Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study
Transportation Research Record: Journal of the Transportation Research Board (IF 1.7), Pub Date: 2020-09-10, DOI: 10.1177/0361198120945982
Kevin Dennis 1, Maxat Alibayev 1, Sean J. Barbeau 2, Jay Ligatti 1

Mobile fare payment applications are becoming increasingly common in the public transportation industry as a convenience for customers and as part of an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in general industry IT systems, and given that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserves further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, because of the system architecture, may have affected customers in as many as 40 cities across the United States, an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team, as well as recommendations for public agencies seeking to improve the security of these types of applications, are also discussed.




Updated: 2020-09-11