Scammers find quirky exploit in OVpay system for free public transport rides
It is possible to travel for free on Dutch public transport with OVpay, the new system for checking in and checking out, RTL News reported on Friday. By creating a virtual card via an app, a passenger can travel without paying by simply deleting the card quickly after checking out.
OVpay is the contactless payment option for public transport that launched in February. It allows passengers to pay for their trip with a contactless bank card or smartphone. It is already used for about 4 percent of all public transport trips.
RTL conducted several tests over the last few weeks and found that passengers only need a virtual debit card to pull off the trick and get out of paying a fare. These cards can be used to travel with OVpay. They are usually used for one-time purchases online, and can easily be created via an app. There are multiple services to create a virtual debit card. RTL Nieuws did not disclose the service they used in their testing.
The exploit is simple. OVpay processes travel expenses during the overnight hours. Passengers using a virtual card can avoid payment by deleting the card after checking out, but before the charge has been finalized. That prevents the money from being debited from their account. Public transport workers cannot detect this, as they only see the check-in time and location.
"This is very embarrassing," IT expert Brenno de Winter told RTL Nieuws. "If you develop a new system, you have to know how it can be abused. If people do this en masse, you have a problem."
Translink, the company responsible for the app, informed RTL News that they are aware of the loophole but have no plans to stop or limit abuse, stating that most travelers use public transport “in good faith.” The company warned that banks could act against fraudsters, who would eventually have to pay for the losses and might be excluded from most services provided by card providers or banks for an extended time.
De Winter expects Translink will certainly try to track down some of the fraudsters. "That will be difficult if there are thousands of them, but you only have to catch 25 to have an impact. That deters. Because if you get caught, you do have a big problem. It becomes harder to open a bank account, or get insurance or a mortgage."
Translink stated that if widespread abuse occurs with a bank's payment cards, all of that bank's cards could be blocked by OVpay. In that case, none of the bank's customers would be able to travel using their bank cards.