Hackers have violated ticketing system based on NFC in Chile

Unknowns have hacked the NFC based electronic payment system used in Chile, the “Tarjeta BIP!”, spreading an Android hack that allows users to re-charge cards for free

In Chile NFC electronic payment is already a reality, “Tarjeta BIP!” is the name of the payment system used to pay for public transportation with users’ smartphones that support the standard. The adoption of NFC standards for NFC ticketing application is a reality worldwide, many companies enable NFC ticketing payments due to its numerous advantages. We all know that when a technology is in so rapid diffusion, security issues are unfortunately are neglected and cybercrime is always ready to exploit the lack of the implementation of security requirements.

The news of the day is that according security expert Dmitry Bestuzhev cyber criminals have reversed the “Tarjeta BIP!” cards and discovered the mechanism to re-charge them for free. Someone has spread on the Internet an application, which allows users to re-charge their credits to use for NFC electronic payment with their Android devices.

“So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum  equal to approximately $17 USD.” reported Bestuzhev in a blog post published on SecureList portal with 

The users just need to install the application on their NFC Android device, put the ticket in proximity of the smartphone and push the button “Cargar 10k”, the operation refill the card with 10,000 Chilean pesos.

The experts that analyzed the Android app discovered from the metadata of the .dex file package that it was compiled on October 16th, 2014, it is a tiny app (884.5 kB size) which interacts directly with the NFC port:android.hardware.nfc. The authors of the fraud are also able to change the card identifier, called “número BIP”, a feature that makes hard for law enforcement to block illegally refilled BIP cards.

The principal features implemented by the author of the application are:

“cambiar número BIP” – allowing the user to change the card number altogether.

“número BIP” – to get the number of the card, “saldo BIP” – to get the available balance,

“Data carga” – to refill available balance and finally, maybe the most interesting is

Despite the original links available online to download the Android App were taken down, it is still possible to download a new application, that implements the same feature, from the new servers. The new application was compiled on October 17th, 2014, it is derived from the original one bit its size is greater due to the presence of an advertisement component.

“Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a” explained Bestuzhev.

As explained in the blog post, due to the high interest in the application in the country, cyber criminals could spread a malicious version of the app that is able to infect NFC Android mobile devices, in this way threat actors could run targeted attacks in Chile, compose a botnet or realize any other type of scam based on mobile technology (e.g. Premium SMS scam, premium call scam).

Dear Chilean friends, beware!

Pierluigi Paganini

(Security Affairs – NFC payments, hacking )