In a story datelined 24-Oct-2000, and headlined:
New Jersey shuts down E-ZPass statement site after security breached
The Associated Press reported on a problem with privacy and security on
the New Jersey EZPASS website where people can review their usage.
(EZPass is a radio transponder placed in your motor vehicle which is
"read" at toll booths, enabling you to zip through without having to stop
and hand over cash. Naturally it keeps records of when and where you
were for billing purposes... Which is another RISK altogether)
Per the story:
TRENTON, N.J. (AP) -- A security breach has forced New Jersey
officials to temporarily shut down a service that allows E-ZPass users
to get monthly statements via e-mail.
The story contains claims and counter-claims, some of which are mutually
exclusive, but then has the following paragraph:
Reagoso said Monday that it wasn't hard to break into the system. He
discovered that the electronic statements aren't sent directly to
drivers via e-mail, but rather drivers are provided with a link to
access their accounts.
Presumably the link for, say, October would have been something like
www.[the number of your account].200010.[somelocation]
and all you'd have to do is replace your own account number with the
person's you were looking for.
Quoting one more paragraph from the story:
"It's something that an eighth-grader who designs his own Web page at
home is capable of doing," Reagoso said. "It took four accidental
keystrokes to display anybody's account."
I just checked the EZPass website (www.ezpass.com) and they don't have
any comments posted...
[It turns out Mr. Reagoso has his own website:
http://www.reagoso.com
in which he says a bit more. DB] [danny burstein via risks-digest Volume 21, Issue 09]
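
The check that the presumed link scheme above lacks, as an added example (not code from the E-ZPass site or from this post): the statement is served only when an HMAC tag over the account, period and expiry verifies and the logged-in account matches the one in the link. The URL layout, key, function names and account numbers are constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store


def _tag(account: str, period: str, expires: int, key: bytes) -> str:
    # The tag covers every field a user could edit in the link.
    msg = f"{account}|{period}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_statement_link(account, period, expires, key=SERVER_KEY):
    """Build the e-mailed link (hypothetical layout) with its integrity tag."""
    sig = _tag(account, period, expires, key)
    return f"/statement/{account}/{period}?exp={expires}&sig={sig}"


def fetch_statement_weak(account, period):
    """Behaviour the post presumes: whatever account is in the URL is served."""
    return f"statement {account} {period}"


def fetch_statement_checked(account, period, expires, sig,
                            session_account, now, key=SERVER_KEY):
    """Serve only an untampered, unexpired link to the account's own session."""
    expected = _tag(account, period, expires, key)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # account, period or expiry was edited in the URL
    if now > expires:
        return None  # stale link from an old e-mail
    if session_account != account:
        return None  # valid link used from another account's session
    return f"statement {account} {period}"


if __name__ == "__main__":
    link = make_statement_link("1000123", "200010", expires=2000)
    sig = link.split("sig=")[1]
    print(link)
    # Own account, own session: served.
    print(fetch_statement_checked("1000123", "200010", 2000, sig, "1000123", 1000))
    # Account number changed in the URL: tag no longer verifies.
    print(fetch_statement_checked("1000124", "200010", 2000, sig, "1000124", 1000))
```

The session comparison is the control that matters; the signed link only adds tamper detection and expiry on top of it.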