Clipper Cards

November 30, 2019

After posting this information on Twitter, my account was suspended.

Over two years ago, I reported to Clipper Card, a very obvious flaw in the design of their system that lets anyone add unregistered clipper cards to their account and transfer or refund money on the card. You can also easily monitor the whereabouts of a card owner without them even knowing. Clipper Card has done nothing to address these concerns.

Step 1: Registering cards

Add an unregistered clipper card to your account. Notice that there’s no secret pin needed in order to verify that you physically have the card. The ID’s follow a simple pattern and you can programmatically iterate through thousands of ID’s to see if they’re unregistered.

Step 2: Balance & Reporting

Once the card has been added, you can see the balance of the card as well as the transaction history, revealing the card owner’s whereabouts. Because most people don’t register their cards, in theory it's very easy to register an endless supply of cards with high balance.

Step 3: Hijacking the card

Finally, you can hijack the card by reporting it as lost / stolen. They’ll cancel the old one and send you a new card with the same balance (minus the $5 restoration fee). Ironically, by reporting it as stolen, you’ve effectively stolen it from the rightful owner. A greedy hacker can also ask for a complete refund and pull out the balance in cash.