Information Security News mailing list archives
New Jersey Turnpike electronic toll collection system hacked
From: William Knowles <wk () C4I ORG>
Date: Wed, 25 Oct 2000 13:16:38 -0500
http://www.infoworld.com/articles/hn/xml/00/10/25/001025hnezpass.xml Wednesday, Oct. 25, 2000 11:38 am PT By Eugene Grygo A SECURITY BREACH on the E-ZPass electronic toll system for the New Jersey Turnpike has led to a suspension of the application pending repairs, although no customer payment information was accessed, according to a spokesman for the Turnpike Authority. The application is based on an e-mail-based account information system. A programmer and user of the E-ZPass system, Christopher Reagoso, who lives in Pennsylvania, brought the security glitch to the attention of a local Philadelphia television station last week. Although Reagoso was not able to access home addresses, telephone numbers, or checking information, turnpike officials acknowledged that he was able to view account information such as the turnpike usage and names of the users in the e-mail billing system of the largest electronic toll collection system in the United States. "We don't feel there was any criminal intent," said Lynn Fleeger, director of public affairs for the authority, about the hacking. The online account statement system will be up and running again in about one to two weeks when "the proper security measures have been put in place," Fleeger said. Until then, turnpike customers will be able to retrieve account information via PIN-secured access to the turnpike Web site and via paper documents, Fleeger said. Although Chase Manhattan Bank is serving as the online customer service contractor for the E-ZPass site, at www.ezpass.com, Chase subcontracted the e-mail billing portion to PSI Technologies, of Austin, Texas, a provider of systems for posting, processing, and accessing electronic documents, said spokespersons for E-ZPass, the authority, and Chase. In a prepared statement, a Chase spokeswoman said the bank has quickly resolved the security issues and no sensitive information has been disclosed. The individual did not gain access to any password, credit card, or other payment information, according to the spokeswoman. Chase responded immediately by shutting down the system, which is operated by a subcontractor to Chase, and is taking steps to implement additional security features, the spokeswoman said. Testing will be done prior to resuming operations. Using wireless technology, the E-ZPass electronic toll collection system reads account information encoded on an electronic tag stuck to the inside of motorists' windshields, turnpike officials said. As drivers pass through E-ZPass toll lanes, an overhead antenna and reader reviews the account information and deducts tolls from the motorist's prepaid account. The system sidesteps the need for cash, tickets, or tokens. The E-ZPass system is in use by a regional consortium consisting of the Port Authority of New York and New Jersey, New Jersey bridges and tunnels, the Delaware Turnpike and Delaware State Route 1 in New Jersey on the Atlantic City Expressway, the New Jersey Turnpike, and the Garden State Parkway. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- New Jersey Turnpike electronic toll collection system hacked William Knowles (Oct 26)