Anecdotal stories have New York City cab drivers using all kinds of excuses to discourage riders from paying with a credit card. But news reports of a rider apparently hacking the credit card reader display screen could do more to discourage plastic payments than any tall tale told by a cabbie.
InformationWeek and New York’s WNBC report that a New York software engineer was able to gain access to the operating system for the credit card reader’s touch-screen display, which is meant for presenting ads and short videos to riders, as well as enabling them to pay their fare with a credit card.
Artist and software engineer Billy Chasen got in a cab recently only to find an error message on the display screen. So Chasen decided to experiment a bit. As he explains in his blog, Chasen and was able to gain “full administrative access to everything on the PC.” He writes, “It was not only a security flaw, but people also pay with the screen if they use a credit card. That information could potentially be stored locally.”
VeriFone Transportation Systems, the display system’s vendor, explained to InformationWeek that passengers’ encrypted credit card data is not stored locally in the system, adding that the cab in question used an outdated modem, which was installed when the city was testing the display systems. In a post on Chasen’s blog, VeriFone said the outdated modem was subsequently replaced.
But security experts say Chasen’s story raises doubts about the security of the credit card payment systems.
“What if somebody was able to download coding to that machine that could record and transmit whatever you put in, including credit card numbers?” Al Brill, a computer security expert at Kroll Associates, asked WNBC. The theft of large numbers of riders’ credit card information would prove a nightmare scenario for VeriFone and would likely make New Yorkers think twice about swiping their plastic to pay a cab fare.
Weak security around credit card information has proved a disaster before. Earlier in 2007, the parent company of T.J. Maxx admitted that hackers had raided its computer system, making off with nearly 100 million credit card numbers. I’m sure that’s not the type of record the New York City Taxi & Limousine Commission is hoping to top.