The security of an RFID system, as with almost any payment or information technology system, depends on how it is set up. If a transit company is issuing transponders with unique serial numbers and allowing people to ride its busses as long as the ID in a transponder appears valid, then a criminal could buy an RFID card on the Internet, write the ID of a legitimate card to the transponder with an RFID reader-writer and then use it like the original. This would not require a lot of technical skill.
However, there are ways to prevent this kind of fraud. One would be in the physical design of the card. You could put the card-holder’s picture on the card, for instance, and bus drivers could then ask to see each card after it was used to pay for a fare. This would not be an ideal solution, however, since it would slow the boarding process down, and one of the big selling points of RFID is that it speeds up boarding processes by eliminating the need to find change and deposit it in a collection box.
Another option would be to use the tag ID (TID) in the transponder along with the serial number. Each RFID chip has a unique serial number that cannot be changed, which identifies the chip as unique. A serial number is then written to the tag’s memory. You could read the TID and serial number and make sure there was a correct match, in order to ensure the tag was not cloned. This, again, would not be the ideal scenario, since the read and lookup steps would take longer than just reading the serial number.
A third option—and, in my view, the best option—is to use a software layer for security. If a serial number were used twice a day to travel on bus number 1 on the east side of a city, for example, and suddenly a card with the same serial number started being used for random trips in the west part of the city, this would show up in the software. This could indicate that the original card had been cloned and was being used fraudulently. This is similar to how credit card companies detect credit card fraud (though magstripe credit cards are easier to clone than RFID transponders).