At the time I posted my recent blog about finding a New York City Transit MetroCard vending machine running Windows NT 4 Service Pack 3 I contacted the MTA (Metropolitan Transit Authority) to ask them about it. I received a response from Paul Fleuranges, vice president of Corporate Communications, MTA NYC Transit:

Assuring the security of the MetroCard system is a multi-layered effort encompassing technical solutions and procedures aimed at preventing unauthorized access and detecting unauthorized activities during the course of normal operations. The activity of the system is monitored for unusual behavior at many points in the operation. Procedures are in place to quickly respond to unusual occurrences in ways that not only limit risk, but can lead to immediate remedial action. NYC Transit is in the process of completing an extensive effort to become compliance [sic] with Payment Card Industry (PCI) rules relating to credit/debit transactions. While directly related to the business of accepting bank cards, these rules have also helped NYCT further harden its automated fare collection system against potential unauthorized access to sensitive transaction information by hackers and employees. In regards to your security related questions, which we will not address here in any detail, it is safe to say the network environment is constructed in such a way that the serious security implications and vulnerabilities you reference do not exist.

So we'll have to take their word for it that it's impossible for anyone to hack into their machines. If the machines were actually on a network of some kind I would be worried, but it's likely they all just have a dial-up connection and some weird, old version of SLIP.

The reference to PCI compliance is interesting. Seeing as how Requirement 6 of the PCI DSS states that you must "Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release," I would think they can't possibly be compliant running NT 4 SP3, and that they must have a goal of upgrading these systems. That's good news.