Avoid Transit App Nightmares

Feb. 10, 2017

Apps are everywhere. Smartphones are everywhere. Let’s solve transit issues by using apps on phones - genius! Let’s celebrate.

And now your agency is the lead story locally — but not in the way you want. It’s a bad news story because your app was hacked. What went wrong?

Apps are software, running on more software. Despite everyone’s best efforts, software gets hacked. What are the consequences to your agency when that happens? There are several: financial loss, interruption of operations, loss of reputation and trust, and loss of morale. All of them reduce your standing and break faith with the community.

The worst outcome? Reduced ridership. Difficulty raising funds. Indeed, your agency will continue to exist, you will provide transit services, and you will recover. However, there is an opportunity cost.

What can be done?

First, why have an app? There are nearly overwhelming reasons to consider, adapt and adopt one or more apps to add ridership and build loyalty:

- Operational Efficiency:

  • Reduce vehicle loading times by faster fare processing
  • Create new revenue via partnerships with advertisers
  • Better ADA capabilities – agency can anticipate when a stop needs extra time

- Improved Rider Experience:

  • Use tracking info to build better routes
  • Solve the first/last mile problem
  • Direct riders to their next travel segment’s platform/bus

- Communications Improvements:

  • Meet people in their language and disability need
  • Inform riders about service alternatives/enhancements
  • Inform riders about service disruptions


Passengers are delighted to know how to rapidly navigate your transit system. You are delighted to add ridership, make travel convenient, reduce administration time and build rider loyalty.

Many software solutions lead to some surprises. The actual cost to roll out and support the app is much more than anticipated. The agency’s needs are not necessarily aligned with the priorities of the app developer. And the app doesn’t replace any existing system, so it adds to operational complexity. There is the chance that a rider, having farecards, apps, etc., will be charged two or three times for the same single trip.

Apps are secure, right? The marketplace will ensure that every app is reliable, safe and secure. Experience shows that this is not true. There is a difference between a "bug" and intentional fraud. Your agency manages risk in many ways, including:

  • Contracts that protect the agency
  • Insurance to protect the agency
  • IT staff does some due diligence
  • Riders are savvy, they understand the risk/reward of making their financial information available


When the app is hacked, your agency’s risk mitigation legalese will be lost on your riders. How will riders react? Anger? Betrayal?

What is the outcome of a hack? If your app is hacked, it may be the way in to all of the information on the rider’s phone: their entire contact list, user and password information for their financial institutions, their photos, and other information that can be damaged or lost.

What happens when your app is the cause of identity theft of your riders?

Is your agency prepared for:

  • Relentlessly being the punching bag for all news cycles and in social media (PR nightmare)
  • A security breach leading to unknown reliability of financial and operational information
  • Unreliable transit schedules — riders and operators do not know where to be or when
  • Being unprepared for financial disruption — staff lose faith in management

Protect and Serve

Your agency has many programs to ensure rider safety and system reliability. What should your program include to protect the agency and rider information?

Risk awareness:

- Your developer/vendor must brief your agency about vulnerabilities, known and potential, for the app and its underlying operating system. Smartphone vendors attempt to secure the devices, yet there are vulnerabilities. When the risks exceed the usefulness, your agency needs a response plan.

- Regulatory and Best Practices Compliance: The agency must ensure that the app meets or exceeds industry and regulatory requirements. Ethical hackers should be engaged to challenge the assertion that the app is safe.

What are the Responsibilities?

  • Is someone responsible to ensure that the app remains secure (and relevant)?
  • Are there consequences if the app’s vulnerabilities are not fixed?
  • Do you know the risk to your agency if riders cannot do business with you?
  • Do you know the risk to your agency if riders lose their personal and financial information because of your app?
  • Whose job will be lost in the aftermath of a hack?

What About a Support Plan?

  • Is there a way to inform riders about app issues?
  • Is there a way to shut down or remove an app when/if it is a security risk?
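One concrete way to answer the second question is a remote kill switch: the agency publishes a small signed status document, and the app checks it before enabling fare payment, refusing to proceed if the document is missing, tampered with or stale. The code below is an added illustration, not code from the article or from any agency or vendor it describes; the HMAC key, the 24-hour freshness window and the JSON layout are constructed for the example (a production app would verify a public-key signature so that no secret ships inside the app).

```python
"""Signed remote kill switch for a transit app (constructed example).

The agency publishes a JSON status document signed with HMAC-SHA256.
The app verifies it before allowing fare payment. Every failure path
(no document, malformed envelope, bad signature, stale document) fails
closed: payments are disabled and the rider is told why.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real deployment would use an asymmetric signature
# and ship only the public key in the app.
AGENCY_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 24 * 3600  # assumed freshness window


def sign_status(status: dict, key: bytes = AGENCY_KEY) -> str:
    """Agency side: serialise the status canonically and attach an HMAC tag."""
    body = json.dumps(status, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "sig": tag})


def payments_allowed(document: Optional[str], now: float,
                     key: bytes = AGENCY_KEY) -> Tuple[bool, str]:
    """App side: return (allowed, reason). Any problem means 'not allowed'."""
    if not document:
        return False, "no status document"
    try:
        envelope = json.loads(document)
        body, sig = envelope["body"], envelope["sig"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed envelope"

    # Verify the tag before trusting anything inside the body.
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    status = json.loads(body)
    # A replayed old "enabled" document must not override a newer shutdown.
    if now - status.get("issued", 0) > MAX_AGE_SECONDS:
        return False, "stale status"
    if status.get("payments") != "enabled":
        return False, status.get("message", "payments disabled by agency")
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed clock value
    live = sign_status({"payments": "enabled", "issued": now - 60})
    print(payments_allowed(live, now))
    paused = sign_status({"payments": "disabled", "issued": now - 60,
                          "message": "Fare payment paused; use your farecard"})
    print(payments_allowed(paused, now))
```

The design point is that the app never decides on its own that payments are safe: it needs a fresh, correctly signed "enabled" document, so an attacker who blocks or serves a forged status only achieves a shutdown, never a re-enable, and the rider-facing message in the document doubles as the "inform riders" channel from the first question.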

Have a Recovery Plan

  • How long will it take to regain normal operations after a hack?
  • How long will it take to regain the public’s trust after a hack?
  • What is your total financial obligation when a hack occurs?
  • What is the outcome of your Agency’s relationship with key vendor(s) in the aftermath of a hack?

Well-conceived and created apps can greatly enhance transit experiences. When your agency does the up-front work to build a resilient ecosystem to support and protect riders who use the app, then life is grand. For all others — proceed with great caution.

Leigh Weber, CISSP is the principal with Cybersecurity Analysis Ltd.