Automated fare collection (AFC) systems have been widely applied to practical transportation due to their convenience. Although there are many potential threats of NFC such as eavesdropping, data modification, and relay attacks, NFC based AFC systems are considered secure, due to the limited 10cm communication distance. Nevertheless, the proliferation of NFC-equipped mobile phones make such system venerable. We introduce and implement an attack on AFC cards that permits an attacker to top up his smart card and get a refund. We also propose possible countermeasures to defend against these attacks.