Anytime a card is used as a credential for transferring money, or as an electronic purse, or as a debit/credit card, you are running a big risk that the person with the card in their hand can manipulate the card and add/delete money to the card without your knowledge. They can also potentially use the card to enter data into your device (be it a pay on foot, pay and display, stand alone meter, or ATM for that matter.
The “Black Hat” group of legitimate hackers decided to attack some meters in San Francisco. Here’s what they had to say:
“We’re not picking on San Francisco,” Grand said. “We’re not even claiming to get free parking. We’re trying to educate people about … how they can take our research and apply it to their own cities if they are trying to deploy their own systems or make them more secure…. Cities all over the nation and all over the world are deploying these smartcard meters (and) there’s a number of previously known problems with various parking meters in other cities.”
The problem in SF noted is that the meters worked either in batch mode, or they work off line. The meters in SF read the card, asked the person how much parking they want to buy, and if that amount was on the card, they deducted that amount from the card.
You are presenting the card to a potential thief and you are giving them all the time in the world to figure out how to hack the card, change it, and then come and park for free. It is conceivable that the kids in the engineering department at Stanford, Cal, or USF (or for that matter UCLA, Harvard, Cal Tech, UW or pick a school) have not paid for parking in years.
The only sure way to stop this is to have the information about the amount of money on the card held at a central computer and have the meter look there every time a transaction takes place. Some will say that the new “smart” cards with computer chips inside them are fool proof. Possibly, but I am waiting for the headline like the one above about “smart” cards.
If your system uses credit/debit cards and it is on line, my guess is that you are pretty safe. If it uses debit cards that are off line, you had better have your IT people check it out pretty closely. You could have a big problem on your hands.
The process that the folks at “Black Hat” went through is good for the industry. It keeps us on our toes and ensures that manufacturers don’t take too much for granted.
