Affiliation:
1. Computer Science and Engineering Department, University of South Florida, Tampa, FL
2. Center for Urban Transportation Research, University of South Florida, Tampa, FL
Abstract
Mobile fare payment applications are becoming increasingly common in the public transportation industry, both as a convenience for customers and as part of an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or to patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in industry IT systems generally, and the fact that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserves further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, because of the system architecture, may have affected customers in as many as 40 cities across the United States, an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team, as well as recommendations for public agencies seeking to improve the security of these types of applications, are also discussed.
Subject
Mechanical Engineering, Civil and Structural Engineering
Cited by
3 articles.
1. Electro search optimization based long short-term memory network for mobile malware detection. Concurrency and Computation: Practice and Experience, 2022-06-02.
2. An Analysis of Vulnerability Scanners in Web Applications for VAPT. 2022 International Conference on Computational Intelligence and Sustainable Engineering Solutions (CISES), 2022-05-20.
3. A Semi-Automated HTTP Traffic Analysis for Online Payments for Empowering Security, Forensics and Privacy Analysis. The 16th International Conference on Availability, Reliability and Security, 2021-08-17.