Presentation of a TRB 2020 paper (available at http://bit.ly/trb-cyber-mobile-fare-app): Mobile fare payment applications are becoming increasingly commonplace in the public transportation industry as both a customer convenience and an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in general industry IT systems, as well as the fact that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserve further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, due to the system architecture, may have affected customers in as many as 40 cities across the United States – an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team as well as recommendations for public agencies seeking to improve the security of these types of applications are also discussed.

1. Cybersecurity Vulnerabilities in
Mobile Fare Payment Applications:
A Case Study
Kevin Dennis, Maxat Alibayev, Sean J. Barbeau, and Jay Ligatti
Center for Urban Transportation Research and the Department of Computer Science and Engineering
University of South Florida

2. Introduction and Motivation
 Cybersecurity is a significant concern across all industries
 Many high-profile attacks have been reported:
• Ransomware attacks in Atlanta ($2.6 million)
• Equifax data breach (over $1.4 billion)
 Transportation is no exception:
• Colorado Department of Transportation shut down 2,000
employee computers due to SamSam ransomware
2/20

3. Introduction and Motivation
 This presentation introduces a new vulnerability discovered
in a mobile fare payment application deployed in Florida
 This vulnerability could have possibly impacted up to 1.5
million users across 40 cities
 While patched quickly, this incident revealed that public-
facing policies for vulnerability disclosure are lacking
3/20

4. Background
 The vulnerability investigation was informed
by a literature review conducted in 2018
 The literature review examined various
technologies deployed in Florida, including
mobile fare payment applications and
electronic ticketing
 The literature review and corresponding
survey showed that 64% of Florida agencies
have deployed mobile fare payment
applications
4/20

5. Mobile Fare Payment and Ticketing Systems
 Mobile fare payment is a form of contactless
electronic ticketing
• Enables riders to purchase a ticket and validate
the purchase using their mobile device
 Mobile fare payment may reduce
production and cash‐handling costs
 Some mobile fare payment apps integrate
trip planning and real‐time information
5/20

6. Methodology
6/20

7. Application Programming Interface (API) Call
7/20

8. Vulnerability Description
3. The attacker sends the modified request.
4. The server validates the new credentials
without verifying the user ID. The victim’s
information is then sent to the attacker
and can be viewed directly or forwarded
to the mobile device.
No rider
history
exists for
attacker
1. The attacker captures valid credentials
for a session by creating their own
account.
2. The user ID in the valid request is
modified by the attacker.
8/20

9. Exploited Application
 Compromised Data:
• Name
• Phone number
• Last 4 digits of credit card
• Parking location and time
• License plate number
 The targeted account
belonged to the research
team Compromised research team
transit account
Compromised research team
parking account
9/20

10. Affected Multiple Organizations
 The application vendor also
publishes applications for
parking services
 The same API is used to serve
data for both applications
 An attacker can retrieve
private information for users
of either application
10/20

11. Impacted Users
 May have impacted customers
in as many as 40 cities if the
vulnerability was present in all
versions
 If vulnerable, an estimated
1,554,000 users may have been
exposed 580,000
959,000
0
200,000
400,000
600,000
800,000
1,000,000
1,200,000
1,400,000
1,600,000
Number of impacted users
Number of users potentially impacted by the
getParkerHistory API vulnerability
MyJTA app Passport Parking main app Other Passport whitelabeled apps
11/20

12. Vulnerability Disclosure Process
 The research team reported the vulnerability to a personal
contact at the agency
 The vulnerability was patched within 4 weeks
Vulnerability
discovered
Early October
Vulnerability report
sent to transit agency
October 30th
Vulnerability patched
by vendor
Early December
12/20

13. Improving the Vulnerability Disclosure Process
 Problems encountered during the process:
• No point of contact available for vendor or agency
• No clear guidelines or process for disclosing the vulnerability
• No notification was provided about the vulnerability’s
resolution
 A brief review of other Florida transit agencies and their
vendors did not find any publicly-available responsible
disclosure processes
13/20

14. Implications for Transit Agencies
 Discuss with your vendors how vulnerabilities are addressed
• Does the vendor have a plan?
• Will you be charged?
• Do they inform users of breaches?
• Do they inform agencies of breaches?
• Do they conduct independent security audits?
 The research team is discussing new policy guidelines with FDOT
that may address:
• Above issues in agency contracts with vendors
• Agency disclosure to riders
14/20

15. Discussion
 Publicly available vulnerability disclosure policies may allow vulnerabilities to
be quickly patched and improve communication between agencies,
researchers, and vendors
 Safety requirements may provide starting point for introducing cybersecurity
requirements
• Many processes, such as vulnerability disclosure and safety reporting, may be very similar
 Potential requirements include:
• Standards for data encryption
• Publicly available vulnerability disclosure policies and contacts
• Notification of affected parties, including customers, other agencies, and vendors
• Audits and cybersecurity employee education
15/20

16. Recommendations for Agencies
 Follow best-practice recommendations for mitigating vulnerabilities
• Review existing policies and procedures
• Use secure authentication and encryption
• Log access to sensitive infrastructure
• Backup critical data in case of ransomware
 Identify opportunities to improve employee training
 Create vulnerability disclosure process (internal and external)
 Track and report metrics (e.g., incidents)
 Review and comply with state and federal requirements in case of data
breach
 Participate in information exchange with peers
16/20

17. Recommendations for DOTs
 Quantify and track metrics for cybersecurity incidents from agencies
 Offer resources to improve training and funding opportunities
• These are the top two agency-reported challenges for better
cybersecurity
 Consider incorporating cybersecurity into or alongside existing safety
and security assessments
17/20

18. Conclusions
 Cybersecurity is a significant concern across all industries and
should be a top priority of transit agencies and FDOT
 Lack of training and funding were top cited challenges by agencies
for improved cybersecurity
 Risks and improvements should be reported and, when possible,
measured to assist with resource allocation and to track efforts to
improve cybersecurity
 Many avenues for attack on existing transit systems require
additional analysis
• Existing vulnerabilities were identified for most technologies
18/20

19. Acknowledgements
 This paper is part of the project BDV25-977-51 “Enhancing Cybersecurity
in Public Transportation”
 Funded by the Florida Department of Transportation and supported by
the National Center for Transit Research, a program of the Center for
Urban Transportation Research at the University of South Florida
 The opinions, findings and conclusions expressed in this publication are
those of the author(s) and not necessarily those of the Florida
Department of Transportation or the U.S. Department of Transportation
 The authors would like to thank Gabrielle Matthews for serving as the
FDOT project manager
19/20

20. Thank You!
Kevin Dennis
kevindennis@mail.usf.edu
20
Sean J. Barbeau
barbeau@usf.edu
Jay Ligatti
ligatti@usf.edu