Exploiting taxi queue systems for profit


Bruce Schneier’s latest Crypto-Gram newsletter came out yesterday, summarising his previous month of posts. It’s well worth it, even if you subscribe to his RSS feed.

My favourite story (if one can have a “favourite” when talking about series security issues) he shared last month was a group who hacked JFK airport’s taxi dispatch system in New York. From the original report:

Taxi drivers are required to wait in a holding lot at the airport before they are dispatched to pick up a customer. A computer system keeps track that taxis are dispatched in the order in which they arrived. The duo allegedly conspired with Russian nationals to hack the system and move certain taxis to the front of the line, in exchange for payment.

You can see where this is going.

As part of the scheme, [the perpetrators] allegedly charged taxi drivers $10 each time they were moved to the front of the line. Taxi drivers learned that they could skip the taxi queue line by paying the fee to members of the hacking scheme through word of mouth, and the group involved in the alleged scheme offered some taxi drivers fee waivers in exchange for recruiting other taxi drivers to pay the $10 fee to skip the taxi line.

That last action was their undoing. This is what gets me about these sorts of attacks: they’re always brought down by greed. Once you tell enough people about a scheme, word of it will make its way to the top. They would have earned less keeping the number of cabbies who knew about it to a minimum, but they may have continued to get away with it for years.

(It’s the same as bank robbers buying flashy cars when everyone knows they don’t have the requisite incomes, or bankrupt investment bankers drawing attention to their offshore assets by posting party photos with their mistresses on a yacht. I know that hubris is involved in these sorts of crimes, but come on, work that matter between your ears).

When we lived in Malaysia, I remember a friend telling me about a large hotel in which his parents worked, and the payments it received from a specific taxi company to get preferential treatment for airport runs. KLIA is a long way from the Golden Triangle and KLCC, so it would have been incredibly lucrative.

Just think, someone could have cut out the hotel entirely, and broken into its booking system to mess with the order, and collected payment for the privilege. Wa lao eh. 🚕

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.