(Bloomberg) -- Hackers can already take control of a car. And as vehicles become rolling shopping malls, cybercriminals will have an opportunity to snatch your identity, too.

Eager for a cut of drivers’ purchases of fast food, gas and more, automakers have big plans to bring e-commerce to the dashboard. Ford Motor Co. already has an app that lets drivers dictate an order to Domino’s Pizza using voice controls and a smartphone. General Motors Co. this year began offering AtYourService, which alerts drivers to deals at Dunkin’ Donuts or lets them book a hotel room on Priceline.com using voice commands. By 2020, as many as 40 percent of new vehicles sold worldwide will let drivers shop from behind the wheel, predicts Thilo Koslowski, vice president of the auto practice at Gartner.

By 2022, 82.5M autos will be connected to the Internet

Connected cars present a rich target, akin to retailers or banks, where hackers can troll for credit card numbers, home addresses, e-mail information and all the other personal details required for identity theft.

“Today the motivation for hacking a car is mischief, with an objective of hurting people or car companies,” Koslowski said. Once drivers can shop with impunity as they roll down the highway, “the car will definitely be viewed as a vulnerable device.”

Most cars sold today lack the technology for drivers to pay for items they purchase (unless they use a smartphone). But by 2022, 82.5 million autos worldwide will be connected to the Internet, more than triple the number now, according to researcher IHS Automotive. In the next two to five years, “buy buttons” connected to smartphone mobile wallets will start appearing on dashboards, according to Richard Crone, who runs payment adviser Crone Consulting LLC. That means motorists will soon be able to buy a pizza, fill up the tank or preorder a half caf skinny macchiato from Starbucks without pulling out their phone.

Banking app for cars on its way

Banks and credit card companies are looking to pile in. Visa has developed an app for the dashboard or smartphone that enables the car to automatically purchase gasoline, parking and fast food. Commercial deployments will be announced in the next three to six months. FIS, a payment technology company, is developing a banking app for cars that will let drivers pay bills or check balances.

Commuters want to be constantly connected, and shopping from the steering wheel is the next logical step, said Phil Abram, chief infotainment officer of GM’s OnStar system, a blue button on the rearview mirror that links drivers to a live attendant.

“Over 3 million times a year, somebody pushes the blue button in a car and asks for directions to a hotel or to ask ‘Where is a coffee shop or gas station?’” Abram said in an interview. “The roots of this are in what customers want.”

But automakers this summer have proven easy targets for hackers. Two security experts hacked into a Jeep Cherokee’s infotainment system in July to take control of the engine and transmission as an 18-wheeler was bearing down on it. OnStar also was hacked when a security researcher used a small device hidden on a 2013 Chevrolet Volt to take control of GM’s RemoteLink app, which allowed him to unlock the car and start its engine.

“This has been a bit of a blind spot for automakers,” Mark Boyadjis, a technology analyst for IHS, said of cars’ vulnerability to hacking.

The Jeep hack forced parent company Fiat Chrysler Automobiles NV to recall 1.4 million vehicles and ask wireless partner Sprint Corp. to issue a temporary fix over its network. GM worked with the “white hat” hacker to come up with a software patch for RemoteLink within 24 hours, Abram said. Early services like Ford’s Domino’s app don’t put a driver’s credit card information at risk because that data is stored in the smartphone, the automaker said. Visa’s in-car payments will use a randomly generated digital “token” rather than the credit card number.

Opening dashboards to apps will invite thieves

Hackers bent on identity theft are expected to infiltrate cars through the entertainment portal, as the Jeep hackers did, or market malicious apps that appear harmless or even helpful, but actually steal personal information. Opening the dashboard to apps from third parties will invite thieves along for the ride, said Ryan Smith, chief scientist for Optiv, a cybersecurity company that consults with automakers.

“When payment systems come online inside of cars, it will be an attack surface that attackers will start looking at and poking at,” said Smith, who has worked with Charlie Miller and Chris Valasek, the men behind the Jeep hack. “You’re going to see the entire spectrum of fraud inside these vehicles.”

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
