NTU graduate jailed for hacking Kopitiam cards for free items, causing S$80,000 in losses

SINGAPORE — While pursuing a computer engineering degree at Nanyang Technological University (NTU), Tee Chin Yue began hacking his stored-value card for free air-conditioning services in his residential hall room.

He later used the same method to hack four Kopitiam cards 137 times, managing to get free food, drinks and cigarettes worth about S$12,000. The card is issued by food court operator Kopitiam for customers to make cashless payments at its outlets.

Finally, using the credits in those cards, he topped up 186 prepaid SIM cards from telco Singtel for users on e-marketplace Carousell, earning almost S$34,000 in total.

His actions led to Kopitiam suffering losses of S$80,812. He has since made restitution for the full amount. 

On Wednesday (April 1), Tee was sentenced to 10 months’ jail after pleading guilty last month to one charge under the Computer Misuse and Cybersecurity Act. Another similar charge was taken into consideration for sentencing. 

The 25-year-old Malaysian committed his offences between Aug 18, 2015 and Dec 13, 2016.

The court previously heard that Tee was staying in an NTU residential hall in 2015. Students staying there have to top up a stored-value card with cash before using the card to pay for air-conditioning services in their rooms.

Tee decided to modify his card so that it would register as having a stored value even though he did not top it up. 

He researched the card brand, bought a card reader, and downloaded a specialised computer programme and mobile phone applications.

After successfully hacking the card, he realised that he could use the same method to modify Kopitiam stored-value cards, which were from the same brand.

To avoid detection, he changed the last four digits of the card numbers. He then used the cards to get food, drinks and cigarettes.

Later, while checking the card value at Kopitiam card kiosks, he realised that he could top up Singtel prepaid SIM cards there as well.

He posted this service on online marketplace Carousell, offering to top up cards for S$8 for $10 in credit.

His customers gave him the prepaid card numbers, indicated how much credit they wanted and paid him via bank transfers. 

Sometime in 2016, he realised that the four Kopitiam cards were no longer working. Realising that the chain may have changed or upgraded its card system, he stopped accepting requests for SIM card top-ups.

Tee was also concerned that the authorities would catch up with him so he disposed of the cards.

His offences came to light when a Kopitiam staff member at its Lau Pa Sat outlet noticed another person making suspicious transactions. A police report was made on Dec 12, 2016.

Kopitiam then conducted internal investigations, focusing on cards where spending exceeded the top-ups made. 

The police also tracked down one of Tee’s Carousell customers, before arresting Tee in July 2017. He had graduated from the university by then.

Deputy Public Prosecutor David Koh sought 14 months’ jail for Tee, while his lawyer Edmond Pereira previously asked the court to call for a report to assess Tee’s suitability for probation.

Mr Pereira revealed that as part of his final-year thesis, Tee had written about a solution to the loophole. 

On his online LinkedIn profile, he is said to be now working as a senior software developer at Temasek Management Services, an IT service management firm.

Tee will begin serving his sentence on April 15 and remains out on a bail of S$15,000.

He could have been jailed up to three years, fined up to S$10,000, or both.