Wednesday, July 9, 2014

TxDOT fixes security issues with txtag.org

In April, I reported several security concerns to the Texas Department of Transportation, which is responsible for, among other things, toll roads throughout the state. The concerns had to do with the billing and management website for TXTAG, one of several tolling systems in the state. Specifically, the login design made it easy for someone with ill intent to gain unauthorized access to a substantial portion of driver accounts and, having gained access, to acquire complete credit card numbers along with the collateral necessary to use them (expiration date, mailing address, cardholder name).

The agency was quick to fix the second half of this issue. I reported the issues ahead of a weekend during which the agency already had the web site down for planned maintenance, and the credit card disclosure flaw was fixed before the payment portion of the site came back online. This eliminated the more critical flaw, but it still left open a way for a criminal to access personally identifying information on potentially several hundred thousand drivers – information including home addresses, phone numbers, email addresses, automobile descriptions and license plate numbers. It would also be possible to add a vehicle to someone else’s account.

Today, TxDOT rolled out a significant update to the web site – an update that they had announced several months ago in conjunction with Xerox. At first glance, the enhancements nicely address the concerns I raised.

First, and most important, the new site now permits (in fact, requires) strong passwords. The new password rules require at least one upper-case letter, one lower-case letter, and one number or symbol, and the password must be between 8 and 12 characters long. This is a huge improvement over the old system of a 4-digit numeric PIN, for which a fifth of people chose an easily predicted number. To prevent users from continuing with an old, weak password, the site requires all users to create a new password the first time they log in.
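To put the old and new designs side by side, here is an added example (my own code, not anything from TxDOT or Xerox) that checks a password against the rules described above and counts how many passwords each scheme allows. The figure of 32 accepted symbol characters is an assumption; the post does not list which symbols the site accepts.

```python
import math
from itertools import combinations

# Character classes the new policy requires, as described in the post.
# The symbol count (32 printable ASCII punctuation marks) is an assumption;
# the post does not say which symbols the site accepts.
UPPER = 26
LOWER = 26
DIGITS_OR_SYMBOLS = 10 + 32
CLASSES = (UPPER, LOWER, DIGITS_OR_SYMBOLS)
MIN_LEN, MAX_LEN = 8, 12


def meets_policy(password: str) -> bool:
    """True if the password satisfies the rules the post describes."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_other = any(not c.isalpha() for c in password)  # digit or symbol
    return has_upper and has_lower and has_other


def count_valid(length: int) -> int:
    """Number of strings of this length that contain at least one character
    from every required class, by inclusion-exclusion over the classes."""
    total = 0
    for k in range(len(CLASSES) + 1):
        for excluded in combinations(CLASSES, k):
            alphabet = sum(CLASSES) - sum(excluded)
            total += (-1) ** k * alphabet ** length
    return total


def policy_keyspace() -> int:
    """All passwords the new policy accepts, across the allowed lengths."""
    return sum(count_valid(n) for n in range(MIN_LEN, MAX_LEN + 1))


def pin_keyspace() -> int:
    """The old scheme: a 4-digit numeric PIN."""
    return 10 ** 4


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of guessing work."""
    return math.log2(keyspace)


if __name__ == "__main__":
    print(f"old 4-digit PIN: {pin_keyspace():,} ({bits(pin_keyspace()):.1f} bits)")
    print(f"new policy:      {policy_keyspace():,} ({bits(policy_keyspace()):.1f} bits)")
```

The keyspace count is a ceiling, not what users actually pick; as the post notes for PINs, predictable choices shrink the effective space, which is why the CAPTCHA and forced reset matter as much as the rules themselves.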

Second, the new system uses a “captcha” to make it more difficult for an automated scanner to brute force an account. Whereas the previous system allowed one to simply send request after request trying known account numbers and predicted passwords, the new system requires an intelligent being to see and enter a number. Yes, it can be defeated, but it moves the bar much higher for a potential attacker.

Nicely done.