There are 1.2 million accounts on the vulnerable website

Apr 7, 2014 13:08 GMT  ·  By

Last week, security researcher David Longenecker identified a vulnerability in the Texas Department of Transportation’s TxTag.org website that exposed users’ details, including their credit card data.

TxTag is the electronic toll tag system that lets drivers use toll roads throughout Texas and have the tolls billed to a prepaid account instead of stopping to pay. There are around 1.2 million accounts on TxTag.org.

According to the researcher, an attacker could easily have gained access to names, mailing addresses, phone numbers, email addresses, credit card numbers and expiration dates. The problem is that a TxTag account is protected only by a 4-digit numeric PIN, and the account number it is paired with is easy to guess.

“TxTag.org uses predictable account names - an 8-digit number beginning with the number 2. Account holders may select a custom account name, but the original 8-digit TxTag number assigned to the account remains valid,” the researcher explained.

“Further, TxTag.org limits users to a 4-digit numeric PIN. That in and of itself is a recipe for abuse. To make matters worse, TxTag inexplicably stores the complete credit card number with expiration date as a hidden field on the Update AutoPay Methods page.”

Previous research on PIN choice has found that “1234” is by far the most commonly chosen 4-digit PIN, with “1111,” “0000” and “1212” among the other frequent choices. An attacker does not need to guess any particular user’s PIN: trying a short list of common PINs against every account number in the predictable range is enough to break into a noticeable share of them.

“Given a predictable account name and a list of high-frequency PINs, it would not take an attacker long to gain access to thousands of accounts,” Longenecker noted.

“Having access to the account, one could access the account holder's personal information, license plates, makes and models of the registered vehicles, and credit card information; one could also add additional vehicles for which tolls would be billed to the unsuspecting victim.”
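The attack Longenecker outlines (sequential account numbers, a ten-entry list of common PINs, one PIN tried across every account at a time) is modeled below as an added Python example; it is not code from his write-up or from TxTag. The account population, the PIN-frequency shares and the guess list are constructed for the simulation, and the model also shows why a per-account lockout alone only shortens the attacker's usable PIN list rather than stopping the spray.

```python
"""Model of PIN spraying against enumerable 8-digit account numbers that
begin with 2 and are protected only by a 4-digit numeric PIN.
All accounts, PINs and population shares below are constructed."""
import random

# Constructed guess list: the three PINs the article names, then a few other
# short, repetitive PINs. A real attacker list would be longer.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004",
               "2000", "4444", "2222", "6969"]


def make_accounts(n, common_share=0.20, seed=1):
    """Build n synthetic accounts keyed by a sequential 8-digit number starting
    with 2. An assumed `common_share` of holders picks from COMMON_PINS; the
    rest pick uniformly from the 10,000 possible PINs."""
    rng = random.Random(seed)
    accounts = {}
    for i in range(n):
        acct = f"2{i:07d}"          # 20000000, 20000001, ...: trivially enumerable
        if rng.random() < common_share:
            pin = rng.choice(COMMON_PINS)
        else:
            pin = f"{rng.randrange(10_000):04d}"
        accounts[acct] = pin
    return accounts


def spray(accounts, guesses, lockout_after=None):
    """PIN spraying: try guesses[0] against every account, then guesses[1],
    and so on. Going wide across accounts rather than deep on one keeps each
    account's failure count low, so a per-account lockout after
    `lockout_after` failures only trims the usable guess list."""
    failures = dict.fromkeys(accounts, 0)
    compromised = set()
    attempts = 0
    for pin in guesses:
        for acct, real_pin in accounts.items():
            if acct in compromised:
                continue
            if lockout_after is not None and failures[acct] >= lockout_after:
                continue                  # account locked; attacker moves on
            attempts += 1
            if pin == real_pin:
                compromised.add(acct)
            else:
                failures[acct] += 1
    return {"compromised": compromised, "attempts": attempts}


def run_demo(n=10_000):
    """Compare an unprotected login against one that locks after 3 failures."""
    accounts = make_accounts(n)
    open_site = spray(accounts, COMMON_PINS)
    locked_site = spray(accounts, COMMON_PINS, lockout_after=3)
    return {
        "accounts": n,
        "no_lockout_compromised": len(open_site["compromised"]),
        "no_lockout_attempts": open_site["attempts"],
        "lockout3_compromised": len(locked_site["compromised"]),
        "lockout3_attempts": locked_site["attempts"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the constructed 20% share of common PINs, roughly one account in five falls to ten guesses each, at about fifty login attempts per takeover; the lockout variant still yields every account whose PIN is among the first three guesses. The durable fixes are a secret that is not drawn from a 10,000-value space, account identifiers that are not sequential, and throttling per source rather than per account.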

The researcher says there is no evidence that the method he uncovered has been used by cybercriminals, but given how easy the attack is to pull off, it would not be surprising if it has.

Longenecker reported his findings to TxTag and the Texas Department of Transportation, but neither organization responded. However, in an update posted on Monday, he noted that the website underwent scheduled maintenance over the weekend.

It is unclear whether the flaw has been fully fixed, but for the time being, users who open the Update AutoPay Methods page are shown a message that reads, “We are currently undergoing maintenance.”

We’ve reached out to TxTag to see if they can comment on the researcher’s claims. The article will be updated if they respond to our inquiry.

Additional details on the TxTag hack are available on David Longenecker’s website.

Update. TxTag representatives have responded to our inquiry. Here's what they've told us:

“TxDOT is aware of the blog post and the described vulnerability. There were no breaches of security on the TxTag site and no customer information was accessed.

In an effort to improve security, TxTag has disabled the subject page and is working on enhancements. We regret any customer inconvenience as we work to further enhance the security features of our site.”