Invasion of THSR's Ticketing System by “Genius Hacker” Solved by Investigation Bureau

Release date 2019/01/19 09:45:55 Update date 2019/05/06 17:23:16 Public Affairs Office
In December, 2018, Taiwan High Speed Rail Corporation (THSRC) actively reported the attack on its T-Express mobile ticketing system by a hacker to the Taipei City Field Division of MJIB. The hacker purchased one ticket from Nangang to Taipei at the fare of NT$40 and immediately canceled the ticket. When applying for refund, the hacker tampered with the parameter of the system's refund amount column, changing it to NT$200,000, all in order to deceive the system into carrying out the transaction. Fortunately, the back-end accounting system of THSRC identified the anomaly and promptly suspended the refund.
Invasion of THSR's Ticketing System by “Genius Hacker” Solved by Investigation Bureau

  In December, 2018, Taiwan High Speed Rail Corporation (THSRC) actively reported the attack on its T-Express mobile ticketing system by a hacker to the Taipei City Field Division of MJIB. The hacker purchased one ticket from Nangang to Taipei at the fare of NT$40 and immediately canceled the ticket. When applying for refund, the hacker tampered with the parameter of the system's refund amount column, changing it to NT$200,000, all in order to deceive the system into carrying out the transaction. Fortunately, the back-end accounting system of THSRC identified the anomaly and promptly suspended the refund.
  After research and analysis, the Taipei City Field Division found the case was committed by the suspect with surname Chang, nicknamed as “Taiwan genius hacker”, who claimed to hack the Apple Pay system for iPhone purchase and to find a loophole in the Facebook Payment service. The suspect Chang was sentenced to a 60-day confinement by the Taichung District Court for hacking the ticketing system of United Highway Bus (Ubus) in 2015. However, unrepentant, the suspect hacked the THSR's ticketing system in December 2018. At first, Chang used the T-Express mobile ticketing app on his cellphone and attempted to buy tickets at NT$0 or NT$1 but failed. Therefore, Chang booked one local train ticket at NT$40 and applied for cancellation and refund right after completion of the purchase. By way of intercepting and tampering with the specific parameter of the ticketing transaction system to invalidate the system's verification mechanism, Chang intended to defraud the THSRC of NT$200,000.
  Chang's offenses included breach of computer security and fraudulence under the Criminal Code. The Taipei City Field Division applied to the Taoyuan District Prosecutors Office for directions before searching Chang's place on the morning of January 9, 2019 and seizing one laptop and one cellphone involved in the case. Chang confessed to hack the THSR's ticketing system and tampering with the parameter of the refund amount with intent to defraud NT$200,000. After interrogation by the Taipei City Field Division, Chang was transferred to the Taoyuan District Prosecutors Office for questioning in the evening. The prosecutor ruled on a NT$100,000 bail in the court.
  With the approach of the Chinese New Year, transactions on public transportation ticketing systems are increasingly frequent. Actions, such as attacking transaction systems, deleting or tampering with electronic records, and falsely using the names of other people to purchase tickets, could seriously affect financial transactions and social order. The Investigation Bureau exhorts the people to abide by the law and urges institutions or enterprises to provide the Bureau with information if they encounter illegal attacks and criminal activities. The Investigation Bureau will spare no efforts to probe into such cases and timely prevent cybercrime to maintain national security and social stability.