It's designed as an easier way to get through the fare gates at MBTA stations.
"I use my phone to pay," one T rider told us. "It works great. It's really convenient."
The long-awaited tap-to-pay technology was rolled out in August 2024. In just the first five months, the T said it hit 10 million taps. Riders can pay with a physical credit or debit card or with their phone's digital wallet.
But two Boston University graduate students discovered a flaw that allowed them to go through for free.
"Essentially, anyone with a phone and a banking app could travel across Boston," said Sumanth Kamath, one of those BU grad students.
Kamath and co-researcher Damodhar Pai discovered it as they were traveling around Boston last year.
"I was just trying to pay from my debit card, but eventually the transaction was declined as I was tapping on the payment system," Pai said.
They found that the flaw involves the phone's digital wallet: if your card is declined, the system will, at times, still let you through.
Kamath showed NBC10 Boston what happened when he knew his debit card would be declined.
"We can see that the transaction has been declined and we got the notification right after we did it," he said.
They found that the bank account showed the transaction was declined, but only after they were already through the gates.
"It was shocking," Kamath said. "It was shocking."
According to the MBTA's terms of use, the agency said it might temporarily or permanently block access to the system if the charge is declined by the bank. But Kamath said they found that with a debit card in your phone, the Device Primary Account Number, or DPAN -- a unique 16-digit number generated by a digital wallet -- changes each time, and they were able to use the same card repeatedly.
"The system treats this card as a new card every single time, and you are getting the access every single time," Kamath said.
Ted Rossman, a principal analyst with Bankrate, said there could be an issue with the hand-off.
"The ability to tap my phone or card on the turnstile and go through, I think, is amazing, but what we're talking about here is some of the vulnerability," he said.
Rossman said the speed of the transaction could be a factor. Because the transactions are instantaneous, tap-to-pay systems rely on something called deferred authorization, in which a card is processed without waiting for real-time approval from the bank.
He said that at a store, a transaction with a debit or credit card or digital wallet usually takes a little longer to go through, compared to the instant nature of tap-to-pay at a train station.
Cubic Transportation makes the MBTA's tap-to-pay system. It uses something called open-loop ticketing, according to the company's website. Experts say that when a card is flagged as invalid or a transaction is identified as fraudulent, that response is designed to go immediately to the transit operator, allowing it to stop further misuse once a charge has been denied.
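The mechanism the researchers describe comes down to what the gate's deny list is keyed on. The following Python simulation is an added illustration, not code from the MBTA, Cubic or the BU researchers: it models a fare gate that opens before the bank answers (deferred authorization), records every decline on a local deny list, and compares a deny list keyed by the DPAN the wallet presents with one keyed by a stable account reference. The `account_ref` field, the `Bank` class and the tap data are all constructed assumptions for the model; the article names no such identifier, and the point is only that a deny list keyed by a value that changes every tap can never match the next tap from the same card.

```python
"""Toy model of a deferred-authorization fare gate and its deny list (added example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Tap:
    presented_token: str  # the DPAN the wallet presents at the reader
    account_ref: str      # hypothetical stable reference to the funding account


class Bank:
    """Constructed stand-in for the issuer: declines every tap on the listed accounts."""

    def __init__(self, declined_accounts: Iterable[str]):
        self.declined: Set[str] = set(declined_accounts)

    def authorize(self, tap: Tap) -> bool:
        return tap.account_ref not in self.declined


class FareGate:
    """Deferred authorization: the gate opens first and the bank answers later."""

    def __init__(self, bank: Bank, deny_key: Callable[[Tap], str]):
        self.bank = bank
        self.deny_key = deny_key          # how a tap is looked up on the deny list
        self.deny_list: Set[str] = set()
        self.pending: List[Tap] = []

    def tap(self, tap: Tap) -> bool:
        """Return True if the gate opens. Only the local deny list is checked in real time."""
        if self.deny_key(tap) in self.deny_list:
            return False
        self.pending.append(tap)
        return True

    def settle(self) -> int:
        """Run the deferred authorizations; every decline is added to the deny list."""
        declines = 0
        for tap in self.pending:
            if not self.bank.authorize(tap):
                self.deny_list.add(self.deny_key(tap))
                declines += 1
        self.pending.clear()
        return declines


def key_by_presented_token(tap: Tap) -> str:
    """Deny list keyed on the DPAN shown at the reader (the behaviour the article reports)."""
    return tap.presented_token


def key_by_account_ref(tap: Tap) -> str:
    """Deny list keyed on a stable reference to the underlying account (hypothetical fix)."""
    return tap.account_ref


def rotating_wallet_taps(account_ref: str, count: int) -> List[Tap]:
    """Constructed input: a wallet presenting a fresh DPAN on each tap for one account."""
    return [Tap(f"dpan-{account_ref}-{i:04d}", account_ref) for i in range(count)]


def simulate(deny_key: Callable[[Tap], str], trips: int = 5) -> int:
    """Ride `trips` times on an account the bank always declines; return how often the gate opened."""
    bank = Bank(declined_accounts={"acct-declined"})
    gate = FareGate(bank, deny_key)
    opened = 0
    for tap in rotating_wallet_taps("acct-declined", trips):
        if gate.tap(tap):
            opened += 1
        gate.settle()  # the decline arrives only after the rider is already through
    return opened


if __name__ == "__main__":
    print("deny list keyed by presented DPAN:     ",
          simulate(key_by_presented_token), "of 5 trips opened the gate")
    print("deny list keyed by stable account ref: ",
          simulate(key_by_account_ref), "of 5 trips opened the gate")
```

With the token-keyed deny list every trip opens the gate, because each tap arrives under a value the list has never seen; with the account-keyed list only the first trip gets through. That first free ride is inherent to deferred authorization and is the trade-off the operator accepts for speed at the gate; what the back end can control is whether the second ride is blocked, which depends entirely on keying the deny list (and any decline-rate monitoring) on something that stays constant across taps from the same card.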
NBC10 Boston reached out to Cubic. The company referred us to the MBTA.
A spokesperson for the agency said, "The MBTA is committed to protecting the systems that support our riders and daily operations."
To strengthen cybersecurity, the T said it started what is called a Vulnerability Disclosure Program, or VDP, which the agency says provides a safe way for people to report issues.
"As a result, we gain valuable insights that help us fix issues before they can be exploited," an MBTA spokesperson said.
"If you're using an invalid card in theory, they shouldn't let you keep using it," Rossman said. "So there could be kind of a back-end technology fix there."
The BU researchers said they came forward with their findings because they want the T, along with other large transit systems, to be aware of the flaw so they can fix it and avoid losing money.
"I would say join hands, come together and try to solve this," Kamath said.
We reached out to both Apple and Samsung, along with a banking industry group, but we did not hear back.