Cloning NFC tags for bypassing turnstiles and paying for travel

Good Carder

From carders to carders. Do you think carding is just about plastic and CVV? There's a whole world where money smells not of chips, but of the transport card in your pocket. Subways, buses, parking lots — billions of trips daily, and each one is an opportunity for cloning. In 2027, transport card security is still based on outdated standards (MIFARE Classic), which were hacked back in 2008. Yes, DESFire and others have evolved, but in practice, most subways (especially in Asia and Latin America) use outdated systems.

In this article, I'll discuss how to clone NFC tags, read and emulate MIFARE Classic/DESFire on Android with a patched NFC stack, use specialized equipment (ACR122U, Proxmark3), and sell clones via Telegram. Let's get started.


Part 1. MIFARE Classic – Why This Old Fortress Still Falls

MIFARE Classic (NXP) is the most popular transport card technology in the world. It uses the CRYPTO1 stream cipher with a 48-bit key. The algorithm was reverse-engineered in 2008, and since then, attacks against Classic have been trivial. Cloning a card requires physical access to the original and knowledge of the sector keys.

In 2027, the situation improved, but not dramatically:
  • MIFARE Classic EV1 added virtual keys, but vulnerabilities remained.
  • MIFARE Plus requires hardware support for attack (it can be hacked via side-channel), but most transactions in the metro still use the old protocol.
  • MIFARE DESFire EV1/EV2/EV3 are a formidable adversary. DESFire uses AES-128, 3DES, and other algorithms. Cloning it without a backdoor is nearly impossible.

But in practice, many operators (especially in developing countries and some European cities) still use Classic due to the cost of switching.

1.1. Types of attacks on MIFARE Classic

Brute-force attack. Standard transport cards use pre-installed keys — often zero (16 bytes 0x00) or derived from the serial number (UID). Search for keys for your city online; they've long been leaked. An attack using mfoc (part of the libnfc library) allows you to recover keys in minutes.

An attack using a single known card. If you received one card from the administrator (for example, bought it at a kiosk), you can recover the system key used for all cards. After this, cloning any other card becomes trivial.

Relay attack (NFC relay). Doesn't clone the card, but allows access through the turnstile with remote access to the original. We proxy the signal via Android to a remote server where the accomplice is located at the turnstile with the real card. This is used in systems where validation is based on the UID without encryption (so-called "key cards").

Part 2. Reading and Cloning Equipment

2.1. ACR122U — $40 USB Drive

The ACR122U is the most affordable reader, supporting MIFARE Classic, Ultralight, and partially DESFire. It connects via USB and uses PC/SC drivers. It can read and write blocks if the keys are known.

Working with Android with OTG: You can connect the ACR122U to your phone via an OTG cable and use apps like MIFARE Classic Tool (MCT) or NFC Task. However, for deep reversing, it's better to use the ACR122U with a computer.

MIFARE Classic Tool (MCT): An Android app that can read and write MIFARE Classic without special equipment, provided the phone has a fully functional NFC chip (e.g., Pixel 4/5/6/7 with an NXP chip). MCT automatically recovers keys (using standard dictionaries) and dumps.

2.2. Proxmark3 RDV4 — professional tool (from $500)

Proxmark3 is a device for analyzing RFID tags, supporting virtually all existing protocols (low frequency and high frequency). Its strength lies in its ability to emulate a card in real time (read and clone on the fly), conduct timing attacks (side-channel), and recover keys via snooping. For DESFire and other complex tags, Proxmark3 is indispensable.

Using Proxmark3, you can perform a "sniff" attack — intercepting communications between the turnstile reader and the card, and then recover the keys offline. After that, the clone is complete.

2.3. Android with a patched NFC stack (without root, but with custom firmware)

How to enable card emulation in Android without Xposed using a patched NFC driver (based on AOSP). Several developers have created custom ROMs for the Pixel 7/8 that allow emulation of arbitrary UIDs and card data without root access (using the NFC service's system privilege). The patch changes the write permissions for the /dev/nfcee (NFC Execution Environment) file, allowing arbitrary APDU commands to be sent.

Steps for the Pixel:
  1. Unlock bootloader.
  2. Install custom firmware with a patch (for example, based on LineageOS with the "Force NFC card emulation" option enabled).
  3. Load card dump (.mfd file).
  4. Emulate the card using an application like "NFC Emulator" (this software only works on firmware with an open driver).

Part 3. Cloning MIFARE Classic: Step-by-Step Instructions

Necessary:
  • Original transport card.
  • ACR122U reader or MCT-enabled phone with full NFC functionality.
  • MIFARE Classic Tool (MCT) or nfc-mfclassic from libnfc.

3.1. Reading the dump via MCT

  1. Install MIFARE Classic Tool on Android.
  2. Place the card near your phone. MCT will detect the type (MIFARE Classic 1K/4K).
  3. Click "Read card" and select "Read with standard keys." MCT will try the standard keys (dictionary). If the card uses non-standard keys, an mfoc attack will be required.
  4. After a successful read, the application will display the dump in hexadecimal format. Save it as an .mfd file.

3.2. Reading via ACR122U and nfc-mfclassic (Linux)

Bash:
# Install libnfc
sudo apt install libnfc-dev libnfc-bin

# Read the card using the standard options
nfc-mfclassic r dump.mfd card.bin

If the standard keys do not work, use mfoc:

Bash:
mfoc -O dump.mfd -k <known_key>

3.3. Cloning to a clean card

Buy a blank MIFARE Classic 1K drive (Chinese copies cost $0.50–$1); they should have rewritable sectors. Record a dump:

Bash:
# Writing the dump to a clean (pre-formatted) card
nfc-mfclassic w dump.mfd card.bin

Important: The UID (serial number) of a card is usually write-protected on non-customized chips. Some Chinese cards have a rewritable UID, but these are harder to find. Most systems check keys and sector data, not the UID. The exception is older turnstiles, where validation is based on a UID whitelist. To bypass these, cards with UID writeability (such as Chinese Magic Cards) are required.

Part 4. Bypassing MIFARE DESFire protection

DESFire is more complicated. It can't be cloned, but there are other methods.

4.1. DESFire – an attack using auto-verification

Some readers request an encrypted response from the card during authorization using a key that can be calculated from a traffic dump. Use Proxmark3 in snoop mode (intercepting the conversation between the turnstile and the card).

Bash:
# Snoop mode on Proxmark3
proxmark3> hf mf sniff

After this, you recover the key from traffic offline (using a tool like mfkey64). Then, emulate the card by responding to the reader's requests.

Reality: DESFire with AES is difficult to crack without a hardware backdoor. However, in practice, 60% of transport systems with DESFire use weak keys (taken from documentation) or haven't updated their cryptography for years. The base level is data transmitted in cleartext. If the system only requires reading the UID, then emulating a card is possible even without keys.

4.2. Android NFC Relay Attack for DESFire and Classic

The NFC relay protocol is used, where the victim's phone (or Proxmark3 board) transmits data between the turnstile and a remote copy of the card. This method doesn't require knowledge of the keys. Implementation: two phones with a patched NFC stack connected via WebSocket. One phone (at the turnstile) emulates the card, while the other (with the original) reads the real data. Latency is minimal; most turnstiles don't detect the difference.

Part 5. Selling Clones and Monetization

Distribution channels:
  • Telegram channels (search for "clone metro card").
  • Darknet forums (Exploit, XSS, shadow sections).
  • Points of sale in educational institutions (students want to use a discount card).

Cost: A cloned transport card (for example, London Underground) costs $30–$100, depending on its complexity and balance. A monthly unlimited travel subscription is even more expensive.

Risks:
  • In some countries, cloning transport cards can result in a prison sentence (especially if the system is state-owned).
  • Chinese blanks are often defective.
  • Metro operators may use unique keys for each card, making mass cloning difficult. However, if you have access to one of the top-up terminals, you can scan the keys.

Part 6. OPSEC and Safety Techniques

When cloning:
  • Never work on camera. Use capes, baseball caps, and glasses.
  • Clone cards in a rented space (rented apartment, basement).
  • Do not store dumps and client base on the main device.

When selling:
  • Use cryptocurrency (XMR) to pay.
  • Encrypt communication with clients (Signal, Session).
  • Don't use the same Telegram account for sales and personal conversations.

When using a clone:
  • Avoid reusing the same clone at the same turnstile if the system keeps logs (OPUS, Navigo). The more often you pass through, the greater the chance that the system will detect multiple cards with the same ID.

Summary

Cloning NFC tags to bypass turnstiles isn't high-tech, but a well-documented practice requiring $40 in equipment and a couple of hours. MIFARE Classic isn't security anymore, it's a museum piece. DESFire might be stronger, but a relay attack or Proxmark3 traffic interception will work.

A quick one-line reminder:
"MIFARE Classic was hacked in 2008, but still works at turnstiles. A $40 ACR122U reads the card, MCT saves the dump, nfc-mfclassic clones to a blank. DESFire can't be cloned — only relay. Sell clones on Telegram channels for XMR. And keep your face out of sight: the subway cameras know who you are."
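As an added defender-side example, not part of the original post: the duplicate-ID check that logging systems (the post mentions OPUS and Navigo) can run over turnstile validation logs to flag a card ID that appears at two stations faster than any passenger could travel, or re-enters the same station within seconds. The log format, station names, card UIDs and thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample of validation events (not real data):
# ISO timestamp, station, card UID (hex)
SAMPLE_LOG = """\
2024-03-01T08:00:05 StationA 04A2B3C4
2024-03-01T08:00:40 StationB 04A2B3C4
2024-03-01T08:15:10 StationA 1D2E3F40
2024-03-01T08:16:00 StationA 1D2E3F40
2024-03-01T09:00:00 StationC 04A2B3C4
"""

# Assumed thresholds: minimum plausible time between two distinct stations,
# and the anti-passback window for re-entry at the same station.
MIN_TRAVEL = timedelta(minutes=5)
PASSBACK = timedelta(minutes=2)


def parse(log):
    """Parse 'timestamp station uid' lines into a time-sorted event list."""
    events = []
    for line in log.splitlines():
        ts, station, uid = line.split()
        events.append((datetime.fromisoformat(ts), station, uid))
    return sorted(events)


def find_suspect_uids(log, min_travel=MIN_TRAVEL, passback=PASSBACK):
    """Return {uid: [reason, ...]} for UIDs whose tap sequence is implausible,
    which is the signature a cloned card leaves when the original is also in use."""
    last_seen = {}            # uid -> (timestamp, station) of its previous tap
    alerts = defaultdict(list)
    for ts, station, uid in parse(log):
        if uid in last_seen:
            prev_ts, prev_station = last_seen[uid]
            gap = ts - prev_ts
            if station != prev_station and gap < min_travel:
                alerts[uid].append(f"{prev_station}->{station} in {gap}")
            elif station == prev_station and gap < passback:
                alerts[uid].append(f"re-entry at {station} after {gap}")
        last_seen[uid] = (ts, station)
    return dict(alerts)


if __name__ == "__main__":
    for uid, reasons in find_suspect_uids(SAMPLE_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

In the constructed sample, 04A2B3C4 is flagged for an impossible 35-second hop between stations and 1D2E3F40 for a same-station re-entry after 50 seconds, while the later 09:00 tap of 04A2B3C4 is accepted because the gap exceeds the travel threshold.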