February 5, 2008
Paying Taxi Fare with Plastic: Now More Secure (Maybe)
Last year a taxi-patron was able to hack into a car's computer system, discovering people paying via credit card would have their information stored locally, right there for any enterprising passenger - or driver - to access. As if getting punched in the face for using plastic wasn't enough to worry about!
Yesterday, the NY Sun reported one credit card technology provider would change "its security policies" after this discovery. VeriFone is responsible for 45% of the touch-screen payment units and admitted drivers have access to itemized transaction logs: "[Up] until recently, those merchants had only to type in a user name and password on VeriFone's Taxitronic Web site and click through a list of truncated credit card numbers to receive the full, unencrypted numbers and expiration dates of customers' cards."
Now only the taxi fleet owners will have access to the information, and not each individual driver (though we'd be curious if the screens can still be hacked). Verifone VP Dave Faoro claimed the recent change "was on the business side, not a security thing." The NY Taxi Worker Alliance's very own Bhairavi Desai addressed their change by saying, "I don't know why fleet operators would be more trustworthy than an owner-driver. So many fleets have so many employees that would still have access to information that should be secure." Yeah...so we're gonna keep paying cash.
UPDATE: VeriFone contacted us to say "The NY Sun story was referring to an online system that is accessible only by participants classified as merchants," and that credit card information was not housed in the system in the cab and accessible to passengers.
Photograph from an error occurred while processing this directive
|
"Now only the taxi fleet owners will have access to the information, and not each individual driver"
What about those drivers that own their cabs?
The Sun article says that they're taking away access from owner-operators but keeping it for large fleets.
I don't think individual non-owner drivers ever had access to the data.
Also, this change has absolutely nothing to do with the previously reported "hack."
The "hack" was simply a malfunctioning taxi tech system that allowed a passenger to access locally-stored information (and there was no evidence that any sensitive information was actually stored locally).
The NY Sun report is about the online system one of the credit card processors provides to its merchants, which allows those merchants to access more data than some people think they should have. There is no hack involved.
Also, the previously-reported "hack" has nothing to do with this NY Sun article.
The "hack" (if you can even call it that) involved a malfunctioning screen that allowed a passenger to get into the hard drive. If sensitive data was stored locally, this might present an issue, but there is no evidence that sensitive data is stored locally.
The NY Sun article talks about the online system one of the credit card vendors provides to its merchants, which apparently gives them access to more data than some people think they should have. There is no hack involved.
Cabbies hate these things, partly because they have to pay the 5% or whatever to the card companies. I tend to agree. If the city wants to force cabbies to use these things, let the city pay the surcharge.
I know one good way for cabbies to fix this:
Get a dozen or so cabbies together to install card skimmers on these things (if it's possible.) A couple of news stories about card numbers being skimmed in cabs and sold to crooks: VIOLA! Card problem solved. I know I wouldn't use one in a cab if that kind of story got out.
Just a thought for all you Gothamist reading cabbies out there.
Oh, FWIW, can we have one story anywhere on the net that uses the term 'hacker' that doesn't end up with every "need a bath and a girlfriend" jackass arguing over the EXACT meaning of the word? Take it back to Slashdot, LOSERS!