The RSA Conference was amazing this year — bigger, more robust and crazier than I have ever seen it. The only void I noticed among the technical vendors was addressing the issue of hacktivism. In the packed conference and crowed exhibition halls, I never came across a discussion about this phenomenon. Can we forecast this risk? Do we know its long term effects? I think most of us are still befuddled by this concept.
The hacktivism issue resurfaced for me when, not unlike the other 24,999 RSA attendees, I was headed back home after the show. The route to my hometown of Seattle is frequent since I’m on the road all of the time and because of this, I leverage technology to the uber-degree. I mean that quite literally – – I love the service provided by a mobile phone application provider, “Uber”. However, upon my arrival, I learned that some services and companies aren’t always greeted with a warm welcome to a city!
As “Transportation Networking Companies “ (TNCs) have popped up in the last few years, companies like Uber, Lyft, Car2Go, SideCar, etc. have been receiving a fair amount of backlash from the taxi industry, ranging from violence to citizen arrests to citywide bans and taxi strikes. Why? Because TNCs provide new options for getting around and their value establishes competitive advantages over the taxi industry. With these new companies you can summon a car with just the push of a button often at a lower expense than a taxi. Automatic payment adds even more convenience AND drivers keep their cars clean, all in hopes of a 5 star ratings. Other feature benefits include driver and passenger rating systems, customer service and even map images on the receipt for the route taken. These companies consider themselves technology companies and not car services and these TNC applications and services are gaining market share very quickly.
Seattle just recently joined the ranks of cities looking to ban these new efficient and economical services. It seems consumers and companies have practically declared war on them. That’s interesting to me. Why would such a fragile cyber security industry, like the taxi industry, make such strong moves? What would happen if activists and/or hacktivists decided to attack them? TNC companies are probably better positioned to survive such cyber war assaults whereas the taxi industry, well they might not make it.
Because Taxi companies are extremely weak in defense, many attack vectors exist against them.
TNC companies create user accounts that gather payment and identity information, taxis don’t. An angry rideshare customer can call taxi companies and send them to remote locations just for “fun”, the taxi company will arrive and find no fare waiting. Companies like Uber have automatic billing for cancellations and use GPS in the app to show the user’s location. Rideshare companies: 1, Taxis: 0.
If hacktivists like Anonymous decide to call blitz or to TDoS (Telephony denial of service) a taxi company, victims could lose their traditional phone systems and call centers. Rideshare companies do most of their requests over the internet and authenticate their users, so if they have DDoS protection, this type of attack won’t affect them. Taxi companies would all need to switch to VOIP systems and put TDoS protection in place to keep this from happening. The new mobile based malware and botnets are an additional platform for TDoS. Groups like Anonymous have used these attack vectors against other targets and it is something else that the taxi companies would need to be aware of and prepare for. Rideshare companies: 2, Taxis: 0.
If the war escalates, another nefarious attack surface is this.
Anyone can go and buy a “burn phone” or prepaid cell from a convenience store and then request a phone number port from the mobile phone company website. Instead of porting their own phone number, they could request to port the taxi company’s number. This is illegal, yet some fake number porting requests have slipped through the system on occasion. Per the FCC rules on number portability, attackers could steal the taxi company’s phone numbers temporarily. Although port fraud can be reversed, it can take up to several days. Rideshare companies, which primarily operate over the internet with authenticated users, again wouldn’t be as devastated by this attack type as a taxi company would. Rideshare companies: 3, Taxis: 0.
Taxi companies may have powerful influence to lobby the government, but even if they succeed in pushing out their internet-based competitors; their risk for cyber retaliation is very great and very real. The taxi companies that are against this new and growing transportation service are throwing heavy stones from their glass houses.