This app was mentioned in 5 comments, with an average of 7.40 upvotes
Rozumiem, czyli czegoś oficjalnego nie musimy się czekać
Ale to przecież możliwie bo widzę taką warszawska kartę ta aplikacja
It's not really "hacking" but Metrodroid (free) can read and display the credit card number and expiration date of any credit card you can scan
Since we were previously talking about a movie theater and an I-HOP (International House of Pancakes) franchise restaurant, the Department of Labor can just ask for the roster of employees, everybody's timesheets, and every receipt for that week + previous weeks for comparison purposes.
Of course, it would be nice if the former employee could submit a copy (or a picture taken with his phone) of the original timesheet he submitted, plus if he brought along a witness when he went to pick up his last paycheck (even if such a witness can only submit hearsay evidence, it may still be useful for the Department of Labor to know about).
Either that, or the former employee may want to bring his phone, turn on the video recording, and audio record his conversation with his former boss when he asks for his paycheck (this one is tricky because 12 States require consent of all parties involved, but there have been exceptions, especially if you know that a crime is about to be committed. So be careful with that one, record the conversation for your own protection, but seek legal counsel before formally submitting such evidence anywhere if you're in one of those 12 States).
Plus, if the former employee had any other corroborating evidence that he traveled to and from work, like an NFC transportation card, toll transponder logs, Chariot/Uber/Taxi receipts, gas receipts, coffee shop receipts (if the employee was a coffee drinker), and I personally know of one example where the employee was a smoker, so she got affidavits from the other smokers in her building that she regularly saw during smoke breaks.
This is the correct answer.
EZ-Link and FlashPay both implement CEPAS i.e. the Contactless E-Purse Application Specification. CEPAS is a protocol built on top of ISO-DEP, which is itself part of the NFC specification ISO 14443. You can buy the CEPAS specification to read if you want.
I have not read it, but there are public, open source implementations of reading the value and history off the card, and you can try it out if you have an Android phone with NFC.
Generally, the card stores a balance and transaction history, but it is tracked on a backend server as well, and ~~I believe the server is the authoritative source should the card and server disagree.~~ See /u/dont_throw_me's comment.
Of course buses probably do not access the server in real-time but instead store the transactions that have happened and reconcile them later on, so if someone were to figure out how to credit their card themselves without actually paying money, they would be caught later on. POS terminals and train gantries may actually verify whenever a transaction happens. I have no idea.
I would guess that some sort of authorisation is required to credit a card (perhaps some signature e.g. maybe ECDSA or RSA on the transaction by the card issuer). But I don't know.
I'm using this android app, no registration required:
https://play.google.com/store/apps/details?id=au.id.micolous.farebot