Security glitch found in N.J. electronic toll system

InfoWorld - A security breach on the E-ZPass electronic toll system for the New Jersey Turnpike has led to a suspension of the application pending repairs, although no customer payment information was accessed, according to a spokesman for the Turnpike Authority.

The application is based on an e-mail-based account information system.

A programmer and user of the E-ZPass system, Christopher Reagoso, who lives in Pennsylvania, brought the security glitch to the attention of a local Philadelphia television station last week. Although Reagoso wasn't able to access home addresses, telephone numbers or checking information, turnpike officials acknowledged that he was able to view account information such as turnpike usage and names of the users in the e-mail billing system of the largest electronic toll collection system in the U.S.

"We don't feel there was any criminal intent," said Lynn Fleeger, director of public affairs at the authority, referring to the security breach. The online account statement system will be up and running again in about one to two weeks when "the proper security measures have been put in place," Fleeger said. Until then, turnpike customers will be able to retrieve account information through access to the turnpike Web site secured with personal identification numbers and through paper documents, Fleeger said.

Although The Chase Manhattan Bank serves as the online customer service contractor for the E-ZPass site, Chase subcontracted the e-mail billing portion to PSI Technologies in Austin, Texas, a provider of systems for posting, processing and accessing electronic documents, said spokespersons for E-ZPass, the authority and Chase.

In a statement, a Chase spokeswoman said the bank has quickly resolved the security issues and no sensitive information has been disclosed. The hacker didn't gain access to any password, credit card or other payment information, the spokeswoman said.

Chase responded immediately by shutting down the account information system and is taking steps to implement additional security features, the spokeswoman said. Testing will be done prior to resuming operations.

Using wireless technology, the E-ZPass electronic toll collection system reads account information encoded on an electronic tag attached to the inside of motorists' windshields, turnpike officials said. As a driver passes through E-ZPass toll lanes, an overhead antenna and reader reviews the account information and deducts tolls from the motorist's prepaid account.

The system sidesteps the need for cash, tickets or tokens.

Related links:

• For more security coverage, visit our Security Watch page.



• Have opinions on security issues? Head to the forums. (Note: Registration required to post message; anyone may read messages. To register on Computerworld's forums, click here).