Information Security News mailing list archives

New Jersey Turnpike electronic toll collection system hacked


From: William Knowles <wk () C4I ORG>
Date: Wed, 25 Oct 2000 13:16:38 -0500

http://www.infoworld.com/articles/hn/xml/00/10/25/001025hnezpass.xml

Wednesday, Oct. 25, 2000 11:38 am PT
By Eugene Grygo

A SECURITY BREACH on the E-ZPass electronic toll system for the New
Jersey Turnpike has led to a suspension of the application pending
repairs, although no customer payment information was accessed,
according to a spokesman for the Turnpike Authority.

The application is based on an e-mail-based account information
system.

A programmer and user of the E-ZPass system, Christopher Reagoso, who
lives in Pennsylvania, brought the security glitch to the attention of
a local Philadelphia television station last week. Although Reagoso
was not able to access home addresses, telephone numbers, or checking
information, turnpike officials acknowledged that he was able to view
account information such as the turnpike usage and names of the users
in the e-mail billing system of the largest electronic toll collection
system in the United States.

"We don't feel there was any criminal intent," said Lynn Fleeger,
director of public affairs for the authority, about the hacking. The
online account statement system will be up and running again in about
one to two weeks when "the proper security measures have been put in
place," Fleeger said. Until then, turnpike customers will be able to
retrieve account information via PIN-secured access to the turnpike
Web site and via paper documents, Fleeger said.

Although Chase Manhattan Bank is serving as the online customer
service contractor for the E-ZPass site, at www.ezpass.com, Chase
subcontracted the e-mail billing portion to PSI Technologies, of
Austin, Texas, a provider of systems for posting, processing, and
accessing electronic documents, said spokespersons for E-ZPass, the
authority, and Chase.

In a prepared statement, a Chase spokeswoman said the bank has quickly
resolved the security issues and no sensitive information has been
disclosed. The individual did not gain access to any password, credit
card, or other payment information, according to the spokeswoman.

Chase responded immediately by shutting down the system, which is
operated by a subcontractor to Chase, and is taking steps to implement
additional security features, the spokeswoman said. Testing will be
done prior to resuming operations.

Using wireless technology, the E-ZPass electronic toll collection
system reads account information encoded on an electronic tag stuck to
the inside of motorists' windshields, turnpike officials said. As
drivers pass through E-ZPass toll lanes, an overhead antenna and
reader reviews the account information and deducts tolls from the
motorist's prepaid account.

The system sidesteps the need for cash, tickets, or tokens.

The E-ZPass system is in use by a regional consortium consisting of
the Port Authority of New York and New Jersey, New Jersey bridges and
tunnels, the Delaware Turnpike and Delaware State Route 1 in New
Jersey on the Atlantic City Expressway, the New Jersey Turnpike, and
the Garden State Parkway.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com