Sanral in denial

Two months after user data was exposed, the agency has yet to notify users or reset PINs.

Jon Tullett
By Jon Tullett, Editor: News analysis
Johannesburg, 19 Feb 2014

Two months ago, the South African National Roads Agency's (Sanral's) e-toll Web site was breached, and attackers stole customer data.

What followed has been a litany of bad security practice, bordering on the criminal. Sanral has signally failed to notify users their information was exposed, and left vulnerable accounts open to further attacks.

Despite repeated requests for information and improvements, Sanral remains silent, possibly hoping we'll just go away and forget about it.

What we know

On 21 December, at the absolute latest, a hacker discovered that by knowing or guessing an e-toll user's account name, the PIN could be retrieved from the e-toll login page, yielding access to the account with all its personal details. We know this was the latest date the compromise could have started, because that's when the YouTube video was posted detailing the hack. In all likelihood, it was discovered earlier.

Requiring prior knowledge of the account name mitigates the risk a little, but not completely: since e-toll accounts are named by their users, usually with some variant of their name, they are trivially easy to guess. Go through a phonebook and pick out common surnames, and you'll get numerous hits. We tried that, and it worked.

Best case scenario: only a few accounts were actually compromised. We know that some were compromised, we just don't know how many. However, the number is known to be greater than zero, and for those accounts, they are 100% compromised.

The worst case scenario: criminal syndicates knew of the hack from the start, and brute-force guessed their way through the database. That's less likely, but the possibility exists that the entire database was compromised, and risk officers deal in worst-case scenarios.

How Sanral has failed

(1) Sanral's service provider, Electronic Toll Company (ETC), had no idea the hack was taking place. The compromise was disclosed two weeks before it started doing the rounds on social media. Sanral executives have since admitted to me they thought that later date was when the attack first happened. Sorry guys, but no. You'd been owned for two weeks by then.

(2) ETC and Sanral still don't know how many accounts were compromised, much less which accounts they were. At least, they didn't last time they admitted so, on 17 January, but since then they have refused to answer the same question. It's possible the answer is so bad they'd rather suffer the slings and arrows in silence than admit the extent of the breach, but incompetence is usually more likely than malice.

(3) ETC and Sanral failed to notify users of the breach. During incident response, as soon as you know customers are at risk, you notify them. Target did. Kickstarter did. Sanral did not. "Hi, we're sorry, but your details may have been exposed. Please change your PIN as a precaution and we'll be in touch again when we know more." You don't have to know the extent of the breach to warn customers they may be at risk, you just do it.

Any user whose account was exposed in the two weeks or more the site was vulnerable, is still open to attack.

(4) ETC and Sanral have failed to alert compromised customers that their data has been stolen. Of course, this is related to point two, since they don't actually know who was affected. Log analysis would reveal which accounts were accessed incorrectly, and those users are unquestionably at risk. Again, we know some users were affected. Those users have their home addresses, phone numbers, vehicle details, driving details, and potentially bank details now in the hands of third parties who may or may not have malicious intent (benign security researchers are the best they can hope for). Those users are at risk of identity theft, physical crime, fraud and more, and Sanral is knowingly extending their risk with every day action is not taken.

(5) ETC and Sanral have failed to instruct their users to change their credentials. Those captured PINs still work. Any user whose account was exposed in the two weeks or more the site was vulnerable, is still open to attack. A brute-force attack on usernames could have yielded a mass of PINs for later exploitation - by failing to enforce a password change, Sanral has ensured the maximum risk for every account which was targeted.

Best practice, worst practice

When suffering a breach of this sort, there are a few steps which absolutely must be followed. Obviously the immediate flaw must be identified and fixed, and analysis conducted to establish the extent of the damage.

A review of related systems and processes is required to find other flaws before attackers do, especially when you have suffered a series of successful attacks like Sanral/ETC has - the implication that fundamental design flaws exist cannot be ignored. If necessary, disciplinary action is taken against technical staff and executives who failed to discharge their duty of care. And customers must be notified of any personal information that has been stolen.

In the modern era of identity theft and tightly-coupled information systems, there is almost no such thing as a piece of personal data with no downstream value. Users will use the same PINs as their house alarms or bank cards. They will reuse passwords across services. If nothing else, that personal data will facilitate highly-effective spearphishing attacks, and every security professional I've asked says the same thing: e-toll phishing attacks are not likely: they are inevitable.

Companies globally used to cover up breaches just this same way, and so we saw mandatory disclosure laws, starting with SB1386, in California, in 2003. The Protection of Personal Information Act (POPI) in SA will mandate disclosure after a breach, but it is, alas, not yet in effect. That's lucky for Sanral, or it might not be the Public Protector getting involved, but the National Prosecutor.

Sanral may have closed the flaw in its Web site, but it has signally failed in all other respects. No heads have rolled. No customers have been notified. No PINs have been reset. The agency knows the ramifications. It is, in other words, knowingly perpetuating the exposure of some users to the risk of crime. That's no longer bad practice. That's complicity.