NFC is growing around us. In several EU and US countries Mifare Ultralight cards have been adopted as standard for cheap single-ride or multiple-rides tickets for transport systems. In the past year we’ve studied and successfully exploited three different types of vulnerabilities in these systems. In this talk we will demostrate how an abuser can easily get free rides in a transport system, just using his/her NFC-enabled smartphone; moreover, we show that it is also possible to forge (and sell) tickets very cheaply. We will show practical examples of how such attacks can be performed, and how they can be fixed in a cheap and secure way, using an Arduino board which acts as a ticket-stamping machine.