Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. The card doesn't have to know the password; it just has to respond that the password is correct. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA. San Francisco launched the $35-million meter project in 2003 to deploy 23,000 smart meters made by Canadian firm J.J. MacKay around the city in an effort to thwart thieves. 'If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it,' says Grand. 'That's costing all of us taxpayers money.'"
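
An added example, not part of the original story and not the meter vendor's code: a Python model of the design weakness described above, where the meter trusts the card's own "password correct" reply, next to a challenge-response check in which the card must prove it holds an issuer-derived key. The master key, card IDs, class and function names, and the choice of an HMAC scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MASTER_KEY = b"constructed-demo-master-key-0001"  # constructed sample value
METER_PASSWORD = b"constructed-password"          # constructed sample value


def card_key(master_key: bytes, card_id: bytes) -> bytes:
    """Per-card key diversified from the issuer's master key."""
    return hmac.new(master_key, b"card-key|" + card_id, hashlib.sha256).digest()


def balance_tag(key: bytes, nonce: bytes, card_id: bytes, cents: int) -> bytes:
    """MAC binding the meter's fresh nonce to the card id and claimed balance."""
    msg = nonce + card_id + cents.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class IssuedCard:
    """Card personalised by the issuer, so it holds its diversified key."""
    def __init__(self, card_id: bytes, cents: int, key: bytes):
        self.card_id, self.cents, self.key = card_id, cents, key

    def password_ok(self, password: bytes) -> bool:   # legacy exchange
        return hmac.compare_digest(password, METER_PASSWORD)

    def answer(self, nonce: bytes):                   # hardened exchange
        return self.card_id, self.cents, balance_tag(self.key, nonce, self.card_id, self.cents)


class KeylessCard(IssuedCard):
    """Device that was never personalised: it holds no issuer key or password."""
    def __init__(self, card_id: bytes, cents: int):
        super().__init__(card_id, cents, key=bytes(32))

    def password_ok(self, password: bytes) -> bool:
        return True   # the reply is all the legacy meter ever sees


def legacy_meter_accepts(card) -> bool:
    # Scheme described in the story: the meter trusts the card's own verdict.
    return card.password_ok(METER_PASSWORD)


def hardened_meter_accepts(card, master_key: bytes = MASTER_KEY) -> bool:
    nonce = os.urandom(16)   # fresh per transaction, so old answers cannot be replayed
    card_id, cents, tag = card.answer(nonce)
    expected = balance_tag(card_key(master_key, card_id), nonce, card_id, cents)
    return hmac.compare_digest(tag, expected)
```

In the legacy check the verifier learns nothing about the card, because the party being authenticated supplies the verdict; in the hardened check the meter computes the expected answer itself, so a balance claim without the issuer-derived key is rejected.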