed to use the same QR code over and over again, used as proof of payment.