Clipper Payment Problems

New Muni Faregates
Photo by Jamison Wieser

Muni rider Scott ran into a rather complicated bit of trouble with his Clipper card recently. His account was set to auto load $20 ecash for when he uses the card on transit systems other than Muni. But then he got a new debit card and forgot to notify Clipper. Then, on Aug. 4 …

Clipper attempted to charge $72 for my August Fast Pass against the card that was closed. Because Clipper credits your card before the transaction is actually processed, I did not realize my mistake until Aug. 12, when I received an email to tell my that my charge was declined. I immediately signed on to my account on the Clipper website and updated my credit card info.

But because the charges for his Fast Pass were declined, Clipper blocked that part of Scott’s card until they processed the transaction on his new card. Because the ecash part of his card was not blocked, every time he used Muni between until Clipper cleared his new card, he was deducting $2 per ride.

It seems there is a problem with the Clipper website, where updated billing information is not saved correctly, so when the cash balance on my Clipper card was depleted and when they attempted a new charge, they used my old debit card number and the charge was declined. But, Clipper credited my card. And because there is so much lag time between when the transactions are declined to when they notify the customer, I continued to deplete the Clipper card balance and they initiated more transactions against the closed debit card.

Finally, he tried using the card and found that it was completely blocked. He called Clipper and they informed him of the error with their website. Scott was assured that his account was not corrected and Clipper would expedite having his card unblocked.

Since this was 4:40 p.m. on a Friday, I didn’t have much hope. Sure enough, the card was not cleared until the morning of Aug. 30, when I used my card on the 24, I saw on the display that my monthly pass was used. Then at 1:07 p.m., on the same day, I received an email that charges to my debit card were declined. I called Clipper and sure enough my card is blocked again. Once again, I was told that it was fixed and that it should be available to use in 24 hours.

Scott adds: “I’m not holding my breath.” My god.

We contacted Scott to hear about any possible resolution to his story. We at Muni Diaries are no strangers to Clipper fuckery ourselves. How about you? Has something similar to Scott’s ordeal happened to you? It appears that the website at least sometimes fails to process user updates.

Broken Clipper Machine on a Crowded Bus: Should you be cited? (update)

New Clipper Card and Carrying Case
Photo by Agent Akit

Update (12:39 p.m.): SFMTA got back to us on this. Turns out Kazuko was wrongly cited.

The actions described in this account are not consistent with our policy. If the reader is out of service, the patron is not cited if they have a valid Clipper card. The supervisors will remind all TFI’s of this policy.

Sadly, Kazuko will have to protest the citation. Not an easy chore.

Original post: A few days ago we checked in with SFMTA to see whether the fare policy concerning broken Clipper readers had changed. The SFMTA assured us that the policy has not changed: when a Clipper reader on a Muni vehicle is broken, the vehicle’s operator is instructed to allow passengers with Clipper cards to board.

But rider Kazuko said that the policy is still not being enforced systemwide, particularly on crowded buses:

I got on 38L at Geary and Divisadero around 5:10 pm on August 17, 2011. As you can imagine at the height of a rush hour, the bus was completely packed. I entered the bus from the middle entrance. I swiped my Clipper card which had more than $20 left on it, but the machine was not responding. I tired a few times to swipe it to no avail.

When the bus stopped at Van Ness, a few officers got on the bus to check everyone’s ticket. As I presented my clipper card, the officer told me to get off the bus, even though he had scanned my card and knewI had more than enough fare left on my card. Confused, I asked him why. He said I needed to get off the bus. I had no choice but to obey. Outside, the officer told me he had to issue me a ticket.

I told him repeatedly that I have swiped the card but the machine was broken. He said, “There are three machines on the bus. You should have walked up to ALL of them to see if they are working. As it stands now, you got on the bus without paying so it is my job to issue you a ticket.” As I had stated earlier, the bus was extremely packed. After he finished writing me the ticket, he then proceeded to tell me that, “With this ticket, you have one COMPLEMENTARY bus ride. You don’t have to pay for your next ride.”

If this some kind of joke?

We’ll get in touch with SFMTA about readers in the back of vehicles, and the policy for when buses are jam-packed. It doesn’t seem fair to me if  fare inspectors are instructed to ticket under any circumstance and let riders fend for themselves protesting their citations.

SFMTA’s Broken Clipper Machine Policy Unchanged

Back in July 2010, we reported on official SFMTA policy for when a Clipper reader onboard a Muni vehicle is broken: the vehicle’s operator had to allow passengers with Clipper cards to board. We even posted the official memo from SFMTA for you to print out and carry with (much as it made our stomachs turn to encourage dead-tree-ism).

But, lately, there were mumblings that the policy wasn’t being enforced systemwide. So, we got in touch with SFMTA, who verified that the policy hasn’t changed:

The policy has not changed.

Any customer who receives a citation that they feel is unwarranted may certainly protest the citation. Here is a link from our website to the page about paying or protesting a transit fare citation: We appreciate customers alerting us to malfunctioning Clipper readers via 311.

So, when you encounter a broken Clipper reader, insist on boarding the vehicle. Protest a citation if you receive one, using the guidelines in the link above. It’s probably a good idea to note the coach number, the driver number, and the date and time for reference.

The more you know, and all that.

Clipper Card citation nightmare

For your safety.
Photo by Michela

Rebecca recently had a terrible experience with Clipper. Unheard of, right? She’s hoping to find others who’ve experienced something similar in hopes of bolstering her case against getting ticketed.

I live in the East Bay and take BART into work regularly, but I take Muni only rarely. However, I purchased 10-ride ticket for my Clipper Card about six months ago because I do take Muni on occasion.

One night last month I stayed in San Francisco after work for an event, and I decided to take Muni to Embarcadero BART. I got on at 3rd and King, and tagged my card to the reader at the middle door. It beeped and I sat down. When I got off at Embarcadero, a transit officer stopped me and asked to check my Clipper Card. I was stunned when she said that the last time I had tagged in was that morning at El Cerrito del Norte BART. She did not have a record of me tagging out at 16th and Mission that morning, or tagging on at 3rd and King.

I did nothing illegal here besides use the damn card that they are asking us to use. For heaven’s sake, I have more than $200 in general funds on that Clipper Card, *plus* seven rides of a ten ride muni ticket — why would I cheat? But my protest was denied and so I’m going in for a in-person hearing.

Has this happened to you? If so, let us or Rebecca know.

What Does Your Clipper Card Say About You?

Photo by Akit

Editor’s Note: Can your Clipper card leak private information about you, or are people just being paranoid? Rider Devin Carraway did some research into the privacy issue of RFID devices and even looked into the raw data that Clipper cards contain. Some of that data is accessible with some smartphone apps. Take a tour inside the Clipper card with Devin and decide for yourself.

If you pay attention to tech news, you’ve probably heard about the increasing ubiquity of RFID devices — small chips attached to antennae and embedded inside plastic housings, capable of simple storage and a little limited computation. Chances are you’re carrying a few around with you — RFID is used in card keys to open doors and key fobs to unlock cars. Companies use them for inventory, supply chain management, and theft prevention. Car-sharing companies use them to let you into the cars you’ve rented. FasTrak uses them to charge bridge tolls, and transit agencies use them in fare cards, like Clipper.

If you pay a little more attention to computer security news, you’ve probably also heard concerns over RFID’s security when it comes to your private information. Cards like Clipper are meant to be readable only with a tap, but as you probably know, usually a few inches will do. That’s with the power levels and antennae in the readers that SFMTA/BART are deploying.

With more power and a larger antenna, the range increases; the practical limits vary with the frequencies and chips involved. At Clipper’s 13.56MHz, you can read the card from a few feet with an antenna that can fit in a backpack. The most common concern is that RFIDs can then be read by anyone who can mount a reader on something that you walk past, without your knowledge or control.

When an RFID device is being read, most do nothing but announce a long number — but it’s a unique number, and it’s enough to recognize you next time. There are some innocuous uses for that, and some malicious ones.

Clipper is a fancier beast — Clipper cards contain MMIFARE DESFire chips. They have a
rudimentary operating system, with a file system capable of reading and writing data and simple cryptographic authentication. That’s pretty much all you need to implement a contactless fare system. They implement a standard protocol, part of a range of technologies emerging in portable gadgets. Some Android phones support it now, and the next iPhone is rumored to be adding it too. You might have heard of MIFARE one other place — the MIFARE Classic chip was used in London’s Oyster cards, and was badly flawed in ways that could be exploited to evade fares, clone cards, etc. NXP Semiconductor, who devised the chips, unsuccessfully sued to stop publication of research demonstrating those flaws.

To date there have been no published attacks against the DESFire in Clipper cards. Chances are there are still flaws — most software is like that. The Associated Press reported that an employee of Cubic Transportation Systems, the same vendor that makes and distributes Clipper cards, had a cottage industry selling perfectly usable forged fare cards in Boston, though not enough details have come out to know whether the methods involved could affect Clipper (the MBTA, meanwhile, terminated Cubic’s contract and plans to seek reimbursement for $5M in suspected losses).

I’ve been interested in what’s actually stored on these cards, and what could be read from it. So, I did a bit of experimenting. I paid cash for a fresh Clipper card. I ran up some trips on it, and then scraped it out using FareBot for Android. Here’s what you can read from my Clipper card, with equipment no more sophisticated than a cellphone:

  • Various unique card IDs, manufacturing dates, batch numbers, versioning data, etc.
  • Card balance
  • Passes loaded (which I didn’t test, but it’s in there)
  • What trips you’ve taken. For Muni, it’s when you tagged the reader. For BART, the card records every station you visited and when. Caltrain, Golden Gate Transit, and the ferries record fare zone and time at either end of the ride.
  • History of cash reloads. This includes the amount, the agency and the specific machine you visited.

Looking over the raw data a bit, the designers allocated themselves enough space to record 16 trips and six refill histories. There’s also a large (1280 byte) buffer of no documented purpose, but my sample card did have data with some clear patterns written there.

The good news, I suppose, is that Clipper isn’t storing very much about Muni trips — it’s pretty much nothing but what time you tagged to board the vehicle. On the other hand, BART is storying a large amount of information, especially on a card that can be read by anyone who can hold a phone up to your pocket. Records of past trips are useful for all sorts of nefarious parties and of no use to legitimate fare inspectors. Payment history really shouldn’t stored on the card either — all a fare inspector really needs is a fare balance, not a history of my financial transactions.

Clipper’s privacy policy doesn’t distinguish what they store on the card versus on their own servers. On the subject of security, the policy says that Clipper “will take all reasonable steps to safeguard personal information through physical, electronic and procedural means.” For me, it’s hard to interpret a universally readable card as meeting that standard.

How accessible is the data on your Clipper card? It depends. If you’re using it to stalk someone on BART using nothing but a cellphone, you’d have to get within a few inches of their pocket or purse when they’re not looking. Doable, if you’re motivated. Embarassingly easy on packed trains or buses, really, where it’s hard not to get close. If you wanted to scan a dozen people on a 38-Geary to see who just refilled their card and is likely to be carrying cash, you might have to do some conspicuous squirming around. To scan everyone coming out of Montgomery BART in the morning to see what station they live near, you might build a larger antenna and reader into a briefcase or newspaper box.

Would you? Enh.

The good part about technological crime is that those with the skills and equipment to do it usually have no motivation for petty crimes. The bad part is that it tends to facilitate major complex ones, and economies tend to generate around vulnerabilities these days. Security researchers worry about RFID because it enables clandestine spying on people’s activities, which I think Clipper certainly makes easier. Use of RFID in fare systems is also worrisome because transit systems are usually run by government agencies and built by contractors, which is an environment prone to fallible design and poor security design decisions.

At any rate, it was an interesting little tour. With NFC chips moving inside cellphones and controllable from software, I hope to see transit fare cards replaced with on-phone equivalents that are properly backed up against loss and only allow the data to be read when I authorize it.

1 2 3 4 5 6