Medford man charged with forging T passes

Transit Police report the arrest of Casey Kolenda, 27, on charges he used a magnetic-strip reader to create hundreds of bogus $70 Link Passes starting sometime last year.

According to police:

Authorities identified multiple monthly Link Passes that were purchased legitimately and subsequently used to create hundreds of forged tickets used by riders.

Authorities allege that Kolenda orchestrated a scheme to fraudulently create counterfeit $70 monthly MBTA subway and bus passes, known as “Link Passes,” between October 2013 and March 2014. The investigation revealed that the electronic data stored on the Link Pass magnetic strip was copied using a magnetic strip reader, also known as a “skimmer.” The electronic data was downloaded onto the magnetic strips of hundreds of MBTA stored-value cards that Kolenda purchased for as little as five cents at ticket kiosks. Kolenda then disguised the forged passes by applying contact paper that bore the production history of the original Link Pass, as well as the MBTA’s trademarked “T” logo. Similar in appearance and now encoded with the electronic data copied from the Link Pass, the counterfeit cards could be used at any MBTA fare gate in the same manner as the original pass.

The joint investigation revealed that hundreds of counterfeit passes bearing the electronic data of the original were distributed and used on a monthly basis by MBTA riders, sometimes more than 15,000 times in one month. Investigators estimate that the lost revenue attributable to the forged tickets manufactured and distributed by Kolenda approaches $200,000.

Kolenda was scheduled for arraignment in Somerville District Court today on five counts of counterfeiting with value over $10,000.

Innocent, etc.

In 2011:
State: Revere man made, sold millions of dollars' worth of unauthorized T passes.



Free tagging: 


    So its now no longer possible to do this?

    That the stored computer record verifies the card data when swiped? Then doesn't open the gates and alerts someone in the booth? I hope that is how they caught people who purchased the cards who then gave up the seller. Otherwise, the T will continue to lose a lot more money. I wonder how many loopholes the MBTA has yet to fix, and how many more years to fix them.

    Why now?

    By on

    When those MIT students warned them about the vulnerability several years ago apparently all they did was go after the students. If they didn't fix it then, why would they fix it now?

    Oh, and of course having not fix it allows Martha another chance to come swooping in as the Avenging Angel of Justice...


    She's too busy threatening

    By on

    She's too busy threatening businesses for shipping perfectly legal goods into the state that she doesn't like. Abusing consumer protection laws to ban random products on a whim. Running for any other office which would grant her further power. And of course her favorite pastime, scapegoating underlings or political targets for fun and profit of friends.

    It's why she is too busy to investigate fraud, corruption, and the major illicit market in pain medication scripts right under her nose.


    CAN they fix it?

    I recall recently there was talk about how patching the programming the CharlieCards run on was nearly impossible. The original company went belly up and anyone new who comes in and meddles with the programming could screw up the system and be liable for it. So the best they can do is use preexisting abilities such as blocking cards on an individual basis based on any detected abnormalities. But as for going in and patching up security holes before they're abused, that might not be possible. Or, rather, no one would want to step forward and attempt it. Especially at the risk of screwing things up real good.



    By on

    It can be done.. it just requires a ton of QA and a testing environment that is disconnected from the production system (the "Live" system) so patches can be tested and deployed to make sure they work before deploying the patches.

    But the show stoppers are two things

    1. Access to the source code for the AFC software OR someone with a clear understanding how it all works and how it's coded (so it can be patched). This could be next to IMPOSSIBLE to do since the company went belly up and typically most proprietary code isn't released in this manner because it still has value as an asset from the former company that can be sold (to pay off debtors)

    2. Money. Everything costs money. Man power, setting up a test environment, deployment, etc. Sure its easy to say "but the T will lose money because of fare evaders", but when you compare that to the cost of trying to patch a system, it will cost more to FIX something than it would to just allow the fare evasion to happen.

    This is very typical of any legacy system where the original company went belly up. My company works on a record system that is so out dated, we were told "no more support" from the vendor, so now we manage, develop, patch this system ourselves at a cost to us. (So much so, the original vendor came to us and asked us what we did to patch some nasty bugs in our system)

    What I am surprised about is.. unlike a lot of software packages.. AFC is pretty unique and I am sure there's very few companies that do that. Why some other company bought out the existing code and service contracts yet? You'd think there would be a market out there for this and SOME company would suck this because its 'instant, existing, lifetime customers' because AFC on transit isn't going away.

    PS - This is typical of the software development life cycle. This is what I do for a living.. (as many people on this board do also)


    Code generally put in escrow

    Access to the source code for the AFC software OR someone with a clear understanding how it all works and how it's coded (so it can be patched). This could be next to IMPOSSIBLE to do since the company went belly up and typically most proprietary code isn't released in this manner because it still has value as an asset from the former company that can be sold (to pay off debtors)

    For this, the buyer usually asks that the source code be put in escrow, just in case vendor does go belly-up. When I worked for a startup, we had to set up an escrow account and send them tapes with our code. The joke at the time was that we could send them blank tapes and nobody would know.

    Now, a heap of source code isn't going to do anybody much good without investing one boatload of time (i.e. $$$$) trying to figure out what it does

    The company went belly up?

    By on

    The company went belly up? After all those lawsuits suing the MBTA and other transit agencies insisting that they use their services because the better company the MBTA (and others) wanted to use was not American, the crappy American company goes under? You would think a business model based on lawsuits forcing organizations to use them would be a great business model.




    Is this why the older cards were all programmed to expire earlier this year?


    Scheidt and Bachmann (who

    By on

    Scheidt and Bachmann (who made the new fare collection system) is not out of business. Neither is NXP Semiconductors (who makes the MIFARE chip in CharlieCards).

    But they own the source code, so the T is stuck dealing with them, and can't get competitive bids for upgrades.

    The real problem is that CharlieTickets (not cards) have basically no security. If this small-time criminal from Medford can copy them with a cheap magstripe reader, it shows that anyone can.

    The police can data-mine to figure out which tickets are duplicates (for example, if the same serial number is used hundreds of times a day all over the system), and figure out who did it by reviewing ticket machine camera footage and setting up an undercover sale. But that's only possible (and cost-effective) for cases of widespread fraud done by amateurs.

    In this day and age, there's really no excuse for rolling out a system that's so easily defeated.

    In this day and age

    By on

    They're really no excuse for installing a customized fare collection system that's so computer dependent and while still allowing the original supplier to retain the source code.

    Computer Dependant

    By on

    I don't see being computer dependent a bad thing. Everything is computerized, and at least there's accountability now. Remember the 'money room' problems from the previous system? Yeah AFC kinda does away with that because more people are apt to use electronic payments and less likely to use cash.

    Now the source code on the other hand, I agree with. I'm sure that AFC is so customized that its specifically written for the T, so no sense WHY the T doesn't own it.

    I worked for a company years ago that was a retail store with cash registers. The company BOUGHT the source code for the cash registers so they owned it and could customized it as they see fit.

    But that idea may have changed because once you give someone the source code to modify, it no longer is a money maker (i.e. lifetime support contracts).

    Maybe the answer is 'poo poo' on the T for not negotiation code release in their contract. (and why on earth would not do such a thing considering the old system had been in place since the 1940s)


    Probably they could have

    By on

    Probably they could have avoided this problem if their multimillion dollar fare card replacement system had used crypto stronger than the decoder ring out of a box of Cracker Jack.


    Perhaps they could have avoided

    By on

    ALL the problems they've been having with their multimillon fare collection system by sticking to proven low-maintenance technology instead. Who cares if it's not the "latest and greatest high tech, as long as it works reliably. Tokens did, this system doesn't.


    Trouble is tokens didn't work

    By on

    Trouble is tokens didn't work. Cash was regularly stolen by employees and shredded by the old fareboxes. The entire world has moved away from tokens for good reason. Boarding is much faster and transfers easier when people use the smartcards properly.

    To be fair, the magstripes on

    By on

    To be fair, the magstripes on the old monthly passes were just as easy to copy as CharlieTicket passes. Though they did have a multicolor design that changed every month, making it easier to spot a fake visually.

    How much?

    By on

    The lost revenue was estimated at $200,000, but how much was our perp selling the bogus passes for? He's certainly selling for a sharp discount and got nowhere near $200,000. Seems like a lot of effort and capital investment - and risk of course - for not a tremendous amount of return.