Tuesday, February 6, 2018

Are you being watched?

Do you feel safe in your home? Your exterior is probably pretty well defended against intruders with metal doors and deadbolts, locking windows, and maybe an alarm system. How about intruders from within?  “…The call is coming from inside the house”, an oft repeated quote from the 1979 movie, When a Stranger Calls, can still make your skin crawl when you’re all alone, think you heard a noise, and then the phone rings. Just the thought of an intruder with you in your home can be terrifying. There may not be physical intruders inside your home at this moment, but someone may be listening or quite possibly watching.

Internet of things

Kevin Ashton of Procter & Gamble first coined “Internet of things” in 1999. It is defined as network of devices, appliances, vehicles, etc. that connect and exchange data through the Internet. It is estimated the Internet of things will be populated with 30 billion devices by 2020.

Technology has always invaded our homes as we excitedly open the boxes to the latest modern conveniences. In the early days of the 1900’s telephones began appearing in homes. The 1950’s saw televisions showing up in living rooms. People started bringing home desktop computers in the 1980’s. Those computers were connected to the Internet in the 1990’s.  Phones went on our belts and into our pockets in the 2000’s and then became handheld computers. The first Internet connected appliance was a LG refrigerator released in 2000. According to Statista.com, there were nearly 36 million smart home devices sold in the U.S. in 2017. Over 40 million smart TV’s were sold in the U.S. in 2016 and 244 million worldwide.


The remote accessibility of household devices creates new security issues everyday. As appliances get “smarter” their vulnerability also increases. Smart devices only work to their full capability if they are connected to the Internet. Once that occurs they are searchable and hackable. When the device reaches out to the web it declares itself open for business. Hackers are always looking for unsecure networks and devices to exploit. If not for gain then just because then can.

We first heard about these types of intrusions in 2015 two years after consumers starting bringing home smart TV’s.  Samsung released TV’s in 2013 that could listen to voice commands from their owners. The problem? The TV has to be listening all the time to pick up the commands. What was “heard” was being transmitted via the Internet. Samsung warned consumers, through privacy policies, that spoken words are being captured and transmitted through the voice recognition system. Consumers were further warned not to hold personal conversations in front of the television. But who read or reads the privacy policies, right?

Another popular device entering our homes are web accessible cameras. We set these up to watch the nanny, housekeeper, or house in general. There are even petcams available that not only allow owners to watch their pets but speak to them and deliver treats remotely. The first cameras imbedded in teddy bears, sold as a “nanny cams”, began appearing on the market in 1992. The first cameras to transmit remotely via IP were sold by Axis Communications in 1996. Today, the market is flooded with cameras and phone apps that allow web transmission of live video. It’s fun to watch Mr. Snugglekins romp around the house. But if you can access your webcam remotely, so can someone else.


The device most people have heard stories about and are aware is the camera on your computer. Yes, they can be used against you. Unlike the movies, your home computer usually has to be “infected” with malware that you allowed in my clicking on a link or visiting a sketchy website. As with all of your devices, locally, you have to let someone in for them to be monitored. Not to say that you and your devices could not be specifically targeted and intruded. With the effort it could be done. Hackers and, yes, governments have the capability to access the television microphones, computer and remote cameras, turning them on and off and recording at will. However, most likely you’ve been the victim of malware.

The privacy and security issue with smart appliances is the collection and transmission of data. First, your viewing habits, conversations, actions are being collected. Second, the data is being transmitted to the Internet and held on third party servers. All of which can be hacked. So no matter the security measures you take at home, your personal data is vulnerable once it hits the WWW.

The thing is, you allow them into your home with the purchase, unpacking, and setup to connect to your network. Data transmissions you are unaware of because you have most likely allowed the device to set itself up per the manufacturer’s settings. Any warning or setup recommendations were clicked through and unread. Admit it. You’ve done it. Who reads the privacy settings on a new device? Or whenever you allow an update? That’s what the manufacturers are counting on. The key word in the previous paragraph is “allow”. You’re inviting the snooping by purchasing the device, bringing it into your home, and allowing self setup.

Your appliances aren’t the only ones listening. There’s been conspiracies floated the last couple of years that Facebook is listening to your conversations to better target ads. While feasible it is unlikely and has been debunked by several sources. Facebook may not be overhearing conversations but they, as is Google, “listening” by recording your search habits and even communications in messaging and emails apps to better address advertising. Netflix was recently caught by tweeting about the number of times a few viewers had watched one of its programs, trying to be funny. Netflix admitted that it did track viewing habits of subscribers.


When you invite smart appliances into your home you give up your privacy. You have to consider these devices as other persons and guard your privacy accordingly. Take the time to read the manufacturer privacy policies. Read the manual setup instructions and adjust the device settings accordingly. Block cameras in sensitive areas or turn them towards the wall when you’re home.

This reads like an Orwellian or tinfoil hat conspiracy. It wasn’t meant to be or to keep you from enjoying the conveniences of technology. Just be aware of the surroundings you’ve created. Any smart device has to be considered to be listening or watching. Alexa, Siri, Google, they all have to be listening all the time to be able to pick up your commands.

Please feel free to share. Read other posts about security in the blog archive.

Tuesday, January 16, 2018

Ban the box update

NOTE: This post was originally published in August 2016 and has been updated with more recent data.

The Ban the Box movement was initially reviewed in this blog in the 2013 post, Should the box be banned? As the movement has continued to grow this blog has updated the progress. The attention drawn to employment applications has now carried over to college admission applications as well.

What is “Ban the Box”?

For the last several years there has been a movement to remove from employment applications the “box” that asks the question, “Have you ever been convicted of a crime” or any inquiry about criminal history. What has become known as  “ban the box”, the campaign feels that one’s criminal history should not be a consideration of employment at the time an application is submitted, rather, at a later time during the interview process. It is felt that asking this question on the application reduces the chances of those with criminal records to be employed. Employers should meet applicants first, get to know them, give a chance to explain themselves and then get to the criminal history. The Equal Employment Opportunity Commission (EEOC) has updated its policies, issuing guidelines in 2012 suggesting that employers wait until after a personal interview before making inquiries about criminal history.

In January 2014, there were fifty-six cities that had “banned the box”. As of January 2018, that list included over 150 cities and counties, and 30 States (Ten of which have laws that include private employers)

Arizona             Louisiana               Ohio
California*       Maryland                Oklahoma
Colorado          Massachusetts*    Oregon*
Connecticut*   Minnesota*           Pennsylvania
Delaware          Missouri                 Rhode Island*
Georgia             Nebraska              Tennessee
Hawaii*             Nevada                  Utah
Illinois*             New Jersey*         Vermont*
Indiana              New Mexico          Virginia
Kentucky           New York               Wisconsin
*States with laws that also cover private employers

Maryland Ban the Box

Maryland’s law took effect October 1, 2013, and applies only to State of Maryland employment applications. State government cannot ask about criminal record or criminal history of an applicant until the applicant has been provided an opportunity for an interview. Exempt from the law are positions in the Department of Public Safety and Correctional Services. Baltimore passed a similar law in 2014, restricting employers with 10 or more workers from asking a candidate about criminal records until after a conditional employment offer is made.

Colleges Ban the Box

In 2016, the U.S. Department of Education requested that colleges and universities voluntarily remove criminal history questions from applications. Throughout the U.S. some colleges and universities have taken the request into consideration and removed the questions. States have been slow to act.

In 2017, Louisiana became the first state to enact a ban the box law for state institutions. Maryland passed a law in 2017, but the Governor vetoed it. In January 2018, the Maryland legislature overrode the Governor’s veto, reinstating the law. 

Please share.
See the blog archive for other posts relating to Ban the Box:
Should the box be banned? February 2013

Tuesday, January 9, 2018

The mighty have fallen

One of the biggest and repeated subjects of news for 2017 were charges of sexual harassment. Most notably the coming forth of victims in the entertainment industry. The topic so dominated the news that Time magazine made their 2017 Person of the Year all the women who came forward about sexual harassment.

Although it seems obvious, not everyone may know what constitutes sexual harassment. Especially in businesses with a small, familiar workforce. This is not a defense of the aggressors. Any reasonable person knows that touching and sexual comments have no place in the workplace, especially between supervisors and employees. But lesser degrees of harassment too include verbal, written, or pictorial may be thought of as accepted behavior. When in fact they meet the definition of harassment. This applies to the harassers and the victims. Victims either don’t realize that simple offenses rise to the level of complaint or do not feel that they can report the smaller incidents. Lines get crossed everyday.

Small business owners have to stay educated on changing cultures, how to protect themselves, and provide safe work environments. What was perceived as an acceptable work environment in the past is not today. This post hopes to address some of those questions.


Sexual harassment is a violation of Title VII of the Civil Rights Act of 1964, which applies to all employers with 15 or more employees. The Equal Employment Opportunity Commission (EEOC) defines sexual harassment as:
unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature and also can include offensive remarks about a person’s sex (male/female/orientation). Harassment is illegal when it is so frequent or severe that it creates a hostile or offensive work environment. Both victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex. The harasser can be the victim's supervisor, a supervisor in another area, a co-worker, or someone who is not an employee of the employer, such as a client or customer.

In 2016, EEOC received 6,758 charges alleging sexual harassment. Although the majority of cases are female victims, males filed 16.6% of the charges. The EEOC figures do not include charges and complaints filed with state authorities. Also not tabulated is the number of cases handled within the workplace and, of course, unreported cases.

Mind of the harasser

Dr. Ellen Hendriksen, provided four characteristics of a sexual harasser in an article written for the Psychology Today website Four Psychological Traits of Sexual Harassers November 9, 2017. Briefly, Dr. Hendriksen described harassers as someone who has a personality that enjoys exploitation, deception, and manipulation. They have the ability to disengage morally allowing them to justify their actions and create their own version of reality. Next harassers are employed in a male dominated field. This is important because women are the minority gender and more significantly targeted as victims of harassment. The last characteristic described by Dr. Hendriksen is an overall hostile attitude towards women. Harassers justify their actions as being normal and/or deserved. They feel they have done nothing wrong. Dr. Hendriksen summarizes by saying that, “harassment indicates a willingness to exploit and manipulate as a way to maintain or gain power. It demonstrates carelessness toward the victims and aims to keep them in their place.” Which might explain the powerful men who have had their harassment exposed.

Not reported

The majority of victims do not feel safe reporting any inappropriate behavior. Fear of retaliation is one of the main reasons victims do not come forward, that and humiliation. #WhyWomenDontReport has been viral several times since being started as an outlet for victims to share their stories. Just reading a few of the posts explains why victims may not report attacks for years or decades. Most of the posts support the reasons of retaliation and humiliation. Others relate how the victims believe that nothing will happen even if they do report the incident.

Unless the aggressor is publically boisterous with their behavior incidents of harassment rarely have witnesses. The strength in the complaints comes from the victims speaking out and sharing their stories. Even if complaints are made, the aggressors do not usually see a courtroom. Many states do not have specific sexual harassment laws or even workplace nondiscrimination laws. Charges are usually filed under the umbrella of other laws or in civil court. In order to get the complaint heard at the federal level charges must be filed with the EEOC. This is why you see quick dismissals with lawsuits filed at later times.

Companies are protecting themselves from legal action as well as their brand. They do not want to be seen as having a culture of harassment. If it can be shown that a company encouraged or did nothing to stop sexual harassment the employer could find themselves in court along with the aggressors.

Training and Education

A 2012 Supreme Court ruling held that a company could not be held responsible if there was an exercising of reasonable care to prevent and correct sexual harassment incidents.

A lot of small businesses view training as requirements for certifications or skills associated with the job functions of their employees. They sometimes miss the need to educate employees on issues facing the workplace. Employees not only need to improve their job skills, they need to learn how to conduct themselves in the workplace.

Be proactive. Don’t wait for a legal requirement to provide training. Twenty-five states have no requirements for sexual harassment training in the workplace. The other half range from: encouraging employers to provide training - only training supervisors - training for all employees. Some states, such as Maryland, will take into consideration a company’s training and education efforts when hearing complaints of sexual harassment. If a complaint is made against your business, you’ll want to be able to show the steps taken to prevent incidents and support provided to victims.

Training and education of employees should be held at regular intervals. Ensure all employees are made aware that any type of harassment will not be tolerated. They have to know that owners/executives/managers do not approve of and will not tolerate any form of harassment. Do not assume that everyone knows what constitutes harassment. Educate everyone on the basic definitions and provide the outlets necessary to receive and process complaints.

Have outreach efforts to ensure victims feel they have a safe environment in which to report incidents. This goes back to the company’s stance on the issue. If victims do not feel that they will be taken seriously and no action will be taken against aggressors, they will not file complaints. And even though a training and education program is in place, a hidden culture may still exist.

All reports must be taken seriously and employees must feel that they can make reports against any employee or supervisor without fear of retaliation. Which itself is a crime. But it is not enough to only take complaints. Management must conduct serious investigations and implement penalties when warranted.

Please share this and any post. See are blog archive for other posts on this topic.
Workplace safety November 2017

Tuesday, December 26, 2017

What's in this punch?

NOTE: This post was originally published in 2013 and has been updated with new information. 

The holiday season is upon us. Many employers are planning office parties or allowing employees to plan parties. You’ve heard the stories of bars being liable for their patrons after they leave the establishment or parents who have allowed parties to take place at their homes. These same liabilities are being applied to employers who serve alcohol at office parties.

Party on!

A 2015 survey conducted by the Society for Human Resource Managers (SHRM) found that approximately 59 percent of companies having holiday parties plan to serve alcohol. Less than half of those plan on regulating alcohol consumption by employees. While the parties can serve as an employee reward, team building, or morale booster when alcohol is involved they can also set the scene for inappropriate behavior and/or injuries. The aftermath of which employers have to deal with or could be held liable.

Many employers seek to hold the functions at offsite locations to further enhance or show commitment to the employee event. The location doesn't release the employer of liability and may sometimes encourage inappropriate behavior by employees as the offsite location and alcohol consumption lower inhibitions.

In the most notable case to date, a California Appellate court ruled in August of 2013 that an employer was liable when an employee caused a fatal accident after becoming intoxicated at the employer sponsored party. The ruling was based on vicarious liability and the employer’s responsibility for their employee’s actions. Not all courts may rule the same in all situations, but the precedent has been set.

Why take the chance with your livelihood?

The possibility of legal action should not dampen the festivities or cause employers to cancel parties. Employers have to be aware of the issues and plan accordingly. A little preparation and foresight now may save a lot of money and heartache later.

When planning the party, consider the need to serve alcohol. If alcohol is served manage the consumption by setting limits. Do not pay for alcohol at offsite locations. Arrange alternative transportation for those who do consume.

Review company policies, update as needed, and publish. Ensure employees are aware and reminded of policies regarding alcohol consumption, harassment, and behavior. Make sure social media policies are up to date and include information about the posting of photographs/videos and are sensitive to privacy concerns.

Every effort you make will help later if you were to be sued.

Tuesday, December 12, 2017

Recipe for history

This is a little off topic for this blog, but struck me a good subject. My daughter has been encouraging me to write a food blog so maybe this will be the start or the transition. Don’t expect a recipe at the end though. This is a story about what is behind a worn recipe card.

Several years ago I became interested in my paternal family history. A distant relative had already completed the maternal side and no one had looked in to the paternal side of my family. Great grandparents were traced back to Italian villages. Birth/death/marriage certificates, passenger manifests, and sundry documents were located and collected. What was discovered right in my cupboard was the impetus for this blog.

I have always treasured family recipes that live on in my daily and holiday cooking. Every family has a worn cookbook or recipe card from a relative. Sometimes more than photographs these are our connections to our heritage. The dish from the past can be created and brought to life in the modern world, living anew within our kitchen. The smells and tastes transport us to that relative’s kitchen where we helped or anxiously awaited the results from the oven or stovetop.

What set me on this culinary journey was a pastry. A little cookie that is sometimes filled with a minced citrus nut concoction. The cookies were remembered from my childhood but more recently as the cookies made their way into my children’s lives. We always knew them as Gloves as that was the name passed down by my Italian grandparents. There was a lull in the glove eating business until one day a package arrived from an aunt and uncle. Stuffed full was a box of gloves! Going Christmas tree hunting the next day the gloves accompanied us on the hunt. Every year we looked forward to the treat.

Making gloves is a little labor intensive and time consuming. Although we looked forward to the arrival of the package it did not come every year. We always got a little food gift but not always the gloves. I had family recipes but I did not have this one.

When I asked about the recipe, my aunt was quick to share. She hadn’t realized how much the gloves had become a part of my family’s holiday traditions. The preparation takes a lot of work and we all get busy during the holidays. Sometimes there just wasn’t the desire or open schedule to make the cookies. I, myself, make pizzelles every year. Some years it just seems like too much of a chore. Sometimes it takes a lot to drag out the pizzelle iron and set aside the time to make them. So I understood. I also found out from my aunt that the main reason our source dried up was because the uncle in the equation didn’t leave enough to share.

Like I needed another holiday treat to make, I never attempted to make the gloves. I did get the recipe and tucked it away. Last Christmas my daughter got me a blank recipe book for me to fill with old and new family recipes. That way they are all in one book, which could become our family’s recipe book to pass on. Certainly, all of the old recipes went in. While transcribing the glove recipe I noticed that there was an omission as to how to shape the cookies and the tool to use. Knowing that we would be visiting my aunt and uncle I put the recipe on hold until I could speak to them in person.

Once together, my aunt was more than happy to pull out her cookbook. I had family recipes, but to see the original pages and cards in her and my grandmother’s handwriting was touching. It was like visiting the family homestead in the old country or holding a certificate of marriage or birth of an ancestor. History. In your hands.

I found the information I was missing but also learned some more family history that I had never known. Turns out the crimping tool that is used to make the edges of the cookie was fashioned out of car parts by my grandfather. He wasn’t much of a conversationalist but he had an engineer’s mind and apparently (another family tidbit) was helpful in the kitchen when it came holiday baking time. When observed, the crimping tool is like any you’d see for crimping the edges of ravioli, wavy metal wheel on a wooden handle. Except it was hand made by my grandfather. Another thing to hold and behold.

Also learned was that in addition to gloves, the family called the cookies ewans. Never had I heard that reference. They were always gloves and I never questioned the meaning or origin. Just ate them. Well, my aunt and uncle could not provide any insight into the naming of the cookie. We just chalked it up to Italian-English translation diluted into family colloquialism.

But I couldn’t let it go. So once home I started researching the ingredients and names I had for the cookies to no avail. Thinking about the translation angle and no “W’ in the Italian language I was curious about the family name for the cookie “ewan”. I tried searching the Italian word for gloves, guanto or guanti. Now I know I should of started there but sometimes your mind processes the way it processes. Anyway, once that search was begun-Bingo! The recipes were filling up the search returns. Continuing the search I came across similar recipes for “wandies” and one that explained the family called the cookies “ewands”. Finally! A connection. 

Once I had all of this information I could see how the literal translation of gloves to guanti would become wandie or ewands or even ewan. 

It was an interesting journey that made me realize all of the family history that is packed into a recipe card. Although I had enjoyed the cookies for many years and passed them on to my children I had never sought the meaning behind the recipe. 

This year will be my first attempt at these cookies. Fairly confident I’ll get it close. Maybe I can encourage some family help. Make some new traditions. But I do know that they will definitely be going into the holiday baking rotation.

Tuesday, November 28, 2017

Workplace Safety

I’ve held off writing about this topic waiting for the appropriate time, which seems may never be. Prayers are offered to the victims of the senseless violence that has been taking place all too often. Public spaces and, sadly, places of worship have become unsafe. We have to be alert and on guard at all times, no matter where we go. The intent of the article began as a response to the sexual harassment accusations surfacing in the entertainment industry. Then a man shot several people at business locations in Maryland and Delaware. And the horrific murders in a Texas church. Every week brings more of these stories in the news. Staying on topic I’d like to speak about the hostile work environments caused by both violence and harassment. This article is posted with all due respect and prayers for the victims of recent violence. 

The workplace environment can be unsafe or hostile for several reasons. When the term, workplace safety, is used the first thought goes to accidents and hazards, which are some of the leading causes of injury and death. There can also be violent physical attacks against the business or the employees. Probably the most overlooked is the environment itself which can be toxic because of sexual harassment, bullying, or mistreatment. 

Hostility does not necessarily have to result in violence or injury. Many workers fear the workplace due to environments created due to sexual harassment and bullying. A survey conducted by the Rand Corp., Harvard Medical School, and the University of California, Los Angeles determined that one-fifth of Americans find the workplace environment to be hostile.


This type of workplace hostility has come to the forefront with the revelations playing out in the entertainment industry. Everyday more victims are coming forward and not only in that specific industry. The celebrity victims have empowered women and men across all industries to come forward. The Equal Employment Opportunity Commission (EEOC) defines sexual harassment as:
unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature and also can include offensive remarks about a person’s sex (male/female/orientation). Harassment is illegal when it is so frequent or severe that it creates a hostile or offensive work environment. Both victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex. The harasser can be the victim's supervisor, a supervisor in another area, a co-worker, or someone who is not an employee of the employer, such as a client or customer.

The EEOC reported 28, 216 incidents of harassment in 2016 with 6,758 of those being sexual harassment incidents. These numbers do not include charges filed with state or local agencies.

Employers are responsible for providing a safe workplace. This goes well beyond ensuring the physical location is safe and employees are trained in the performance of their duties. Employers are also charged with providing a safe and healthy work environment. This starts with the owners and managers and how they conduct themselves. They must be held to the company standard and train employees on how to make an inclusive workspace.

Training and education of employees should be held at regular intervals. Ensure all employees are made aware that any type of harassment will not be tolerated. All reports must be taken seriously and employees must feel that they can make reports against any employee or supervisor without fear of retaliation. Which itself is a crime.


Workplace violence can be more than employees returning to work and shooting co-workers. Violence can manifest itself in many forms. The Occupational Safety and Health Administration (OSHA) defines workplace violence as:
any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that occurs at the work site. It ranges from threats and verbal abuse to physical assaults and even homicide. It can affect and involve employees, clients, customers and visitors. Homicide is currently the fourth-leading cause of fatal occupational injuries in the United States.
Following the above definition, OSHA reports over two million incidents of workplace violence every year, with many cases unreported. The Bureau of Labor Statistics reported that there were over 400 workplace homicides in 2015. However, that number does not differentiate between being a victim as a result of the job or the victim of an attack, i.e.-Killed during a robbery of the business v. killed during an attack on the workplace. With this broad definition and the way statistics are captured it is hard to differentiate the specific acts of violence, how they occurred, and against whom. The point being, the workplace can be a dangerous place. Not just physical violence, but less graphic acts of violence can occur as well.

In August 2017, a Sterling, VA woman was convicted and sentenced to three and half years in jail for poisoning co-workers. An investigation into why co-workers had become ill after drinking coffee from the break room machine revealed that the coffee had been tainted. The woman later admitted that she had poured Windex, Ajax, and soap into the coffee machine water tank in an effort to make her supervisor sick. She also admitted to putting cleaning products directly into her supervisor’s coffee cup.

Small business owners have to realize that a violent act can happen anywhere to any type of business. Whether it is a disgruntled employee or customer, or the perpetrator just chooses the business for the act, a violent attack can happen anywhere. Therefore, workplace violence is everybody’s problem. More importantly, prevention is everyone’s responsibility.

Awareness and Prevention

FBI studies have concluded that individuals do not "snap" and suddenly become violent without an antecedent or perceived provocation. Instead, the path to violence is an evolutionary one. There are subtle indicators of the potential for violence. The trick is being aware enough to detect the indicators.

Prevention is everyone’s responsibility. From top to bottom. Every employee must feel that it is there responsibility to protect the workplace. Employers/managers have to know their employees and the atmosphere of the workplace. Watch for changes in behavior and disruptions. Monitor the post disruption atmosphere.

As with harassment issues training is paramount. Make employees feel safe in reporting potential threats.  Drill them on how to handle and respond to incidents. Review company policies. Practice what if scenarios.

Being aware of the possibilities is a good first step to a safe workplace. The weekly incidents in the news show us that we cannot hide our heads in the sand any longer. But being aware is not enough. Business owners have to take the initiative to make changes and educate their employees.

Please feel to free any post. See the blog archive for other posts regarding workplace safety.

Monday, November 13, 2017

Time expired on parking meters

You approach the parking meter. It is a standalone machine in the parking lot; not connected to a building or a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide into the slot as instructed by the screen instructions. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter distributes a receipt. Transaction complete. So what just happened? 

In the digital communication-everything is hackable world we live in how are parking meters safe? Research on this topic seems to indicate a risk reward scenario or more likely a Not worth the effort scenario. As we have seen in recent years, any system of any entity is subject to hacking. No matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin operated meters associated with spaces determined by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five-cents.

The first meters accepted coins and had a dial to engage the timing mechanism with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a system that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed. All of which have completed the same task, measuring an amount of time for a price. Manual mechanisms remained in service for fifty some years until advancement in technology allowed for digital operations in the 1980’s.

At this point in our history lesson drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement by local governments.  

Again Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar powered credit card accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter)  The so called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through the use of phone apps and single machines to regulate multiple spaces. They also can be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity. Which brings up the question-Can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers’ reverse engineered the technology and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (Appliances, thermostats, etc.) to invest more into securing the “Internet of things”

The International Parking Institute released a report titled, "What's What in parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped to prevent hacking. Similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly to the banks.

This also means that any credit card data stored on the meter is encrypted as well so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction it is recommended that you keep your receipt as it contains a bank authorization number on your receipt to reference your transaction with your credit card company.

Hacking the wireless connection to obtain credit data may not be fruitful but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturers credit card slot. The device collects credit card data as they are swiped. The problem is that parking meters are smaller than ATMs and gas pumps. So it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.  

So, our journey brings us back to the question, is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes as anything can be. Is it worth the criminals’ effort? Other than bragging rights probably not. The pay off is not worth the effort.

Another source of curiosity are vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to the pay off is not worth the effort as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security
Skimmers August 2017
Pain at the pump October 2016
Taking your identity on vacation June 2013