Taxi-window sticker: our security stinks and your credit card will be sniffed

On my way to Dallas-Fort Worth airport today, I snapped this picture of the sticker on the inside of the back-seat passenger-side window of my taxi. It warns "The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted by unauthorized personnel." There's some history there, I'm guessing. Consumer warnings are very nice, but I'm left wondering why they don't just update the firmware on the credit-card box with some decent crypto (unless this is because they use a CB radio to call in card numbers, which is pretty danged foolish).


    1. DING. Taxi drivers are required to accept credit cards now in most cities, but they get hit with the transaction fee. I’ll say, this is more clever than the typical “sorry, the card reader’s broken” excuse I get in San Francisco on a regular basis.

        1. This. I was talking to a friend yesterday, he said hotels in Italy ask people to pay cash where possible, “to avoid the banking fee”. Yeah right, like we didn’t know that tax evasion is a national sport.

          1. My favourite example was the ‘put the elderly grandfather who doesn’t know how to use the card machine on duty when people are checking out’ version. Fortunately the cash machines (presumably thanks to collaboration between banks and hotels) have very high withdrawal limits. 

      1. San Francisco taxis suck. I had one take me outside of city limits, and he put the overcharge (1.5 x) on the tip section. He also yelled at me for paying with a credit card. My final receipt (including the real tip I wanted to pay) was then a handwritten total on a business card. Vegas had the same handwritten receipts, and only 50% of their taxis even accept credit cards.
        What the hell is wrong with those places? Here in Calgary 100% of taxis will accept credit and debit, and you will always get a proper electronic receipt, with all charges and mileage. The driver doesn’t even think twice about it. Unless he’s a crook, why would he care about a paper trail?

    2. I agree. I’ve seen signs from local cab companies trying to encourage cash payments. Cabbies usually have to pay for gas and lease fees in cash. Credit settlements can take days.

    1. Reminds me of the old saw about accountants doing the numbers to see if it is cheaper to do a product recall or just settle the eventual lawsuit.

    1. …as someone that has personally been responsible for PCI-DSS compliance and conversion of merchant accounts and systems, I wholeheartedly agree and approve of your statement.

      I would have asked the cabbie to take me to his boss and then ream his ass for it!

      see, I try to repress these memories but they keep finding a way to come back :(

      *cries in corner*

      1. Meh. I’ve actually seen PCI compliant systems too.  Passed every audit on paper, but in practice about everyone with access to the VPN could have broken in. 

        1. Yeah, that pesky VPN to get to the network…. be sure to hide any extra active data jacks! lol

          When I’m out I’ll still see receipts with the full cc# on them sometimes… ugh! I quickly cross it out, though :)

  1. Cory, I would have interpreted this as somebody – praps the driver, praps his boss – wanted me to know that the wads who are above him won’t spring for decent shit.

    Hurried, sorry…

    1. No, not illegal, but against the terms of service of the card providers. PCI is a bunch of industry policies enforced by the card issuers (VISA, MC, etc…)

  2. Read the paragraph carefully. There is no mention of any fancy technology. How do we know that this driver doesn’t have an old-fashioned swipe box, with three-copy carbonless paper? The extra copy is subject to interception; you just pull it out of the trash can.

    1. Actually, they’re worse off for having put up that sign. It shows they were aware of the issue, and can thus be held responsible. It’s much like you shouldn’t put up a “beware of dog” sign. If your dog bites someone, their argument that you knew the dog was vicious is that much stronger due to the presence of the sign.

      1.  Oh nono…. you knew there was a very good chance your information would be compromised and still opted to use the method they warned you was unsecured.
        Remember laws protect businesses… not people.

        1. I prefer a French wit’s statement that the law, in its infinite wisdom, prevents the rich as well as the poor from sleeping under bridges.

  3. Yeah I’m gonna go with simple cabby laziness, not wanting to take credit cards because of the extra work/waiting time/tax purposes. Any time I’ve taken a cab they’ve always given me shit about paying with credit… one guy even went so far as to claim that he couldn’t take it, even after I made sure to confirm with the company that they accept cards, when I called. I then told him I have no cash, so you don’t get paid and he *begrudgingly* took the card right away.

  4. One thing I *always* do when visiting a new place is find out about taxi laws. Credit cards must be taken? Or places like overseas, say Thailand: if a meter exists you can insist to use it and they must use it?

    Taxis just seem to be a profession where it’s universally accepted to try and screw passengers. Everywhere. Well, maybe Japan’s an exception. But even in NYC where I’m from I can’t tell you how many times it’s happened. “i have no change, the route is better this way, no take credit cards, credit card machines broken”. On three occasions I fell asleep in a taxi and woke up at my destination with an extra 5-10 bucks on the tab that I knew it wouldn’t have charged.

    If no laws exist, caveat emptor. But I argued with a Bangkok cabbie and threatened to jump out at a light. He turned meter on and the trip was a third what he said it would be. When I arrived and saw this and called him out, *smirk* *shrug*.

    I can’t vouch for countries/states I haven’t been, but any place I have, if I didn’t confidently step in, bark an order and take no guff from the get go, the cabbie tried to hustle me.

    1. Can’t beat a London black cab, mate. Cabbies are required to be acquainted with all streets within a 6 mile radius of central London, must always have a fully functioning meter, and are not allowed to refuse a fare.
      I always pay cash – it is easier to tip that way – but presume they take other forms of payment, too.
      They are as strictly regulated as any other business despite being self-employed – which is the real problem with the legal status of most taxis – you could say the same of plumbers or mechanics.

      1. This doesn’t entirely explain why a black cab driver attempted to take me from Paddington Station to Queensway in Bayswater via Oxford Street.

    2. “I can’t vouch for countries/states I haven’t been, but any place I have, if I didn’t confidently step in, bark an order and take no guff from the get go, the cabbie tried to hustle me.”
      As a driver myself, I commend this. In a position as crazy as mine, it’s refreshing to be given a heads up on how a ride will go. You are firmly in the category of fares I could care less about, nothing horrible or entertaining, just business as usual and mildly annoying. You will not tip well, offer any redeeming conversation, and will generally be a pain in the ass I will work most efficiently to remove from my life as soon as possible. To make up for this your calls back on my card (if you somehow get your hands on one with my personal number, as I will not be handing you one willingly) will go ignored. The time on the meter will run despite any traffic issue or extra-curricular activity you may need to perform (including sleeping), and generally your belief that this will not be a pleasant experience will be confirmed.

      What’s great about this “job” is that around half the people believe I am trying to rip them off, when in reality it is around half of the passengers that actively attempt to scam me:

      I only have $5, it’s not going to be any more than that, is it (halfway across town)? Why are you going a block over to properly turn instead of an illegal u-turn, you’re going the long way! You’re not going to keep the meter running while I go in and buy beer/smokes/drugs are you… that’s bullshit! $2.50 start time… that’s bullshit! Can’t you take Taco Bell/Insert undesirable thing to keep it to X amount? Drunk Girl: It’s my birthday… The famous: I know (person in my/another company) and THEY… and then there’s you: I am an expert at this, among all other things, now listen to me.

      I understand you are above me, I make very little money for an extremely stressful job with no benefits. Another big clue is that I am driving you, not the other way around. I just really don’t need the rub in to go along with it.

      Now get me here, I’m positive there are cab drivers who are actively trying to scam people. I’m not one, and out of the dozens of drivers I know I don’t think one of them is either. Now maybe I live and work in some sort of taxi-rider’s paradise, but I highly doubt it. I think maybe the driver who doesn’t want to take a card perhaps hasn’t made enough cash that day to pay lease and gas and bring home a few groceries. Maybe they don’t want to pay the exorbitant fees cab companies charge to run slips (I use Square, so no worries from me), or spend the time filling out a slip instead of catching another fare. Not to mention the fact that a slip is a blurred number off from being no good, and by the time it is actually run by the company maybe there is no money on the card, which is now my problem. Hopefully you live here and care about making good, because I now owe the company your fare I used against my lease (again, Square is a life saver so this is hypothetical). Maybe somebody has already hit them with a hundred and they really can only break a $20 at the moment. Also, maybe, just maybe, they care way less about a buck or two than you do and will gladly forfeit a “loss” to help you get over yourself/get out.

      I really don’t mean this as a personal attack. This is a generalized rant just as yours was. My entire point after all that is, just as an experiment, the next ride you take don’t go in with teeth clenched for war. Try and be a person being driven around by one. Go into it expecting an enjoyable ride and just kick back and let the person do their job. Even if they take a route you question just let it roll and be nice. You may be surprised the value of not going in passive-aggressive has, because trust me, we deal with real aggression… your act does nothing but secure lesser service from us, and more stress for you.

      1. Bravo. I have a friend who drives a cab who has delivered similar rants. He also uses Square, he connects with customers via Twitter and Facebook, is totally honest, but still struggles due to distrustful customers, and dealing with the scumbag cab company. May you have smooth roads, and fat tips.

      2. It may also just be that this driver is really suspicious of card readers. It’s not that unusual around here to find people who are.

  5. Arguably (while there are certainly steps that ought to be taken to keep numbers from being skimmed off the wire, or at the POS) the ‘security’ of conventional mag-stripe cards is so utterly broken that there is not much the card reader can do to fix it.

    So, there’s this magic number. In order to use my credit card, I have to give the magic number to all sorts of random websites and waiters and POS machines. However, despite the architectural need to hand that number out wildly, mere possession of the number is sufficient basis to initiate a charge against the account.

    That’s just a no-win. It’s analogous to the madness that is simultaneously treating social security numbers as super-secret authoritative IDs, and absolutely everybody demanding to know yours because they need your authoritative ID… 

    You really can’t implement something that isn’t toy security without (as a necessary, but definitely not sufficient, condition) some sort of processing power in the card and a challenge-response setup that allows the card to prove possession of a secret without revealing it. Plenty of ways to do that wrong, of course; but at least success is possible.

    1.  I concur and would also like to point out that this is probably what the sign is talking about rather than their specific equipment or software.  The credit card system itself is inherently a lousy way of authenticating transactions (any system where the information I have to give you to prove that the transaction is authentic can be used to authenticate any other transaction on the same account is a terrible system) and that’s perfectly consistent with the wording of the sign.  The sign may be there because the cabbie wants everyone to know how bad the credit card system is.  And he may, as others have speculated, want people to know this so that they’ll be less likely to pay with credit cards.  But I would not read the sign as being about his equipment.
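The contrast the two comments above draw, between a static account number and a card that proves possession of a secret, as an added example that is not part of the original thread. It assumes a symmetric key shared by card and issuer and HMAC-SHA256 as the response function; it is not the scheme of any real card network, the class and function names are hypothetical, and the account number is a constructed test value.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account

def static_authorize(account_pan, presented):
    # Mag-stripe model: presenting the number is the whole proof.
    return hmac.compare_digest(presented, account_pan)

def mac(key, challenge, amount_cents):
    # The response binds the fresh challenge to this transaction's amount.
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Card with its own processor; the key never leaves it."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge, amount_cents):
        return mac(self._key, challenge, amount_cents)

class ChallengeIssuer:
    """Shares the card's key (assumption) and issues single-use challenges."""
    def __init__(self, key):
        self._key, self._open = key, set()
    def new_challenge(self):
        c = secrets.token_bytes(16)
        self._open.add(c)
        return c
    def authorize(self, challenge, amount_cents, response):
        if challenge not in self._open:
            return False  # unknown or already-used challenge
        self._open.discard(challenge)
        return hmac.compare_digest(response, mac(self._key, challenge, amount_cents))

def demo():
    # A number overheard on the wire is accepted again as-is.
    replay_static = static_authorize(SAMPLE_PAN, SAMPLE_PAN)
    key = secrets.token_bytes(32)
    card, issuer = ChipCard(key), ChallengeIssuer(key)
    c1 = issuer.new_challenge()
    r1 = card.respond(c1, 2350)
    genuine = issuer.authorize(c1, 2350, r1)
    reuse = issuer.authorize(c1, 2350, r1)  # same challenge presented twice
    stale = issuer.authorize(issuer.new_challenge(), 2350, r1)  # old response, new challenge
    c3 = issuer.new_challenge()
    altered = issuer.authorize(c3, 9999, card.respond(c3, 2350))  # amount changed in transit
    return replay_static, genuine, reuse, stale, altered
```

Everything an eavesdropper records in the second model (challenge, amount, response) is useless for a later transaction, which is the "necessary but not sufficient" property the comment describes.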

  6. Substitute a VHF cab dispatch radio for a CB and you have it, at least in some places.  Search the 152-153 and 452-453 MHz range in your area…

    The cab company in Denver that was doing this seems to have started using carbon slips, but for a stretch of years they simply called the CC info in to the dispatcher for processing…

    1. Had this happen to me too. Nothing like broadcasting someone’s cell phone number for half the town to pick up. Called my bank almost immediately to have the card canceled and replaced.

  7. My ex used to work for a cc processing company. They would pay him to go collect the cc receipt, which was on carbon paper. All of the credit card numbers, including cid, were present. He got paid for each slip he brought in.

  8. Actually I’ll chip in a different possibility. One of the companies here in Phoenix got bought out and got these nice fancy computers that do everything in them, meter runs through them, dispatch, you even get a GPS. Problem is these things have to be certified to use them in taxis. The latest high tech version was running Windows CE, and this was maybe three years ago, when CE was gone. Want to guess how good the security is on those terminals? You swipe the card through there, it’s sent to dispatch on a ‘secure’ radio signal, and approval is sent back. I’d suspect that whatever encryption it uses is woefully outdated, and yet there’s no way to update it.

  9. We don’t really *do* cabs much here. I’m probably ripped off a lot when  I travel but I’ve not really worried about it too much. 

  10. As we flew into Dallas Fort Worth the kind people sitting next to me told me I shouldn’t go into any churches that didn’t have windows. There wasn’t a huge chance I would’ve gone to any church, but it sure made me glad I was only at DFW to wait an hour before my connecting flight to Vancouver.

    I would never fuck with Texas… I don’t want to end up with all kinds of disease.
