They tested the app's success on two transit systems, New Jersey Path and San Francisco Muni trains. Benninger and Sobell said that other systems might be vulnerable to such an exploit, in the form of an Android application that could make it possible for holders of a card to get free rides in Boston, Seattle, Salt Lake City, Chicago, and Philadelphia. Those other systems were not tested by the researchers,
Their discovery was announced at the EUSecWest security conference in Amsterdam, where they told those attending that if they ever thought smartphone tricks could get them public transit rides, then they would be correct. "A number of cities are rolling out RFID/NFC enabled access control as they move away from magstripe cards. This comes at a time when smartphones are also being enabled with NFC capabilities," they said.
They also said it was unfortunate that mass transit systems in the cities that could be vulnerable did not appear to understand how the security around the systems needs to be implemented—it is not a matter of bad technology but of proper implementation. Both of these systems tested, they said, were not using the security features of these cards correctly, allowing the two researchers to re-set the cards' data.