Sanral's online security examined

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 20 Jan 2014
Sanral is yet to inform users whose personal information may have been accessed due to a serious security flaw in its Web site.

The SA National Roads Agency (Sanral) says it takes the security of road users' data very seriously and has now taken steps to identify potential security holes that could render personal information vulnerable.

However, the company responsible for building and running its Web site has yet to provide details as to how many people were affected - and what users should do to safeguard themselves - as a result of weak security measures.

This comes after at least three separate security issues relating to the road agency's online systems have been brought to its attention over the past few months. The first issue - reported by ITWeb in October - involved a limited security flaw in the e-tolls Web site that could allow attackers to capture personal information such as identity numbers, car registration details, physical and e-mail addresses, as well as cellphone numbers.

The second security hole, less simple and limited in scope, was uncovered a week after tolling went live last month. ITWeb revealed how an online portal developed by Sanral to allow unregistered road users to check outstanding e-toll fees allowed would-be snoops to track motorists' movements with just a vehicle licence number in hand.

The most recent issue - far more serious in nature and implication - was brought to Sanral's attention earlier this month. Through a security flaw inherent in the login process on Sanral's site, attackers could get into users' accounts, giving them full access to personal data such as car registration, phone numbers, physical address and other information. Sanral has since patched flaws, but has yet to apologise or advise users on whether they have been jeopardised by them.

While the e-toll system only went live insofar as road users started being billed on 3 December, Sanral says it has been ready for two years. However, the said glitches - some stemming from elementary oversights - have IT pundits believing the agency was not as ready as it should have been.

Web site woes

Last week, Sanral said it had initiated a "full security source review to identify anything that our regular penetration testing has not picked up".

The agency says it adopts a hybrid approach to managing its online security, using both internal and external practitioners. "Specialised skills such as penetration testing are outsourced to industry experts to get an objective view of internal controls."

The company responsible for developing and running Sanral's Web site is Electronic Tolling Collection (ETC) and, despite the recently found failings, the roads agency says it has full confidence in its service provider.

ETC is still in the process of investigating the various flaws, says Sanral, and has not yet provided information around the risk to users.

In terms of how Sanral has reacted to security glitches, spokesperson Vusi Mona says the agency "carries out regular penetration testing and we fix any vulnerabilities immediately once we are aware of them".

However, Craig Rosewarne, MD of Wolfpack and founder and chairman at Information Security Group of Africa, says penetration testing is but one very small part of the whole security environment.

"[It] by no means provides assurance that a company has adequate controls in place. You would expect a company such as Sanral - that potentially has a serious percentage of the Gauteng population unhappy about e-tolls - has a solid information security management system in place to manage their risk. I believe they would increasingly become a target of hacktivists."

Rosewarne says with privacy laws and the collection and protection of personal information, Sanral will have to continuously improve its security to avoid any further possible breaches and headlines. "Do they have solid information security controls in place? I don't know, but based on the security maturity of the typical organisation in SA I don't believe it will be enough - time will tell."

Sanral says it has developed partnerships with various security consultancies and experts. "[The agency will] continue to seek expert advice to ensure road user information is protected."

Manuel Corregedor, operations manager at Wolfpack, believes the first mistake Sanral made was the decision to use four-digit PINs.

"The problem with using a four-digit PIN is that it is a lot easier to brute force (guess) as opposed to a 15- to 20-character password that has alphanumeric characters with special symbols. The four-digit PIN, combined with the fact that the user name was limited to a non-case-sensitive character set, substantially increased the chances of an attacker being able to guess the login credentials of a user."

He says Sanral should introduce two-factor authentication - a means of increasing security. "Two-factor authentication would require that a user enter in another pass code in addition to their PIN. This pass code could be SMSed to the user or generated on the user's mobile device using a mobile application."
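The two points Corregedor makes above - that a four-digit PIN drawn from ten symbols is a tiny search space next to a 15- to 20-character mixed password, and that a second pass code generated on the user's device would close the gap - can be made concrete. The script below is an added example, not code from Sanral, ETC or the article; it computes the credential keyspaces and the chance of a guess landing within a small lockout budget, and implements the device-generated code as a standard HMAC-based one-time password (RFC 4226 HOTP under an RFC 6238 time step). The 94-symbol alphabet, the five-attempt lockout budget and the shared secret are constructed illustration values, not figures from the page.

```python
"""Added example (not Sanral's or ETC's code): the 4-digit PIN search space
versus a long mixed-character password, and a device-generated second factor
(TOTP, RFC 6238) of the kind the article describes. All inputs are constructed."""
import hashlib
import hmac
import string
import struct


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct credentials of the given length over the alphabet."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly chosen credential,
    e.g. the attempts a lockout policy permits before an account is frozen."""
    return min(1.0, attempts / keyspace(alphabet_size, length))


# Alphabets: digits only (the 4-digit PIN) versus letters, digits and symbols.
PIN_ALPHABET = len(string.digits)                                            # 10
PASSWORD_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)  # 94 (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the big-endian
    64-bit counter, dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    steps either side to tolerate clock skew. The comparison is constant-time so
    the check itself leaks nothing about the expected code."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    print("4-digit PIN keyspace:            ", keyspace(PIN_ALPHABET, 4))
    print("15-char mixed password keyspace: ", keyspace(PASSWORD_ALPHABET, 15))
    print("P(PIN hit within 5-try lockout): ", guess_probability(PIN_ALPHABET, 4, 5))
    # Constructed shared secret (the RFC 6238 reference test secret).
    demo_secret = b"12345678901234567890"
    print("Device code at t=59:             ", totp(demo_secret, 59))
    print("Server accepts it at t=59:       ", verify_totp(demo_secret, totp(demo_secret, 59), 59))
```

The keyspace numbers make the point without any guessing rate: ten thousand PINs can be enumerated outright, whereas the mixed-character password space is astronomically larger, and a lockout after a handful of attempts keeps the PIN-guessing probability to a fraction of a percent per account. The second factor only helps if the server binds it to the session and rate-limits it like any other credential; note also that an SMS-delivered code, which the article mentions as an alternative, depends on the security of the phone network rather than on a shared secret held on the device.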

Sanral has yet to advise users whose information may have been compromised in the latest security crack, which it has dubbed a cyber attack because the researcher who discovered the flaw disclosed it publicly.

The agency says any Web site, when scrutinised long enough, will have vulnerabilities. "Sanral would like to appeal to the public to responsibly disclose vulnerabilities identified by calling the Sanral call centre. This would ensure the vulnerability disclosure is done in the interest of increasing security for road users and not increasing exposure to road users."

Executive exits

Meanwhile, in what seemed to some to be an ominous forewarning of failure, ETC's chief operating officer, Ben Theron, suddenly resigned on Friday. Sanral could not comment on whether the executive's withdrawal from the company was linked to any of the recent toll-related problems.

An ETC spokesperson said in a statement that Theron had resigned for personal reasons. Theron joined ETC in 2010 and was instrumental in establishing the operations side of the business.

Eyebrows were also raised at the end of last year, when Salahdin Yacoubi, CEO of ETC, suddenly stepped down just before the system was finally set to go live.

Sanral pays ETC in the region of R25 million per month for the operating costs of e-tolls, including the rental of e-toll kiosks across Gauteng, rates and taxes, and e-toll maintenance.