Your New Jersey PATH SmartLink card might be stolen electronically despite you being in physical possession of the card

I urge all PATH SmartLink cardholders to register their cards with the PATH online. The registration is free, and it protects your card from being stolen electronically.

The main benefit of the registration is that if you ever lose your card, you can report it lost, and the PATH would reimburse you for the unused balance on the card. As soon as a card is reported lost, it stops working.

If you don't register your card, someone else might. Your card might be registered by another person who has never seen your card. That person can then report the card lost. Your card would be immediately deactivated, and the person who had registered it would receive all the money on the card.

Each SmartLink card has a 20-digit Serial Number on the back, as shown in the photos below. Only a tiny fraction of all possible 20-digit numbers are valid Serial Numbers. However, the rule that determines whether a 20-digit number is a valid Serial Number can be discovered with relative ease.

It all started when I lost one of my recently purchased SmartLink cards before registering it. I did not have the Serial Number of the lost card written down. Nevertheless, I decided to try to figure it out. All I had were the Serial Numbers of the cards purchased together with the lost card at the same vending machine. I also asked my friends for the Serial Numbers of their cards, in order to have a larger sample from which I could deduce the pattern formed by the Serial Numbers.

The PATH allows an unlimited number of attempts to register a card. You can enter an arbitrary 20-digit number and receive one of four replies:

1. This is not a valid Serial Number.

2. The Serial Number is valid but the card is not in circulation, i.e. it has not been sold yet.

3. The card has already been registered.

4. Success. Your card has been registered.

After examining the Serial Numbers in my possession and validating my guesses by using the PATH's interactive system, I could reliably identify valid Serial Numbers. In the process of looking for my card, I have registered in my name a number of cards belonging to others. Here are the Serial Numbers of some of these cards:


At a minimum, the above cards are now protected from being registered by wrongdoers.

I have contacted the PATH and notified it about the vulnerability of its system caused by a weak rule determining validity of Serial Numbers. I have received no reply.
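The guessing described above depends on two properties of the registration form: unlimited attempts and four distinguishable replies. As an added example (not PATH's code and not part of the original post), this sketch shows a registration handler that throttles failed attempts per client and returns one generic message for replies 1 to 3; the class, message strings, limits and card identifiers are assumptions constructed for illustration.

```python
import time
from enum import Enum

class CardState(Enum):            # the four outcomes listed in the post
    INVALID = 1
    NOT_IN_CIRCULATION = 2
    ALREADY_REGISTERED = 3
    AVAILABLE = 4

# Assumed wording: replies 1-3 collapse into one message.
GENERIC_FAILURE = "We could not register this card."
LOCKED = "Too many attempts. Try again later."
SUCCESS = "Your card has been registered."

class RegistrationGate:
    """Hypothetical handler: throttles failures and hides why one failed."""

    def __init__(self, cards, max_failures=5, window=3600.0, clock=time.monotonic):
        self.cards = cards            # serial -> CardState (stand-in backend)
        self.max_failures = max_failures
        self.window = window          # seconds a failure counts against a client
        self.clock = clock
        self.failures = {}            # client_id -> timestamps of recent failures

    def register(self, client_id, serial):
        now = self.clock()
        recent = [t for t in self.failures.get(client_id, []) if now - t < self.window]
        self.failures[client_id] = recent
        if len(recent) >= self.max_failures:
            return LOCKED             # the serial is not even looked up
        state = self.cards.get(serial, CardState.INVALID)
        if state is CardState.AVAILABLE:
            self.cards[serial] = CardState.ALREADY_REGISTERED
            return SUCCESS
        recent.append(now)            # invalid, unsold and taken all count the same
        return GENERIC_FAILURE

if __name__ == "__main__":
    # Constructed sample data, not real Serial Numbers.
    cards = {"SAMPLE-UNSOLD": CardState.NOT_IN_CIRCULATION,
             "SAMPLE-TAKEN": CardState.ALREADY_REGISTERED,
             "SAMPLE-OPEN": CardState.AVAILABLE}
    gate = RegistrationGate(cards, max_failures=3)
    for serial in ("SAMPLE-BOGUS", "SAMPLE-UNSOLD", "SAMPLE-TAKEN", "SAMPLE-OPEN"):
        print(serial, "->", gate.register("client-1", serial))
```

Throttling and uniform replies only slow guessing; they do not show that the person registering a card actually holds it.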