Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study

Abstract

Mobile fare payment applications are becoming increasingly common in the public transportation industry as a convenience for customers and as part of an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in general industry IT systems, as well as that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserves further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, because of the system architecture, may have affected customers in as many as 40 cities across the United States, an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team as well as recommendations for public agencies seeking to improve the security of these types of applications are also discussed.