During a short business trip to New York City this week, it dawned on me that I’ve often gotten practical security lessons in New York taxicabs.
In the late 1990s, I frequently went to New York for consulting engagements. I generally took one of the air shuttle services that operated hourly flights between Washington and New York, like winged buses. Upon arrival, almost without fail, I’d find that I had received dozens of texts, emails, voicemails, etc. In the taxi to Manhattan, I’d call back the customer or my office as quickly as I could.
Back in those days, cellphones weren’t really anyone’s main communication device, so when I used mine, I tended to be on the road, or more precisely, on a New York street in the back of a taxicab. Of course, I was using an analog cellphone. Remember those? They were a security nightmare. Many times my monthly statement would include charges for thousands of dollars’ worth of calls to people all over the world that I never made.
Those old cellphones lacked any reasonable form of strong authentication. The phones carried an electronic serial number (ESN) that identified them to the network, but there was no authentication of that ESN. The bad guys could easily capture a valid phone’s ESN and “clone” it to make fraudulent calls.
When digital phone systems were developed, the designers were no doubt told they must thwart the biggest threat of the day: fraud. They implemented things like subscriber identity modules (SIM) for doing cryptographically strong authentication of the client (phone) systems.
What they failed to do was to strongly authenticate the network to the phone, which allowed the bad guys to set up rogue base stations and trick phones into connecting to them, making unencrypted calls and what not. (There’s a strong case to be made that this lack of mutual authentication was on purpose, so that law enforcement and other entities could intercept, presumably lawfully, phone calls for investigative purposes.)
In any case, I learned my lesson about authentication the hard way, in a New York taxi.
This week, more cabs, and another security epiphany. In two separate New York taxis between Manhattan and La Guardia Airport, I was able to use Apple Pay to make a contactless payment for my fare and a tip for the driver. Both the cars had a credit card point-of-sale terminal in the passenger compartment. I could swipe a traditional credit card through its magnetic strip reader, or I could make a contactless payment. (For the record, I did not see a chip option for an EMV-compliant card — could the payment industry here in the U.S. be leapfrogging right over EMV and going from magnetic strip directly to contactless? Seems plausible.)
Why was this a big deal? Well, those same lessons of identification and authentication from the 1990s telecommunications industry are just as valid today for the payment industry. Magnetic strip payment cards are like the analog cellular phones of the 1980s and 1990s. They identify themselves, but do not authenticate anything. The contactless payments, including Apple Pay, use not only strong mutual identification and authentication, but they have further advanced to using a technique called tokenization. With tokenization, the customer’s real account credentials are withheld from the merchant (the taxi driver). Even if either of my taxi drivers had been usurped by the bad guys to try to skim passengers’ credit card data, neither of them ever saw my actual credit card account information. All in a New York taxi.
My conclusion from all of this is that we are indeed making some progress, at least in pockets where observed threats are at their highest levels — in other words, New York.
Does that mean that contactless payments using tokenization are perfect? Of course not. I have the utmost confidence that someone is going to come along and find weaknesses (yes, plural) in those protocols. But all of this raises the costs to successfully attack the systems, and that is the game we all play.
All in a New York taxi.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.