Wednesday, July 9, 2014

TxDOT fixes security issues with txtag.org

In April, I reported several security concerns to the Texas Department of Transportation, which is responsible for among other things toll roads throughout the state. The concerns had to do with the billing and management website for TXTAG, one of several tolling systems in the state. Specifically, the login design made it easy for someone with ill intent to gain unauthorized access to a substantial portion of driver accounts, and having gained access, to acquire complete credit card numbers along with the collateral necessary to use them (expiration date, mailing address, cardholder name).

The agency was quick to fix the second half of this issue. I reported the issues ahead of a weekend during which the agency already had the web site down for planned maintenance, and the credit card disclosure flaw was fixed before the payment portion of the site came back online. This eliminated the more critical flaw, but it still left open a way for a criminal to access personally identifying information on potentially several hundred thousand drivers – information including home addresses, phone numbers, email addresses, automobile descriptions and license plate numbers. It would also be possible to add a vehicle to someone else’s account.

Today, TXDOT rolled out a significant update to the web site – an update that they had announced several months ago in conjunction with Xerox. At first glance, the enhancements nicely address the concerns I raised.


First, and most important, the new site now permits (in fact, requires) strong passwords. The new password rules are to include at least one upper case letter, one lower case letter, and one number or symbol. The password must be between 8 and 12 characters long. This is a huge improvement over the old system of a 4-digit numeric PIN, for which a fifth of people chose an easily predicted number. To prevent users from continuing with an old, weak password, the site requires all users to create a new password the first time they log in.

Second, the new system uses a “captcha” to make it more difficult for an automated scanner to brute force an account. Whereas the previous system allowed one to simply send request after request trying known account numbers and predicted passwords, the new system requires an intelligent being to see and enter a number. Yes it can be defeated, but it moves the bar much higher for a potential attacker.

Nicely done.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.