Monday, November 13, 2017

Time expired on parking meters

You approach the parking meter. It is a standalone machine in the parking lot, not connected to a building or a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide it into the slot as instructed by the screen. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter distributes a receipt. Transaction complete. So what just happened?

In the digital-communication, everything-is-hackable world we live in, how are parking meters safe? Research on this topic seems to indicate a risk-reward scenario or, more likely, a not-worth-the-effort scenario. As we have seen in recent years, any system of any entity is subject to hacking, no matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time, the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin-operated meters associated with spaces determined by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, for which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five cents.

The first meters accepted coins and had a dial to engage the timing mechanism with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a system that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed, all of which have completed the same task: measuring an amount of time for a price. Manual mechanisms remained in service for fifty some years until advancement in technology allowed for digital operations in the 1980s.

At this point in our history lesson drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement by local governments.  

Again, Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar-powered, credit-card-accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter.) The so-called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through the use of phone apps and single machines to regulate multiple spaces. They also can be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity. Which brings up the question: can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter, three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers reverse engineered the technology and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public, parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (appliances, thermostats, etc.) to invest more into securing the “Internet of things”.

The International Parking Institute released a report titled "What's What in parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped to prevent hacking. This is similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly to the banks.

This also means that any credit card data stored on the meter is encrypted as well so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction, it is recommended that you keep your receipt, as it contains a bank authorization number to reference your transaction with your credit card company.

Hacking the wireless connection to obtain credit data may not be fruitful, but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturer’s credit card slot. The device collects credit card data as cards are swiped. The problem is that parking meters are smaller than ATMs and gas pumps, so it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.

So, our journey brings us back to the question: is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes, as anything can be. Is it worth the criminals’ effort? Other than bragging rights, probably not. The payoff is not worth the effort.

Another source of curiosity is vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to “the payoff is not worth the effort” as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security:
Skimmers August 2017
Pain at the pump October 2016
Taking your identity on vacation June 2013

Monday, October 30, 2017

All systems down

Computer customer service

‘The credit card system is down. Our database is down. We’ve been having problems with our system. It’s the system. We don’t have any control over that.’ It is beginning to sound like a conspiracy thriller in which one computer network is controlling all retail. The last few months I’ve been having customer service issues in which the employee I’m interacting with blames the problem on “the system”.
One dealt with annoying computer-generated reminder calls. I went to the physical store only to be told they cannot interact with “the system” locally. I’d have to call a help center to correct the problem.
A second was a similar situation in which calls were made to announce the availability of a multiple-item order for pickup. Upon arriving at the store I was told that only some of the items were in. Not the entire order. When I explained the call I received, guess what the answer was? “The system is automated and we can’t interact with or change it.”
Add to these examples all the other now-forgotten times when there is a problem with an account and the customer service rep blames it on “the system”.

Does automation equal poor customer service?

Are computers and the systems they support becoming an excuse for poor service? Something the employee can pass on to the customer as to why there is a problem? It shouldn’t be. Employees may not be intentionally using the excuse to pacify customers. It may be lack of information, poor training, or the culture of the company. The problem is exacerbated when customers also interact with the system and no one on the front lines can help.

After several interactions with broken or ill performing systems I’m beginning to learn that the front line person either doesn’t care or doesn’t have the access or training to handle the complaint. However, the employee on the front lines is the face of the company. They may not be empowered to resolve the problem, but they are the person trusted by the employer to deal with customers. They are “the company” from the perspective of the customer. As far as a disgruntled customer is concerned the employee is the CEO, CFO, COO, the chief of everything. Customers who own a business or are in the customer service industry understand the necessity of quality customer experience. When they are on the other side of the counter, they want the problem fixed now or at least some definitive answer as to when and how the problem will be fixed. To shrug and say, “I’m sorry, but there’s nothing that can be done. It’s how the system is set up”, does not send the customer off in a good mood. Nor are they likely to say anything good about the interaction, either in a conversation or online. Which is probably where the frustration will be vented.

A “system” being down affects the commerce of the company. Especially in the short attention span that is now our culture. If someone visits a site and can’t perform the function they’re attempting, they quickly move on to a competitor that can get the job done. Companies cannot afford to have malfunctioning computer systems.

Empower employees

Decision makers need to monitor their operations systems. Be aware of those that are aging or malfunctioning. Educate employees up and down the hierarchy to ensure everyone knows the capabilities and weaknesses. Get feedback from the employees who have to execute the plan and use the system to interact with customers AS the system is being developed. Get their buy-in before implementation. Seek out feedback from employees after launch to find bugs and problems in the process so that they can be quickly addressed.

Please feel free to share any posts. See the blog archive for other posts regarding customer service.

Tuesday, October 17, 2017

“Real” ID

The other day I jumped in a friend’s car for a quick errand. Doing the quick pocket check I noticed that all I had was my cell phone. Oh well, where we were going didn’t require money or identification. If I did need money I could probably use the mobile pay feature. The thought did cross my mind though: “What if I needed to identify myself to authorities?” Would security officers or the police accept the personal contact card on my phone as my identity?

Without a government issued ID isn’t your phone just like a wallet full of credit, library, reward cards, etc.? Lots of stuff with your name on it but no official identification. For the most part I doubt any police officer would accept information about you on a phone in your possession as a positive ID. They’d probably take it into consideration and just do it old school. Get all of the pertinent details and run a computer check to verify your identity.

Driver’s licenses as ID

When automobiles started roaming the countryside they and their operators were unregistered. In 1901 New York was the first state to require automobiles to be registered. Many states followed suit and required licenses for autos but not the drivers. Massachusetts and Missouri required the first personal U.S. driver’s licenses in 1903. Since that time driver’s licenses have been used not only as an affirmation that the state approved the holder to operate an automobile, but also as a form of personal identification.
Since the U.S. has no national identification cards, the driver’s license has filled that void.

Digital driver’s licenses, to be displayed on phones, are being considered in several states, Maryland being one of those. Security and privacy issues are at the forefront of these considerations. In the Apple v. FBI standoff we saw how difficult it is for law enforcement to unlock and/or view information on a person’s phone. So until your state adopts a digital driver’s license, using your phone to identify yourself probably wouldn’t be taken as official.

Security? Using your phone is probably a definite no, as you need a government-issued photo ID to get into facilities and to travel. Airlines accept digital boarding passes when backed by government-issued photo IDs. Even your standard driver’s license is changing. To combat fraud and counterfeits, states have been updating licenses and the way they are issued. Although many states took up the license issue themselves, Congress ensured that all states would have to get on board by passing the REAL ID Act in 2005.


The REAL ID Act set the benchmark for personal forms of identification establishing minimum security standards for driver’s license issuance and production. Further, the act prohibited federal agencies like the TSA from accepting driver’s licenses from states that do not meet the standards. The deadline set by the act is January 22, 2018. After that date residents of all states will need a Real ID Act compliant driver’s license or a passport to pass through airport security.

The act requires that driver’s licenses include all the identification features you would assume but also digital photographs, physical security features that prevent tampering or counterfeiting, and machine-readable technology (barcodes/magnetic stripes). As the concept of digital driver’s licenses is being studied, the effective date of the REAL ID Act in 2018 will either extend or quash those studies.

A list of REAL ID compliant states can be found on the Department of Homeland Security page, REAL-ID.

While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane. Probably better to add “license” to your pocket checklist.

Read the blog archives for another post about personal identification.
Can I see some ID? February 2014

Monday, October 2, 2017

Backup Safety

There was another report of a family member backing up in the driveway, running over, and killing their own child. When a parent loses a child the pain must be unfathomable. To be the cause through an accident is beyond imagination.

The child safety advocacy reports that over fifty children are backed over every week in the U.S., resulting in an average 232 fatalities. In 70% of the incidents a parent or close relative is the driver.

When learning to drive we were taught a safety checklist before turning the key. Over the years we become hurried, preoccupied, complacent. We drive the same cars every day. The seat and mirrors are always in the same place. Just start and go. Years of driving experience and familiarity with our surroundings blind us to what is right in front of us. Or behind. The safety checks become forgotten - second nature. Just like you can obscure a motorcycle with your thumb, has an interesting example of thirty children standing and sitting behind a SUV, all out of the view of the driver.

Children playing behind vehicles have no idea of the dangers. Bigger SUVs and trucks that have high clearances can create a welcoming, shady, private area for a child to play. Electric and hybrid vehicles exacerbate the hazards, as they create little to no sound.

Children being left in cars are yet another issue that is increasingly in the news. Sometimes it is forgetfulness. Some are purposeful in the sense, “It’s only for a minute”. If casinos are nearby the chances go up. Maryland covers approximately 12,400 square miles with a population of about six million, with six casinos spread throughout the State. According to a March 2017 Baltimore Sun article, Gamblers leave their kids in cars almost everywhere there are casinos, have chronicled more than 300 cases of child abandonment at casinos nationwide since 2000. There have been fourteen incidents of children abandoned outside casinos in Maryland over the last two years.

As responsible adults we need to stop and review our driving habits and preparations. It takes less than a second to check behind your vehicle before getting in. Checking the surrounding area and the interior before getting in the car should be part of a personal security/safety check anyway.

Simple changes to our routines, education and awareness, go a long way. They may literally save a young life.

Monday, September 18, 2017

Is your business ready for wild weather?

FEMA Photo library-Liz Roll

Note: This post was originally published in 2012 and has been updated with current information.

The last two weeks Mother Nature has unleashed her fury on the southern U.S. and eastern Mexico with three hurricanes and a major earthquake. As of this posting, two more hurricanes have the potential to strike the Eastern seaboard. Millions have lost homes and businesses. Between hurricanes Harvey and Irma everyone seemed to know at least one person, if not more, directly affected by the storms. Our prayers continue to be uplifted.

When this particular post was written in 2012 the Mid-Atlantic was preparing for another storm as we patiently watched the track of hurricane Sandy. While Sandy made more of an impact farther north, the Mid-Atlantic region had experienced some past wild weather. There were three blizzards in one winter, two back to back. In 2011, there were back-to-back tropical storms. In 2012, we experienced a derecho storm, with both the derecho type of storm and the name itself being new to the area. Going back to 2003, we all remember the massive flooding associated with Isabel. All of these weather events caused power outages, some for several days or a week plus.

Getting back to business

In 2012, as now, you see businesses staying open as long as possible to service their communities. After the storm they open as quickly as possible to resume operations. Sometimes a business is lost. In addition to ensuring that their family and homes are safe, small business owners must also protect their businesses, which in many cases are their livelihoods.

We become so accustomed to having electricity we forget all that is electric dependent, e.g., gas pumps, ATMs, cash registers and credit card machines, to list a few. We also become complacent as to how dependent our businesses are on electricity.

Power outages are reported in number of customers without power, not business loss. So there is not one source to determine how small businesses suffer. There are few businesses that can operate without power. Depending on your product you may be able to conduct some business with cash transactions. In the current economic climate any business loss is crucial. Add to that the possibility of losing inventory due to damage or loss of refrigeration and small businesses can really be hurt.

Preparation for business restoration

No different than a home, business owners should prepare for storms and power outages. The logistics of preparing your business for a storm and the loss of power after the storm can be complicated. Having a written plan of action can make the task easier. Take the lessons learned from past outages and make a simple outline. The adage of “being prepared” is true and can significantly reduce either your loss or time your business is down.

Depending on your location and the type of storm you may need to prepare your facility for flooding. This may include boarding windows, sandbagging, moving inventory and equipment. Your business has many unique facets that have to be examined when developing your plan. Here are a few operational items that should be considered.
  • Purchase generators or ensure generators are in place and operational.
  • Be prepared for cash transactions.
  • What type of telephone system do you use? Newer systems do not work without power or have limited hours battery backup.
  • What type of security do you have? As with the telephone system, security systems often have only limited hours backup. 
  • Backup computer business files. Sudden and/or prolonged power outages can result in data loss. When complete, store the files offsite. 
  • Review insurance policies and coverages annually with your provider. Update as necessary.
  • Make sure insurance and business documents are easy to locate and safe from harm.
  • In the winter, prepare for safe ways to provide heat to your business.  

The biggest mistake business owners can make is not heeding warnings and being caught off guard. We can all learn from the recent storms and past winters’ heavy snows. Having a recovery plan of action to protect your business assets may be some of the cheapest insurance available.

Monday, September 11, 2017

Cleaning Up Your Online Presence

Ever been asked at checkout for your phone number? You haven’t been in the store for a long time, if ever by your recollection, but the clerk wants to know if you’re in the system. You provide a phone number and surprise surprise you are in there! Phone number, name, and address. It’s probably not a retail conspiracy to create a super database of shared data. What it does reveal is how our lives and personal data are intertwined within the world of information.

When information was written on paper there was less of it and it was more fragile. Tear it up, burn it, poof it’s gone. Carbon paper, mimeographs, and copy machines (Younger readers will have to look those up) changed that. Documents were being copied and filed in triplicate. Computers, of course, made it all easier but it wasn’t until the ol’ World Wide Web came along that hiding in plain sight became difficult.

In the old days it was easy to disappear. You simply moved to another town. Started using a new name and slowly built your new persona. As technology progressed information began being stored on computers. Those computers could be accessed for information stored about you, but only for the specific information the entity had stored. Once computers became connected one entity could access another’s information. Then they began sharing information between each other and saving the data locally. The more digitally involved you are the bigger your online presence. As young people enter adulthood they have little to no digital footprint in the context of financial databases. What they do have is a social footprint, more on that later.

Google yourself

Have you ever searched your name? If not, give it a try. You might be surprised what pops up or how many of you are out there. The more you are in the public eye, the more information is going to be out there and, thus, the harder it is to clean up your online presence. A regular Joe should have limited occurrences as the result of a search. But even regular Joes can have an online presence depending on their interaction with social sites and images associated with their name. And that is what you need to control.

Information for sale

Think about the seed system of a watermelon. You can take out a portion from the middle, but there are going to be all those strands extending throughout the melon. That is how it is in the digital world. Things truly do live forever on the Internet. You can have a record expunged from a database, but any reference to or sharing of that record in other databases is going to give it new life. Data has become a big commodity. Everything is for sale on the Internet. Data is being collected on every interaction you have on the Internet. The data collected by brick and mortar businesses is sought after. Once government databases went online (real estate, court information, etc.), information brokers snatched up this data. All of this information is bought and sold and resold. The original purveyor of the data may have deleted it, but the new entity has it saved and has published it in its own way.

Everyone that has data is looking for revenue sources, especially governments. Data mining companies buy data from phone companies (landline and wireless) and the government (real property and court records). The information is legitimately offered for sale on the Internet through pay sites or resold. Ever get those mailings and wonder how Joe Realtor knows how long you’ve lived in your house and what you can sell it for?

Your Job image

Younger people may not be in databases for real estate or financial institutions, but they are using social media and sharing the media. Even someone with little life experience will pop up in a simple Google search, most likely under images. This is what haunts the 20-somethings when they start their job searches. Over the last few years different surveys have revealed that 40% of college admission offices and 40% of HR professionals research social media regarding applicants. Staying aware of your online presence is especially important when trying for a job.

Cleaning up online presence

Your first step should be to stop the flow of information. Review and change your social media privacy settings. Remove information from online shopping and other accounts that are old or unnecessary.

Whether it’s the garage, the basement, or the Internet, before starting any clean up job you have to assess the situation. Start by searching your name and then different variations with your name, town, occupation, and any other identifier that you feel has a strong attachment to your name. I would suggest using Google as it is the most powerful, but using other search engines wouldn’t hurt. You’ll probably get different results.

Make note of the sites in which you pop up and what they are referencing. Find the source of the material you want removed and contact the source directly. Many will want sound reasoning why the post/picture should be removed. You may want to read the company’s privacy statements before you make the call to know where you stand and/or how to make the request.

Even though the source removes the post, once it has been shared it lives on in other sites. You’ll have to track the post’s digital trail and contact those companies as well. The tedious part is finding every link that’s associated with your name and going through the process each time. As with any situation where you are fighting an issue: document, document, document. Keep copious notes of your efforts in case you need to prove your attempts later or make subsequent requests.

After all that you are still going to be able to “find yourself” on government public access sites like real property and courts. People search sites and phone number search sites sell the information you are trying to keep private. Matters of public record like newspaper articles in which you’ve been mentioned are going to pop up.

To get your name removed from marketing lists there are organizations that can help. Similar to the national do not call registry, these services allow consumers to opt out of marketing offers. You would be adding your name to another database, which may be counterproductive to what you’re trying to accomplish, but it does keep marketers from contacting you. Maybe. Who knows if it really works?

One such service is run by the Direct Marketing Association and allows consumers to have their names and addresses removed from direct marketing mailing lists. There is a fee: $2 for 10 years if you register online. The site can be found at The second removes the consumer from credit card and insurance offers. The service is provided in a joint venture between Experian, Equifax, Innovis, and TransUnion. The site can be found at

You won’t be able to eradicate everything. If you’re serious about removing yourself from the Internet you’ll have to have as much as possible redacted. The rest will have to get buried in the voluminous amount of data filling the Internet. The less that is out there the more specific the search will have to be to find you. Not gone but harder to find.

Your personal information may be in myriad retail databases but at least you can try to keep what others read about you to a minimum. You can’t just completely disappear but can clean up your online presence so that you’re not easily searched.

See our blog archive for more posts about online presence.

Monday, August 28, 2017

Ideologies in the workplace

Watching what unfolded in Charlottesville in mid-August I noticed one of the protestors wearing clothing marked with the Verizon logo, their uniform. Later Verizon issued a statement stating that the company in no way supports the white supremacist groups or the hate and bigotry associated with the groups. It may be some time, if at all, before we hear if this person was an actual employee and was disciplined or terminated. Obviously, this person, whether an employee or not, put Verizon in an awkward position.

Publicly representing the company for which one works does limit what an employee can do in their off duty hours. Some businesses have policies specifically stating that employees cannot express political views while representing the company. What the employee does off duty when not representing the company and whether the company can control these activities has come under court scrutiny. Most notably in the use of medical marijuana. (Smoke ‘em if you got ‘em {Marijuana in the workplace})

If an employee is wearing the company uniform and participating in activities that go against the company values, the company may have legal precedent to terminate or discipline the employee. The question that came to mind is: what if the employee keeps the off duty activity anonymous? They do not espouse their ideologies at work and are a solid employee/coworker. Somehow their off duty activities are exposed and now the workplace becomes a hostile environment. Are there grounds to terminate that otherwise productive employee?

What are employers’ rights?

Allen Smith, J.D., wrote an excellent article for the Society For Human Resource Management website, Can or Should Employers Fire Employees Who Participate in Hate Groups? Smith reinforces what I have found, that the answer is not clear. When what employees do off duty creeps into the workplace, several legal precedents have to be considered before an employee can be fired. Allen Smith makes the following points.
  • No federal law is violated if a worker is fired for being a member of a hate group or verbally expresses beliefs. Courts have rejected KKK members’ claim of religious protection under Title VII of the Civil Rights Act of 1964. Freedom of speech protections under the First Amendment do not apply to private employers.
  • Most states are work-at-will states, meaning that employees can be terminated for any lawful reason. California, Colorado, New York, and North Dakota have laws protecting workers against being discriminated against while participating in lawful activity outside of work. However, if it becomes known at work that an employee was participating off duty in a hate-based protest, an employer may choose to terminate, basing their action on violations of non-harassment policies.
  • When dealing with customers who are offended by an employee’s ideologies, businesses have to consider the impact on the business. If the person continues to be employed will that affect business? Or is firing the employee at the risk of being sued better for the company?

Human resource issues are not cut and dried. Even though similar issues may have arisen in the past, each case must be examined on its own. Always contact an employment law attorney before making termination decisions.