Friday, April 4, 2014

Credit Cards for 1.2 Million Drivers Vulnerable at TxTag.org

It's been a bad couple of weeks for transportation authorities in the two biggest US states. On March 22, Brian Krebs broke the story of a wide-ranging credit card breach at the California DMV. That breach apparently involved credit cards used at the CA DMV's online web site over a 6 month period from August 2013 to January 2014.

Today I discovered a serious flaw at TxTag.org, the Texas Department of Transportation's toll road account management and payment system. This flaw exposes personal information for the (as of December 31) 1.2 million drivers with active TxTags, including names, full mailing addresses, email addresses, phone numbers, and credit card numbers with expiration date.

This is especially embarrassing to the organization because they themselves acknowledge a "cyber attack" almost two years ago (they do not believe any accounts were compromised at that time). The ease of the below demonstration makes it highly unlikely they are correct. Worse, it shows they did nothing to improve data security after facing an attack.

TxTag.org uses predictable account names - an 8-digit number beginning with the number 2. Account holders may select a custom account name, but the original 8-digit TxTag number assigned to the account remains valid. Further, TxTag.org limits users to a 4-digit numeric PIN. That in and of itself is a recipe for abuse. To make matters worse, TxTag inexplicably stores the complete credit card number with expiration date as a hidden field on the Update AutoPay Methods page.

Card number not shown on screen...

...but full number appears in HTML source

Data Genetics wrote a very informative article in 2012 that analyzed the relative frequency in which different numbers are used as PINs; it turns out that when asked to select a 4-digit PIN, over 1 in 10 people will chose "1234", and well over a quarter will choose one of 20 common numbers. Keep in mind that this is based on an analysis of data from past breaches and is not TxTag-specific data:

High Frequency PINs

Given a predictable account name and a list of high-frequency PINs, it would not take an attacker long to gain access to thousands of accounts. Having access to the account, one could access the account holder's personal information, license plates, makes and models of the registered vehicles, and credit card information; one could also add additional vehicles for which tolls would be billed to the unsuspecting victim.

I have no evidence to say data has been stolen from TxTag.org. Given the ease of this attack method and the fact that there have been known targeted attacks in the past though, I would not be in the slightest bit surprised to find that this data is already in the hands of miscreants. Bottom line? If you have an account with TxTag, don't use one of the above high-frequency PINs, and consider any credit card stored in that account to be at risk.

TxTag and TxDOT have not yet responded to my request for comment. I will update here if I get a reply.

4/4 10:00pm edit:

I want to add a couple of comments to ensure my findings are not taken out of context.

- I have no indication credit cards have actually been stolen. I merely found and reported a flaw that could very easily be exploited to obtain this information. However, given a documented attack 2 years ago and the ease with which this can be exploited, I believe there is a strong chance someone else could have discovered it as well.

- There are 1.2 million active TxTags (vehicle stickers with microchips, which are scanned by electronic readers on toll roads). There can be more than one TxTag on an account, so the number of vulnerable accounts is likely somewhat lower.

- The problem lies in the AutoPay Method screen. If you do not have a credit card or bank account stored for automatic payments, then financial data cannot be stolen through this manner. However, all other information (names, addresses, email, phone numbers, vehicle license plates and make/model/color) are still at risk through the poor password format.

4/6 9:00am edit:

More information on the "cyber attack" of two years ago: while the agency asserts that no personal or credit card information was stolen in the attack, about 1,600 customers experienced some $46,000 in erroneous charges to their credit cards.

I have yet to receive an "on-the-record" comment from anyone responsible. A source that prefers to remain unnamed confirms though that the office of the CISO for the State of Texas is informed.

4/7 6:00am edit:

Over the weekend, TxTag.org underwent scheduled downtime for some planned maintenance. As of this morning, the website is back online but the critical page for this flaw (the "Update Payment Methods" page for automatic payments) now shows this instead of the credit card number:


Kudos to TxDOT for taking quick action to remove the credit card disclosure. While this addresses the risk of credit card data leaking, there is still considerable personal information that is protected only by a 4-digit PIN. I'll be interested to see how this is addressed. Incidentally, thanks to Michael Scheidell for pointing out that the Florida Sunpass.com site also uses a 4-digit PIN as password (though without the credit card disclosure).