CIO

The rideshare and public transport hidden threats

I don't know about the rest of you, but I seem to spend a fair bit of time lately in rideshares like Uber, Didi, Ola or any of the other new entrants to the market. I also regularly travel by train, and I want to discuss some threats that I don't think many of us consider when we travel using rideshare or public transport. The risks I cover here are cyber-related rather than physical, as that is my area of expertise. I will walk through a scenario so that I can demonstrate these risks and we can all better protect ourselves while using these services in the future.

Let’s take a look at public transport first, as I believe it poses the biggest risks. How about we go with a very common scenario for many readers on their commute each day via train and bus. You arrive nice and early at the station for your hour-plus commute to work (that is the average for most cities in Australia; I know some colleagues who do a two-hour commute each way). Back to the scenario: you tap your go card or Opal card (depending on where you live), or even a payWave card, Apple Pay or Google Pay (transit cards are being phased out in favour of these other methods).

You make your way onto the train or bus and find a seat. You unpack your laptop or tablet and start on some emails or work to get a head start during your commute. You most likely connect to the free Wi-Fi and think nothing of it. The emails you are sending could contain privileged information that would be damaging if it made it into your competitors’ hands. You make calls and discuss similarly sensitive information without a second thought. You arrive at the station, tap your payment method and walk a few minutes down the road to your office. That sounds like a pretty normal commute for most, wouldn’t you say? Is that something you do or witness most days? It is for me; I see this type of behaviour all the time on public transport. But is there anything wrong with it? I think there is, and I feel you are putting yourself and your company at risk without even knowing it.

Let’s go back and look over what happened during the scenario. First, you tapped your contactless card or your phone's payment app (whichever you use). If I were a malicious actor I could be waiting near the gates, and as people tap their cards or phones I could be putting through a secondary charge without them being aware, let's say $1 per person. Assume between 10-20% of the community uses the services (further details on transport usage here). Brisbane has 2.28 million residents; if 10% of those catch public transport (228,000) and 20% of those (45,600) go through Central station (this is a hypothetical, not exact figures), and you could take a payment from 20% of them just by sitting near the scanners with a reader that has an extended range, then a malicious actor (me, in this scenario) could steal $9,120 from unsuspecting victims. You could keep changing stations, fly between states and make a killing out of this. Look, this type of attack is unlikely. Contactless cards are designed to respond only within a few centimetres, and even a purpose-built extended-range reader has to be within a short distance, so you would need to be right next to the gate. A rogue reader also has to be a terminal tied to a merchant account for the money to land anywhere, which gives investigators a trail to follow. And it would get pretty obvious if you just sat or lingered around the payment gates; I am certain after about an hour you would be having a conversation with security, or at least I hope so.

I think we need to be aware of the threat, though. As contactless card payments become the standard, skimming devices will certainly be built to help malicious actors harvest card details or double charge you as you get on public transport. What a reader can pull from a contactless card without your involvement is limited (typically the card number and expiry, not the security code), but that is still more than you want a stranger to have. A malicious actor could also simply walk through a train or bus with a portable terminal taking payments as they pass you sitting down, or brush past you to get to the other end of the carriage. Buy yourself a couple of cheap RFID shielding sleeves (they cost about $1 each); that will certainly help save you from the walk-by attack, at least for physical cards. Phone wallets generally require the device to be unlocked or authenticated before they will respond to a terminal, so the sleeves matter most for the cards in your wallet.

The RFID attack is not your biggest threat on public transport, though. When you found your seat on the train you connected your device to the free public Wi-Fi. Please don’t do this unless it is necessary, especially if you are using a company device with sensitive data on it. As a malicious actor I could set up an access point broadcasting the same network name as the train's free Wi-Fi (an "evil twin") so that everyone on the train connects to my network thinking it is the legitimate one, and then inspect and modify any communications travelling across it. Traffic protected by TLS (HTTPS, and most modern mail and chat apps) cannot simply be read or altered in transit, but anything sent over plain HTTP can be, and the attacker can still see which hosts you are talking to. If you are connecting to company resources without a VPN you are putting yourself at risk.

The malicious actor could even infect your machine by intercepting a file you are downloading over an unencrypted connection and sending on a modified version, with you none the wiser. This type of Wi-Fi attack is well known, and it is recommended that if you need the internet while on public transport you use your own mobile data or a personal hotspot. It is much safer and less likely to be intercepted. The same evil-twin technique could in principle be used against your hotspot's network name, but if the hotspot uses WPA2 or WPA3 with a strong password the attacker cannot produce a network your device will accept as the real one, so this is unlikely unless you are being specifically targeted.
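The evil-twin warning above is easier to act on if you can see what an impostor network looks like in a scan. The following is an added example, not code from the original article or from any vendor: it runs a few evil-twin indicators over a hand-constructed list of scan results (the SSIDs, BSSIDs and the "known networks" profile are all made up for illustration). It flags a known network whose security type has changed (a WPA2 network now appearing open), a known network served by an access point you have never seen before, and an unknown network where an open access point shares a name with a secured one.

```python
"""Evil-twin indicator checks over a Wi-Fi scan list (added example).

All data below is constructed for illustration: the SSIDs, BSSIDs and
the KNOWN_PROFILES table are hypothetical, not captured from a real
train or office network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """One access point as a scanner reports it."""
    ssid: str
    bssid: str
    security: str   # "" for an open network, otherwise e.g. "WPA2" or "WPA3"
    signal: int     # signal strength, 0-100


@dataclass(frozen=True)
class Finding:
    ssid: str
    kind: str       # "security-changed", "unknown-bssid" or "open-clone"
    bssid: str


# Hypothetical profile of networks this laptop has joined before:
# SSID -> (security type seen previously, BSSIDs seen previously)
KNOWN_PROFILES = {
    "QR-Free-WiFi": ("", {"aa:bb:cc:00:01:02", "aa:bb:cc:00:01:03"}),
    "Corp-Hotspot": ("WPA2", {"10:20:30:40:50:60"}),
}

# Constructed scan: the de:ad:be:ef:* entries play the attacker's APs.
SCAN = [
    Network("QR-Free-WiFi", "aa:bb:cc:00:01:02", "", 70),
    Network("QR-Free-WiFi", "de:ad:be:ef:00:01", "", 95),      # never seen before, strongest
    Network("Corp-Hotspot", "10:20:30:40:50:60", "WPA2", 60),
    Network("Corp-Hotspot", "de:ad:be:ef:00:02", "", 88),      # open clone of a WPA2 network
    Network("Random-Cafe", "11:22:33:44:55:66", "WPA2", 40),
    Network("Random-Cafe", "de:ad:be:ef:00:03", "", 90),       # open clone, no profile
]


def find_indicators(scan, known=KNOWN_PROFILES):
    """Return a list of Finding objects for APs that look like impostors.

    Known SSIDs are compared against their profile; unknown SSIDs are
    flagged only when an open AP shares a name with a secured AP.
    """
    findings = []
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)

    for ssid, aps in by_ssid.items():
        if ssid in known:
            expected_security, known_bssids = known[ssid]
            for ap in aps:
                if ap.security != expected_security:
                    # A WPA2 network suddenly offered open is the classic evil twin.
                    findings.append(Finding(ssid, "security-changed", ap.bssid))
                elif ap.bssid not in known_bssids:
                    # Same name and security, but a radio we have never joined.
                    findings.append(Finding(ssid, "unknown-bssid", ap.bssid))
        else:
            any_secured = any(ap.security for ap in aps)
            for ap in aps:
                if any_secured and not ap.security:
                    findings.append(Finding(ssid, "open-clone", ap.bssid))
    return findings


def risky_ssids(findings):
    """Set of network names that should not be joined without further checks."""
    return {f.ssid for f in findings}


if __name__ == "__main__":
    for f in find_indicators(SCAN):
        print(f"{f.ssid:14} {f.kind:17} {f.bssid}")
    print("avoid:", sorted(risky_ssids(find_indicators(SCAN))))
```

These are indicators, not proof: an attacker can clone the BSSID as well as the SSID, and a legitimate operator can add access points or change security settings. Treat a hit as a reason to stay on mobile data, and treat a clean scan as no more than the absence of the obvious. The real protection remains TLS for every connection and a VPN for anything that touches company resources.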

You should also consider who is sitting behind you, what they can see on your screen and what they can hear during your conversations. Any one of the people around you could be from a competitor, could be a malicious actor, or could be anyone else you know nothing about. So take some advice: don't work on sensitive documents or take sensitive phone calls on public transport.

Rideshares: do you think about the risks with these services? Your fare is charged through the app, so you never tap anything in the car, but a contactless skimming device could be installed behind a seat, and when you get in you could be charged an extra $50 for your troubles. This could be done without the car owner's knowledge: just slip a cheap device down the back of the seat and it could scan away until the battery runs flat, which could take days. That could put hundreds of riders at risk without anyone being aware of what happened. The same limits apply as at the station (the reader needs your card within a few centimetres, and the charge still has to land in a traceable merchant account), so a shielding sleeve for your cards covers most of this. Phone calls in this space should be treated the same as on other public transport: don't have sensitive conversations. Let your phone go to voicemail for 20 minutes. I am sure your world won't burn down in that time, and if it does, 20 minutes would not likely have saved you from that fate anyway.

There are more threats with rideshare and public transport, but I think you understand now where I am going with this. Be more conscious of where you are, don’t expose yourself to undue risk, and minimise your attack surface. Use the time to read a book or listen to music or a podcast. It will be more relaxing and much safer for you and the organisation you work for.

As always, tell me what you think. Have you witnessed other commuters doing things they really shouldn’t? Have you done this yourself? Comment and let’s start the conversation. Let’s make us all that little bit safer while commuting.

Till next time…