During a short business trip to New York City this week, it dawned on me that I’ve often gotten practical security lessons in New York taxicabs.
In the late 1990s, I frequently went to New York for consulting engagements. I generally took one of the air shuttle services that operated hourly flights between Washington and New York, like winged buses. Upon arrival, almost without fail, I’d find that I had received dozens of texts, emails, voicemails, etc. In the taxi to Manhattan, I’d call back the customer or my office as quickly as I could.
Back in those days, cellphones weren’t really anyone’s main communication device, so when I used mine, I tended to be on the road, or more precisely, on a New York street in the back of a taxicab. Of course, I was using an analog cellphone. Remember those? They were a security nightmare. Many times my monthly statement would include charges for thousands of dollars’ worth of calls to people all over the world that I never made.
Those old cellphones lacked any reasonable form of strong authentication. The phones carried an electronic serial number (ESN) that identified them to the network, but there was no authentication of that ESN. The bad guys could easily capture a valid phone’s ESN and “clone” it to make fraudulent calls.
When digital phone systems were developed, the designers were no doubt told they must thwart the biggest threat of the day: fraud. They implemented things like subscriber identity modules (SIM) for doing cryptographically strong authentication of the client (phone) systems.
What they failed to do was to strongly authenticate the network to the phone, which allowed the bad guys to set up rogue base stations and trick phones into connecting to them, making unencrypted calls and whatnot. (There’s a strong case to be made that this lack of mutual authentication was on purpose, so that law enforcement and other entities could intercept, presumably lawfully, phone calls for investigative purposes.)
In any case, I learned my lesson about authentication the hard way, in a New York taxi.
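The three models described above (an unauthenticated ESN, SIM-style authentication of the phone only, and mutual authentication) can be compared side by side in a small simulation. This is an added sketch, not code from the original column: HMAC-SHA256 stands in for the real SIM algorithms, and the class names, the ESN value and the keys are constructed for illustration.

```python
import hashlib, hmac, os

def mac(key, role, nonce):
    # HMAC-SHA256 is an assumed stand-in for the SIM's real algorithm.
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()

class Network:
    def __init__(self, subscribers):
        self.subscribers = subscribers          # identity -> shared secret key
    def admit_by_esn(self, esn):
        # Analog model: the identifier alone is treated as proof of identity.
        return esn in self.subscribers
    def admit_by_sim(self, identity, challenge, response):
        # Digital model: the phone must prove it holds the key for this challenge.
        key = self.subscribers.get(identity)
        return key is not None and hmac.compare_digest(
            response, mac(key, b"phone", challenge))
    def prove(self, identity, nonce):
        # The network's answer to a challenge issued by the phone.
        return mac(self.subscribers.get(identity, b"\x00"), b"network", nonce)

class Phone:
    def __init__(self, identity, key):
        self.identity, self.key = identity, key
    def respond(self, challenge):
        return mac(self.key, b"phone", challenge)
    def attach_one_way(self, network):
        # Answers whoever asks; nothing here checks who the network is.
        return True
    def attach_mutual(self, network):
        # The phone challenges the network before trusting it.
        nonce = os.urandom(16)
        return hmac.compare_digest(
            network.prove(self.identity, nonce), mac(self.key, b"network", nonce))

def run_scenarios():
    esn, key = b"ESN-CONSTRUCTED-0001", os.urandom(32)   # constructed sample values
    home = Network({esn: key})
    rogue = Network({esn: os.urandom(32)})      # knows the identity, not the key
    phone = Phone(esn, key)
    old, new = os.urandom(16), os.urandom(16)
    overheard = phone.respond(old)              # a response observed once on the air
    return {
        "esn_only_accepts_copied_id": home.admit_by_esn(esn),
        "sim_accepts_fresh_response": home.admit_by_sim(esn, new, phone.respond(new)),
        "sim_accepts_replayed_response": home.admit_by_sim(esn, new, overheard),
        "one_way_phone_joins_rogue": phone.attach_one_way(rogue),
        "mutual_phone_joins_rogue": phone.attach_mutual(rogue),
        "mutual_phone_joins_home": phone.attach_mutual(home),
    }
```

The only scenario that closes both gaps is the last pair: the phone refuses a network that cannot prove knowledge of the shared key, while the legitimate network still passes.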
This week, more cabs, and another security epiphany. In two separate New York taxis between Manhattan and La Guardia Airport, I was able to use Apple Pay to make a contactless payment for my fare and a tip for the driver. Both cars had a credit card point-of-sale terminal in the passenger compartment. I could swipe a traditional credit card through its magnetic stripe reader, or I could make a contactless payment. (For the record, I did not see a chip option for an EMV-compliant card — could the payment industry here in the U.S. be leapfrogging right over EMV and going from magnetic stripe directly to contactless? Seems plausible.)