Getting a free ride on Muni no longer requires boarding through the back door and hoping a fare inspector doesn't ask to prove you paid. Technologically skilled transit riders with the right type of smartphone can tinker with Muni's paper limited-use fare cards and restore their values without paying.

A firm specializing in security for mobile applications and devices has discovered a flaw that could allow some transit fare cards - including the Municipal Transportation Agency's limited-use tickets but not plastic Clipper cards - to be abused by fare cheats.

Corey Benninger of Intrepidus Group of New York was on an unrelated job in San Francisco last year when he noticed Muni was using smart cards. He discovered that he could use a new mobile phone to read the data on the cards but could not reset the stored value to get a free ride. Back in his hotel, he found that he could do that with his laptop, then created an app that allowed him to use his phone to rewrite the tickets and get free fares.

Max Sobell, another Intrepidus analyst, made a similar discovery one day on his way home from work on the Path subway system between New York and New Jersey, when he noticed that the transit system used the same type of transit ticket for certain fares. Benninger said it appears that Muni and Path are the only U.S. transit agencies currently at risk.

The application created by Intrepidus, "is just for us to test and demonstrate just how easy it could be for someone to perform this attack," Benninger said. "We have no intent to release the full version."

Intrepidus staffers met with Muni and Path officials last year to notify them of the potential for abuse. The firm also presented the information at a security conference in Europe last week.

"We had hoped this would be fixed on both systems before we released this data, but our understanding is that's not planned for possibly years down the line," Benninger said.

Since other transit agencies could adopt a similar payment system, they wanted to highlight the security issues.

A limited version of Intrepidus' app is available to transit agencies that want to test whether their smart cards are vulnerable. But it doesn't have the capability to change or reset the cards' data, Benninger said.

Fixing the flaw could require costly software changes to Muni's limited-use fare cards as well as its fare gates, Benninger said. The paper tickets were never intended to be refillable, as they are on Muni, and protecting them could require the security features now built into the costlier Clipper cards.
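The article does not describe the tickets' memory layout or the gates' logic, so the following is a constructed model added here for illustration, not Muni's, Cubic's or Intrepidus' code. It shows the general failure the paragraph above points at: when a ticket's remaining value is kept in memory that any reader can rewrite, a rider who dumps the card before riding and writes the dump back afterwards gets the value back. It also shows why bolting an authentication tag onto that value does not help (the old value and its old tag are restored together), and how an irreversible on-card record does. The key, the one-time-programmable (OTP) bits, the serial number and the two-trip ticket are all assumptions of the model.

```python
"""Toy stored-value ticket model (constructed example, not Muni's or
Cubic's card format). Shows why a trip counter in rewritable card memory
can be restored by anyone with a reader/writer, why an authentication
tag alone does not stop that, and how an irreversible on-card record
(one-time-programmable bits) does."""
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical key held by the fare gates / back end, never by the card.
GATE_KEY = b"demo-gate-key-not-real"


@dataclass
class Ticket:
    uid: bytes        # factory serial number, read-only
    user: bytearray   # user memory: any reader/writer can rewrite it
    otp: int = 0      # one-time-programmable bits: 0 -> 1 only, never back

    def punch(self, bit: int) -> None:
        self.otp |= bit   # emulates OTP hardware: a set bit stays set


def tag(uid: bytes, trips: int) -> bytes:
    """8-byte truncated HMAC binding a trip count to one card's serial."""
    return hmac.new(GATE_KEY, uid + bytes([trips]), hashlib.sha256).digest()[:8]


# Scheme A: bare counter in rewritable memory.
def issue_plain(uid: bytes, trips: int) -> Ticket:
    return Ticket(uid, bytearray([trips]))


def gate_plain(t: Ticket) -> bool:
    if t.user[0] == 0:
        return False
    t.user[0] -= 1
    return True


# Scheme B: counter plus authentication tag, both in rewritable memory.
def issue_tagged(uid: bytes, trips: int) -> Ticket:
    return Ticket(uid, bytearray(bytes([trips]) + tag(uid, trips)))


def gate_tagged(t: Ticket) -> bool:
    trips, mac = t.user[0], bytes(t.user[1:9])
    if trips == 0 or not hmac.compare_digest(mac, tag(t.uid, trips)):
        return False
    t.user[0] = trips - 1
    t.user[1:9] = tag(t.uid, trips - 1)
    return True


# Scheme C: tag over the *initial* count; each ride punches one OTP bit.
def issue_punched(uid: bytes, trips: int) -> Ticket:
    return Ticket(uid, bytearray(bytes([trips]) + tag(uid, trips)))


def gate_punched(t: Ticket) -> bool:
    initial, mac = t.user[0], bytes(t.user[1:9])
    if not hmac.compare_digest(mac, tag(t.uid, initial)):
        return False                      # forged or altered initial count
    used = bin(t.otp).count("1")          # rides already punched
    if used >= initial:
        return False
    t.punch(1 << used)                    # irreversible: cannot be restored
    return True


def ride_then_restore(t: Ticket, gate) -> tuple:
    """Attacker model from the article: dump the card with a phone, ride
    until refused, write the dump back, ride again. Returns (paid rides,
    free rides after the restore)."""
    dump = bytes(t.user)
    paid = 0
    while gate(t):
        paid += 1
    t.user[:] = dump          # only user memory can be written back
    free = 0
    while gate(t):
        free += 1
    return paid, free


def demo(trips: int = 2) -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")   # constructed serial number
    return {
        "plain": ride_then_restore(issue_plain(uid, trips), gate_plain),
        "tagged": ride_then_restore(issue_tagged(uid, trips), gate_tagged),
        "punched": ride_then_restore(issue_punched(uid, trips), gate_punched),
    }


if __name__ == "__main__":
    for scheme, (paid, free) in demo().items():
        print(f"{scheme:8s} paid rides={paid} free rides after restore={free}")
```

Running the demo shows the plain and tagged tickets each giving two free rides after the restore, while the punched ticket gives none. The tag still matters in Scheme C: without it a rider could simply write a larger initial count. The other usual way to close the gap, when the card has no irreversible storage, is a back-end ledger keyed by the serial number, which is the kind of record a contractor would consult when asked whether tickets are being abused.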

Muni spokesman Paul Rose said that the transit agency is aware of the vulnerability and is working on a fix with the Metropolitan Transportation Commission, which helped create the San Francisco fare card for Muni riders not interested in getting Clipper cards. Rose said the agency isn't aware of anyone taking advantage of the flaw allowing free rides and is monitoring the situation.

John Goodwin, a commission spokesman, said the regional transportation agency has asked Cubic, the contractor that designed and operates the regional, cashless fare-collection system, to investigate whether anyone has been abusing the Muni limited-use tickets and to determine the extent of the problem.

"We have not seen any discernible change in limited-use tickets," he said. Cubic has also been asked to explore possible fixes and their cost. The commission would then need to decide whether it's cheaper to live with, or repair, the flaw.

Relatively few Muni rides are paid for using the limited-use tickets, Goodwin said. The tickets are sold only at the nine Muni Metro stations, where riders cannot pay cash to enter, and each fare card can only hold one or two trips at a time, meaning there is limited incentive to abuse the system. One approach, Goodwin said, could be to reduce the 90-day life of the limited-use tickets. Another, which nobody wants to consider, would be to eliminate them.