Monday, November 13, 2017

Time expired on parking meters


You approach the parking meter. It is a standalone machine in the parking lot; not connected to a building or a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide into the slot as instructed by the screen instructions. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter distributes a receipt. Transaction complete. So what just happened? 

In the digital communication-everything is hackable world we live in how are parking meters safe? Research on this topic seems to indicate a risk reward scenario or more likely a Not worth the effort scenario. As we have seen in recent years, any system of any entity is subject to hacking. No matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin operated meters associated with spaces determined by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five-cents.

The first meters accepted coins and had a dial to engage the timing mechanism with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a system that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed. All of which have completed the same task, measuring an amount of time for a price. Manual mechanisms remained in service for fifty some years until advancement in technology allowed for digital operations in the 1980’s.

At this point in our history lesson drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement by local governments.  

Again Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar powered credit card accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter)  The so called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through the use of phone apps and single machines to regulate multiple spaces. They also can be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity. Which brings up the question-Can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers’ reverse engineered the technology and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (Appliances, thermostats, etc.) to invest more into securing the “Internet of things”

The International Parking Institute released a report titled, "What's What in parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped to prevent hacking. Similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly to the banks.

This also means that any credit card data stored on the meter is encrypted as well so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction it is recommended that you keep your receipt as it contains a bank authorization number on your receipt to reference your transaction with your credit card company.

Hacking the wireless connection to obtain credit data may not be fruitful but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturers credit card slot. The device collects credit card data as they are swiped. The problem is that parking meters are smaller than ATMs and gas pumps. So it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.  

So, our journey brings us back to the question, is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes as anything can be. Is it worth the criminals’ effort? Other than bragging rights probably not. The pay off is not worth the effort.

Another source of curiosity are vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to the pay off is not worth the effort as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security
Skimmers August 2017
Pain at the pump October 2016
Taking your identity on vacation June 2013


No comments:

Post a Comment