Security eureka moments in New York taxicabs

There’s something about a New York cab that lends itself to imparting lessons on technology and security

During a short business trip to New York City this week, it dawned on me that I’ve often gotten practical security lessons in New York taxicabs.

In the late 1990s, I frequently went to New York for consulting engagements. I generally took one of the air shuttle services that operated hourly flights between Washington and New York, like winged buses. Upon arrival, almost without fail, I’d find that I had received dozens of texts, emails, voicemails, etc. In the taxi to Manhattan, I’d call back the customer or my office as quickly as I could.

Back in those days, cellphones weren’t really anyone’s main communication device, so when I used mine, I tended to be on the road, or more precisely, on a New York street in the back of a taxicab. Of course, I was using an analog cellphone. Remember those? They were a security nightmare. Many times my monthly statement would include charges for thousands of dollars’ worth of calls to people all over the world that I never made.

Those old cellphones lacked any reasonable form of strong authentication. The phones carried an electronic serial number (ESN) that identified them to the network, but there was no authentication of that ESN. The bad guys could easily capture a valid phone’s ESN and “clone” it to make fraudulent calls.

When digital phone systems were developed, the designers were no doubt told they must thwart the biggest threat of the day: fraud. They implemented things like subscriber identity modules (SIM) for doing cryptographically strong authentication of the client (phone) systems.

What they failed to do was to strongly authenticate the network to the phone, which allowed the bad guys to set up rogue base stations and trick phones into connecting to them, making unencrypted calls and whatnot. (There’s a strong case to be made that this lack of mutual authentication was on purpose, so that law enforcement and other entities could intercept, presumably lawfully, phone calls for investigative purposes.)

In any case, I learned my lesson about authentication the hard way, in a New York taxi.

This week, more cabs, and another security epiphany. In two separate New York taxis between Manhattan and La Guardia Airport, I was able to use Apple Pay to make a contactless payment for my fare and a tip for the driver. Both the cars had a credit card point-of-sale terminal in the passenger compartment. I could swipe a traditional credit card through its magnetic stripe reader, or I could make a contactless payment. (For the record, I did not see a chip option for an EMV-compliant card — could the payment industry here in the U.S. be leapfrogging right over EMV and going from magnetic stripe directly to contactless? Seems plausible.)

Why was this a big deal? Well, those same lessons of identification and authentication from the 1990s telecommunications industry are just as valid today for the payment industry. Magnetic stripe payment cards are like the analog cellular phones of the 1980s and 1990s. They identify themselves, but do not authenticate anything. The contactless payments, including Apple Pay, use not only strong mutual identification and authentication, but they have further advanced to using a technique called tokenization. With tokenization, the customer’s real account credentials are withheld from the merchant (the taxi driver). Even if either of my taxi drivers had been co-opted by the bad guys to try to skim passengers’ credit card data, neither of them ever saw my actual credit card account information. All in a New York taxi.
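The difference between identifying and authenticating, and why authentication has to run in both directions, shown as an added example that is not from the original column. It is a simplified HMAC challenge-response model, not the actual cellular, EMV or Apple Pay protocol; the `Network` class, the function names and the identifier are constructed for illustration.

```python
import hashlib, hmac, secrets

def mac(key, nonce):
    # Proof of key possession, valid only for this one nonce.
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Network:
    def __init__(self):
        self.keys = {}     # identifier -> shared secret (constructed sample data)
        self.pending = {}  # identifier -> outstanding single-use challenge

    def enroll(self, ident):
        self.keys[ident] = secrets.token_bytes(32)
        return self.keys[ident]

    def accept_identifier_only(self, ident):
        # Analog-phone / magnetic-stripe model: a known identifier is enough.
        return ident in self.keys

    def challenge(self, ident):
        self.pending[ident] = secrets.token_bytes(16)
        return self.pending[ident]

    def accept_response(self, ident, response):
        nonce = self.pending.pop(ident, None)  # each challenge is used once
        if nonce is None or ident not in self.keys:
            return False
        return hmac.compare_digest(mac(self.keys[ident], nonce), response)

    def prove_to_device(self, ident, device_nonce):
        return mac(self.keys[ident], device_nonce)

def device_accepts(key, ident, network):
    # Mutual half: the device challenges the network before trusting it.
    nonce = secrets.token_bytes(16)
    return hmac.compare_digest(mac(key, nonce), network.prove_to_device(ident, nonce))

def demo():
    real, other = Network(), Network()
    ident = "ESN-CONSTRUCTED-0001"  # constructed identifier
    key = real.enroll(ident)
    other.enroll(ident)  # knows the identifier, holds a different key
    old = mac(key, real.challenge(ident))
    fresh_ok = real.accept_response(ident, old)
    real.challenge(ident)  # new session, new nonce
    return {"static_id_reused": real.accept_identifier_only(ident), "fresh_response": fresh_ok,
            "old_response_reused": real.accept_response(ident, old),
            "device_trusts_real": device_accepts(key, ident, real),
            "device_trusts_other": device_accepts(key, ident, other)}
```

A bare identifier is accepted every time it is presented, while a response computed for one challenge is rejected against the next; a station that knows the identifier but not the key cannot answer the device's own challenge.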

My conclusion from all of this is that we are indeed making some progress, at least in pockets where observed threats are at their highest levels — in other words, New York.

Does that mean that contactless payments using tokenization are perfect? Of course not. I have the utmost confidence that someone is going to come along and find weaknesses (yes, plural) in those protocols. But all of this raises the costs to successfully attack the systems, and that is the game we all play.

All in a New York taxi.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
