Tuesday 12 September 2017

Guy misses point about privacy, at least doesn't claim to be cyborg

A rail company replaces tickets with a chip in your hand. The conductor scans the chip with a phone (presumably it's an NFC chip). The phone identifies the customer from the ID number stored on the chip then looks in the database to find out whether the customer has paid for the journey.

It means you can't lose your ticket, I guess, but it leaves a trail that criminals and governments can hack and that is presumably subject to court orders from law enforcement agencies. It's not for me, but I won't judge people who find the convenience worth the privacy it leaks. And I have to admit that this kind of thing is still pretty cool, even though it's generally a bad idea.

There's an almost criminal lack of detail in this short video (which was filmed for the Travel Show of all things), but there's enough to get the general idea. The WARNING WILL ROBINSON part comes where the presenter asks the guy from the company about privacy. He says it's OK because the chip doesn't transmit and that it only contains a customer ID so nobody "outside the company" will be able to find out anything about you.

Yeah, that's all bollocks. Of course the chip transmits, otherwise how could the phone read it? What he means is that the chip doesn't have a power source, so it only transmits when an NFC reader (presumably such as the one on my phone) is in close proximity and powers up the chip itself. That range is a few centimetres with a phone and more with a purpose-built reader antenna, and a passive tag answers any reader that powers it, not just the conductor's. Whoever reads it gets the same fixed ID every time, which is enough to recognise the same person again and, if the phone trusts the ID alone, to replay it. Surely there's no way to scan someone's chip without their knowing, right? Yeah, and pockets never get picked.

But that's not the main issue. The company guy is arguing that the ID number is not very useful by itself because all the information about the customer is in a database somewhere else, which is assumed to be secure.

It isn't. Someone will get at it sooner or later. Let's look at how this system might work:

Let's give the company the benefit of the doubt and say that the conductor's phone contains only a list of IDs of the customers who have paid for a particular journey. That would be the most secure option and the only thing the conductor needs to know. Live access by the phone to the company's database, for example, would be a very bad idea for lots of reasons. In the interest of brevity, I won't cover them here (ask in the comments if you're interested).

But that list will need to be updated before and during the journey, which could happen via wifi or mobile networks. So perhaps the train has a server which is constantly updated over a mobile signal and the phone talks to the server by wifi. Or maybe the phone itself is updated directly over a mobile service. It doesn't matter which scenario is used: every one of those connections is an attractive point of attack, and the odds that at least one of them can be attacked are not particularly slim.

Once someone has got into that system, there's a good chance that mischief will be possible. Even if the network interface strictly implements the rule that customers are referred to only by their ID numbers, what's the betting that the company that supplies the kit and software won't be able to resist bundling extra features? What if the customer wants a physical receipt to claim expenses? Will the conductor be able to print one? In which case the transaction and customer data will need to be on the air at some point, where it is vulnerable. We can think of many other scenarios where the customer's data would not be 'safely' behind a firewall.
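To make the "list of IDs on the phone" option concrete, here is an added example in Python (my code, not the rail company's or the BBC's; the customer IDs, journey names and secret are made up). It contrasts the phone list described above, which carries raw customer IDs, with a hypothetical version in which the server derives a per-journey key and ships the phone only keyed hashes of the IDs that paid. The conductor's phone can still verify a scanned ID, but a captured list reveals no IDs on its own, and two captured lists cannot be joined to see who was on both journeys. It does nothing about the chip itself still answering any reader with the same ID.

```python
import hashlib
import hmac

# Constructed sample data, not from the programme: which customer IDs paid for which journey.
PAID = {
    "J1": {"C1001", "C1002", "C1003"},
    "J2": {"C1002", "C1004"},
}


def weak_phone_list(journey_id):
    """Option described in the post: the phone carries the raw IDs of the customers who paid."""
    return sorted(PAID[journey_id])


def weak_check(phone_list, scanned_id):
    """Conductor's check with the weak list: is the scanned ID on it?"""
    return scanned_id in phone_list


def journey_key(server_secret, journey_id):
    """Per-journey key derived by the server from a secret that never leaves it (hypothetical design)."""
    return hmac.new(server_secret, journey_id.encode(), hashlib.sha256).digest()


def journey_token(key, customer_id):
    """Keyed hash of a customer ID under one journey's key; differs for every journey."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def hardened_phone_list(server_secret, journey_id):
    """What the server ships to the phone instead: the journey key and the tokens of paid customers."""
    key = journey_key(server_secret, journey_id)
    return key, {journey_token(key, c) for c in PAID[journey_id]}


def hardened_check(key, tokens, scanned_id):
    """Conductor's check with the hardened list: tokenise the scanned ID and look it up."""
    return journey_token(key, scanned_id) in tokens


def linkable(list_a, list_b):
    """What an eavesdropper who captured two lists learns: the entries common to both journeys."""
    return set(list_a) & set(list_b)


if __name__ == "__main__":
    secret = b"constructed demo secret"  # stands in for a key held only on the server
    w1, w2 = weak_phone_list("J1"), weak_phone_list("J2")
    print("weak lists link to:", linkable(w1, w2))  # {'C1002'}
    k1, t1 = hardened_phone_list(secret, "J1")
    k2, t2 = hardened_phone_list(secret, "J2")
    print("hardened lists link to:", linkable(t1, t2))  # set()
    print("C1002 checks on J1 and J2:", hardened_check(k1, t1, "C1002"), hardened_check(k2, t2, "C1002"))
```

The phone needs the per-journey key to check a scan, so a stolen phone exposes the key for the journeys loaded on it; an attacker with that key can test candidate IDs against the list (which matters if customer IDs are small sequential numbers), but cannot read IDs off the list or join it to another journey's list.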

And that's before someone has managed to get hold of the conductor's phone, in which case all security bets are off.

But all of these potential attacks are a needlessly elaborate way to get access to sensitive personal and travel information. It's all right there in a server somewhere, ripe for stealing. Hackers, unfriendly governments (domestic and foreign) and law enforcement agencies would be able to get access to all the customer information and the journeys they'd made by hacking the company's servers or getting a court order. Ill-intentioned people within the company might also be able to get this data. It's not as though that sort of thing doesn't happen all the time.

Why would this matter? Here are a few scenarios:

  1. This is data you don't want to get into the hands of stalkers or abusive exes. I know of at least one case where an abusive ex-husband got hold of his ex-wife's location via her lease car's built-in tracking system (which was there to disable it in case she stopped making payments, itself a security threat). Or what if the conductor took a shine to a customer and abused the system to find out where they lived, what other journeys they make and so on?
  2. Blackmailers (who might be criminals, governments, etc.) could search the database by brute force for unusual journeys and might, with a tiny amount of additional detective work, find targets. They could also determine to some degree which customers were traveling together.
  3. Law enforcement agencies might search the database to find targets for further inquiry, putting everyone who traveled on a particular route under suspicion. Once someone is a target of suspicion, they might be subject to additional scrutiny and when mining data from several sources, it's hard not to find a fit, even if it's not for the crime under investigation.
  4. People will be able to tell whether you actually traveled on that train. You may buy a paper ticket for someone else. You might send an e-ticket to their phone. A ticket is a transferable document, even if it isn't physical. But a chip-ticket is not. I might buy a ticket for someone fleeing violence, for example, so that person could not be traced by their persecutors. But not if it's a chip-ticket.
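Scenarios 2 and 3 are easy to illustrate. The following added example in Python (my code, not the company's; the scan records are constructed) works through a leaked trail of (customer, journey, route) scans: it counts which pairs of customers keep turning up on the same trains, flags a customer's one-off journey against their usual route, and lists who shared that one-off journey with them.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample trail, not real data: (customer_id, journey_id, route).
# A journey ID identifies one train; C1 commutes LDN-BHM and takes one trip to EDI.
SCANS = [
    ("C1", "J01", "LDN-BHM"), ("C2", "J01", "LDN-BHM"),
    ("C1", "J02", "LDN-BHM"), ("C2", "J02", "LDN-BHM"),
    ("C1", "J03", "LDN-BHM"), ("C2", "J03", "LDN-BHM"), ("C3", "J03", "LDN-BHM"),
    ("C1", "J04", "LDN-BHM"),
    ("C1", "J05", "LDN-BHM"), ("C3", "J05", "LDN-BHM"),
    ("C1", "J06", "LDN-EDI"), ("C4", "J06", "LDN-EDI"),
]


def co_travellers(scans, min_shared=2):
    """Pairs of customers seen on the same train at least min_shared times, with the count."""
    on_journey = defaultdict(set)
    for cust, journey, _ in scans:
        on_journey[journey].add(cust)
    pairs = Counter()
    for custs in on_journey.values():
        for a, b in combinations(sorted(custs), 2):
            pairs[(a, b)] += 1
    return {pair: n for pair, n in pairs.items() if n >= min_shared}


def unusual_journeys(scans, min_history=4):
    """Routes a customer with some history took only once: the 'unusual journeys' of scenario 2."""
    routes = defaultdict(Counter)
    for cust, _, route in scans:
        routes[cust][route] += 1
    out = []
    for cust, ctr in routes.items():
        if sum(ctr.values()) < min_history:
            continue
        out.extend((cust, route) for route, n in ctr.items() if n == 1)
    return sorted(out)


def companions_on(scans, customer, route):
    """Everyone who was on the given customer's journeys along this route."""
    journeys = {j for c, j, r in scans if c == customer and r == route}
    return sorted({c for c, j, _ in scans if j in journeys and c != customer})


if __name__ == "__main__":
    print("regular co-travellers:", co_travellers(SCANS))  # {('C1', 'C2'): 3, ('C1', 'C3'): 2}
    for cust, route in unusual_journeys(SCANS):  # [('C1', 'LDN-EDI')]
        print(cust, "made a one-off trip on", route, "with", companions_on(SCANS, cust, route))  # ['C4']
```

Nothing here needs the customer's name or address; the scan trail alone yields who travels with whom and which trip was out of character, and the name lookup is one join away once the database is in the wrong hands.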

I don't mind the fact that many people will find this a convenient way to pay although I wouldn't encourage it (especially if you're up to something). What bothers me is the blasé attitude of the guy from the company who is lying to the BBC when he says there isn't a privacy issue. He goes on to spout the usual nonsense about unlocking your car and house and so on. Yeah it can be done, but yeah it's a stupid way to do it.
