Transit users have been asking for it for years. In the end, it was a student from McGill University who succeeded in programming software that allowed him to recharge the OPUS card online directly with his cell phone.
Posted at 12:44 a.m. Updated at 5:00 a.m.
What you need to know
The ARTM plans to deliver a mobile charging system by the “first quarter” of 2024.
A student who complains that the measure is taking too long to implement chose to offer software online to do it.
At the ARTM’s request, however, the student withdrew his software soon after.
With a mobile recharge system, the ARTM expects to reach up to seven million annual transactions. Currently, it is barely 350,000.
This programming feat comes as the Regional Metropolitan Transport Authority (ARTM) has just granted 1.13 million to the Parisian company Spirtech to develop a similar application. In addition, the contract provides for royalties paid on each of the approximately seven million annual transactions projected for the purchase of transport tickets on mobile.
The hacker's code snippet, programmed for Android phones only, surfaced last week on GitHub, a collaboration forum for programmers. The Press was able to test it, with the help of its IT development team, and confirm that it works.
The ARTM quickly asked its author to remove it from GitHub and launched a “cybersecurity investigation” to assess “the risk and potential for fraud in this situation”. “The ARTM does not recommend using this module,” the organization said in an email sent to The Press.
The Opusenligne.ca transactional site, which requires a smart card reader connected to the computer, was temporarily suspended on Friday and is subject to “preventive checks”.
“Outdated card reader”
The software was developed by Alex Lai, a software engineering student from McGill University. “It took me roughly three months to program it,” says Mr. Lai, who immediately complied with the ARTM’s request to withdraw the software.
His module allows you to buy tickets on the Société de transport de Montréal (STM) website and transfer them to the contactless OPUS card. The phone's NFC (Near Field Communication) module transfers the transport tickets to the smart card by radio waves. All you have to do is hold the OPUS card against your phone for the operation to be completed. It is the same technology that makes contactless credit card payments in shops possible with Apple Pay or Google Pay.
By comparison, the outdated technology by which OPUS card users have been able to obtain transit passes online since 2015 requires the possession of a blue chip card reader, which the ARTM sold for $20, but which hasn’t been offered for several months. The transfer of tickets with this device was not very user-friendly and required the use of a computer.
I don’t understand why it took them eight years to start developing a contactless solution, when NFC technology is on almost every cell phone. My motivation was to create a solution that does not require the purchase of this outdated card reader.
Alex Lai
The ARTM has been working for several months to develop a solution using this contactless technology. The organization tested a first prototype in the fall of 2021 with 1,674 users. But the deployment of the technology in the Montreal metropolitan area, as well as in Quebec, Lévis and the MRC of Joliette, is not planned before 2024.
Documents from a call for tenders concluded last June indicate that “the possibility of purchasing transport tickets with their smart phone is by far the most awaited feature of customers”. A survey conducted by the ARTM in 2022 shows that 95% of respondents said they would definitely or probably use such an application. “Customers have long wanted to be able to buy their transit tickets via their smart phone,” reads the call for tenders specifications.
Transaction fees
With the current online purchasing system, the ARTM claims that it records only 350,000 transactions per year. The organization predicts in its call for tenders that the number of transactions will explode with mobile purchasing, reaching a range of five to seven million transactions per year.
It is the software developer who will be responsible for operating the sales servers, indicates the ARTM. The amount of the fee paid for each transaction “to operate the sales server” was not disclosed. In the event of a system failure, the ARTM specifies that it will retain 2% of the monthly fee for each hour of inactivity.
“The supplier receives a lump sum for the integration of the software, and an amount per transaction in order to operate the sales server”, specified the Authority when questioned on this subject, without going any further.
An industry source who spoke on condition of anonymity because she is not authorized to reveal confidential business information says such royalties can add up to significant revenue. “The company that won the contract risks becoming the main supplier of transport tickets overnight. We estimate it will replace 80% of retailers, such as pharmacies and convenience stores, that sell tickets,” the source said.
The ARTM marketing team will dedicate a “significant promotional budget to publicize it when it becomes available”, underlines the call for tenders.
A limited risk
Beyond the risk, the ARTM points out that the sales transaction server of its system “is being designed according to the new banking standards which are to come into force next year in 2024”.
“Launching a new product like this also involves setting up adequate customer service,” explains the organization in response to our questions about implementation times.
According to computer security expert Jean Loup Le Roux, the appearance of software that Mr. Lai programmed without explicit authorization does not mean that the technology used for the OPUS cards is at risk. “It’s a technology that’s hard to abuse. It remains impossible to forge credits without having the signing keys,” he summarizes.
However, it is not impossible that ill-intentioned individuals could take Mr. Lai’s software and add lines of code containing a “snitch” that collects banking data entered by the user at the time of the transaction. “If this modified version started to spread, yes, we could have a problem,” says Mr. Le Roux.