A recent incident in Taiwan revealed that a 17-year-old high school dropout used an NFC reader to tamper with an EasyCard balance, cashing out over 40 times within six months, illegally gaining nearly 700,000 yuan. This event brought the long-dormant MIFARE Classic vulnerability back into focus, forcing authorities and cybersecurity experts to re-examine the "old problems" in payment infrastructure.
MIFARE Classic Was Already Cracked
Cybersecurity expert Huli noted that NTU Electrical Engineering Professor Cheng Chen-mou had already demonstrated a break of the CRYPTO1 algorithm used in MIFARE Classic in a 2010 talk at HITCON and CCC titled 'Just Don't Say You Heard It From Me: MIFARE Classic IS Completely Broken', meaning the specification the current EasyCard relies on was fully compromised 15 years ago.
The weakness of CRYPTO1 encryption, side-channel attacks (SPA, DPA), and the open-source tool Proxmark3 formed a "trilogy" that greatly lowered the barrier to copying, modifying, and cloning EasyCards.
Expert Huli pointed out:
"The value record is stored on the server, and discrepancies will eventually be discovered; the real risk is how easily the chip can be modified, with detection and law enforcement costs effectively outsourced to the police."
Huli also recalled a 2011 case in which a security consultant surnamed Wu was arrested for cracking an EasyCard during a convenience store purchase: that earlier scheme involved direct cash-out, whereas this high school student used a refund mechanism. "Since the transit company doesn't directly bill the EasyCard after a refund, there's a time gap and it won't be immediately detected. According to news reports, it was only discovered after a few months of reconciliation? And the amount was quite large, reaching hundreds of thousands."
Huli added: "The new EasyCard has changed its underlying technology, but as long as old cards are still in circulation, such incidents cannot be completely eliminated. To solve this, the only option might be to recall and retire all cards using the old system."
High School Student's EasyCard Tampering Method
The police investigation revealed that the student bought a Chinese-made NFC reader online and taught himself to modify the card's balance field, repeatedly writing 1000 yuan to the card and then going to a metro station for a refund, with each cycle taking less than 3 minutes.
EasyCard Corporation discovered the anomaly through backend reconciliation in late 2024 and reported it to the police, who arrested the student in February this year. The company said it has strengthened its monitoring logic but, since the case is in judicial proceedings, could not disclose further details.
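How backend reconciliation can surface a rewritten balance field, as an added example that is not part of the original article or of EasyCard's systems: the event format, card ids, timestamps and amounts are constructed, and the code assumes every terminal event is uploaded to the server before reconciliation runs.

```python
"""Server-side reconciliation of card balances (added example, constructed data).
Assumes every terminal event reaches the server before reconciliation runs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds (constructed)
    card_id: str
    kind: str          # "topup", "fare" or "refund"
    amount: int        # money moved by this event
    card_balance: int  # balance the terminal read from the card before the event


def reconcile(events):
    """Return (card_id, ledger_balance, card_balance) wherever the card's own
    balance field disagrees with what the server ledger says it should hold."""
    ledger = defaultdict(int)
    mismatches = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.card_balance != ledger[ev.card_id]:
            mismatches.append((ev.card_id, ledger[ev.card_id], ev.card_balance))
        # Only server-recorded events move the ledger; an offline write to the
        # card never does, so the gap surfaces at the next terminal contact.
        ledger[ev.card_id] += ev.amount if ev.kind == "topup" else -ev.amount
    return mismatches


def refund_velocity(events, max_refunds, window_s):
    """Return card ids with more than max_refunds refunds inside any window_s
    span; catches a write-then-refund cycle before reconciliation runs."""
    per_card = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "refund":
            per_card[ev.card_id].append(ev.ts)   # timestamps arrive sorted
    return sorted(card for card, t in per_card.items()
                  if any(b - a <= window_s for a, b in zip(t, t[max_refunds:])))


# Constructed sample: CARD-A behaves; CARD-B's balance field was rewritten offline.
SAMPLE_EVENTS = [
    Event(100, "CARD-A", "topup", 500, 0),
    Event(160, "CARD-A", "fare", 30, 500),
    Event(200, "CARD-B", "topup", 100, 0),
    Event(260, "CARD-B", "fare", 20, 100),
    Event(900, "CARD-B", "refund", 1000, 1000),   # server ledger says 80
    Event(1050, "CARD-B", "refund", 1000, 1000),
    Event(1200, "CARD-B", "refund", 1000, 1000),
    Event(5000, "CARD-A", "refund", 470, 470),
]
```

The first mismatch for CARD-B appears at its very first refund (ledger 80, card claims 1000); the velocity rule flags the same card from timing alone, which matters when ledger reconciliation only runs periodically.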
Additional External Reading:
《Thesis: Card-Only Attack on Mifare Classic》
《NFC Cybersecurity Practical - NCHU Information Society Course》