Can the Web help make automotive payments more secure?
Posted on:The Automotive Web Payments Task Force is exploring whether the emerging Web Payment API (called “Payment Request”) can be used in automotive use cases to improve the user experience and reduce financial fraud.
Fraud is rampant in fueling. My personal observations are mostly US-centric but have had similar experiences internationally. As gas prices increased dramatically in the US in 2008, so did theft of fuel. Incidents of people filling up their cars and driving away without paying were widely reported. As a result it is rare now to see places that will let you fuel up before paying, trust in the consumer is gone. You now have to pay at the pump with a debit or credit card or go inside and prepay before fueling.
Perhaps as a result, theft of payment credentials has also increased. Card skimmers are devices placed externally over a credit/debit card magnetic reader or hidden inside it that capture credit card information to relay or be later collected by an attacker. They are unfortunately becoming commonplace on ATM machines and gas station pumps.
The upshot: unattended devices in the physical world can be difficult to adequately protect from tampering.
Basic, widely used locks are not secure but merely a mild deterrent. They are easily overcome with “bump keys” (internet search shows how trivial this is), lock picking (more instructional videos online plus learning locks and pick sets are cheap) and spare copies of keys can be made or acquired. Cars have long moved on from simple keys to more complex mechanical locks that make it more difficult to copy keys. They also embed RFID as essentially a second factor authentication on the physical key. These more advanced keys are greatly improved over the more common ones but not without security flaws as researchers are finding ways to overcome the various protection schemes. The locks protecting gas station pumps are of the simpler variety and to facilitate maintenance sometimes commonly keyed, a single key can unlock multiple pumps sometimes even across different stations.
Last summer my eldest daughter had her credit card number stolen. Her bank informed her it was most likely from a card skimmer at a gas station. I was already aware of this phenomenon and only use ATMs at banks since they have security cameras and better overall monitoring practices. Based on her experience I became more diligent about looking for the tamper stickers that indicate a pump might have been opened to insert a skimmer. These are cheap stickers anyone can purchase. A casual observer unfamiliar with the specific sticker used by a given station will not know whether it was affixed by the attendant or an attacker. On a road trip to Upstate New York last Fall my own credit card was stolen by a skimmer. The tamper sticker at the gas station I believe was responsible seemed incredibly cheap and at the time wondered if an attacker might have placed it themselves. A physical card with magnetic stripe was manufactured and used a couple days later at a grocery store in Long Island, NY. The theives’ use of the card within the same state, in the ordinary scenario of buying groceries, was an attempt to make the transaction seem innocuous to the credit card company’s fraud algorithm.
Having a credit card stolen is not a pleasant experience. Fortunately I was not liable for the fraudulent charges but I did have to go and update all the places that card was used for automated payments. A couple weeks ago I was fueling up near the interstate closest to home, a gas station I frequent and I noticed there was no sticker after I swiped my card. I saw all the other pumps at the station had a sticker present and thought I was going to have to repeat the exercise. To spare other customers I went into the service station to speak with the clerk. She informed me they simply ran out of stickers and they check for skimmers every morning. The problem is that rampant.
We are now hearing about gas station pumps being hacked, installing malicious programs to cheat consumers out of gas. Trust in the physical card systems and pumps is gone.
Credit card companies assess the probability of fraud on every single transaction within seconds based on elaborate algorithms and various data points including past purchasing behavior before approving a transaction. Credit cards in the US only recently became equipped with chips which, although suffering from various flaws being discovered, are a marked improvement over magnetic strips. Deployment has been slow and they are generally not seen in US fueling stations but are present in Europe and other parts of the world. In other countries it is also common to require a pin as another authentication factor in addition to the chipped card to complete a transaction. That practice is not in use in the US but due to fuel fraud, card holders are prompted to enter their postal zipcode as a pin when purchasing gas. Since the magnetic strip contains the cardholder’s name in plain text an attacker can look for local addresses matching that name online relatively easily, depending on how common the name is, and obtain the not-so-secret pin (zipcode).
Basic multi-factor authentication is based on something you have and something you know. Magnetic strips are easy to copy and for an attacker to have and a zipcode is knowable to cardholder and the internet.
We also hear regularly about website compromises and the amount of credit card and other personal data that gets stolen, trust in the merchant is eroding. Online consumers often abandon shopping carts, hesitant to trust another site with their credit card. W3C’s Web Payments API can mitigate risk by enabling a streamlined user experience without requiring the merchant to store payment credentials, and by facilitating the use of more secure payment methods (such as tokenization and with strong authentication). Tokenization involves the use of dynamic data to avoid replay attacks; it has been designed to work with existing credit card processing systems, using the same data points. What is most interesting is that given the complexity of changing out payment processing systems, they instead adapt to conform within existing methodologies and data structure. We can overload values with pertinent information coming from the vehicle.
As mentioned fraud detection algorithms are data driven based on past purchasing behavior, including last known geographic location of the cardholder, and the transaction itself. Information about the vehicle including its identification number (VIN), its fuel level and other stateful information, fuel capacity and location are available through the service APIs being worked on in the W3C Automotive standards activity and could be communicated to the payment provider along with the merchant information via the W3C Payments Request API. When paymentItem is “gasoline” and shippingType is “pickup” then the payment provider can look at shippingAddress for that station’s Point of Interest (POI) address to see if it aligns with the merchant information before approving the transaction.
The same and more concerns apply to EV charging.
We do not have all the answers yet, join the discussion and be part of the solution.
See also Ian’s Pay at the Pump explainer where he captures some thoughts on the different ways to initiate the transaction, have the service station let the connected vehicle know where to may a web payment.
https://github.com/w3c/automotive-pay/wiki/PayAtPumpExplainer