More e-toll security malpractice

Sanral has again made elementary security missteps.

Sanral has reset access codes for e-toll users, changing the PIN codes people use to access their e-toll accounts.

This follows the security breach several months ago in which researchers found the e-toll site could be used to gain unauthorised access to any user's details. E-toll operating company ETC has confirmed the update was not related to a new security breach.

Security experts have been clamouring for the agency to tighten security, including resetting passwords, for months, but now that it has finally responded, it has again made elementary security missteps, and those mistakes hint at deeper architectural security issues within the agency's infrastructure.

In short: it sent new PIN codes in plaintext e-mails, revealing it stores passwords in recoverable form.

The good: better late than never

Sanral has been roundly criticised for its slow reaction in the wake of security incidents. It has been three months since the site was breached and user details leaked, and for much of that time the organisation has acknowledged it had not yet established the full extent of the breach.

Recently, it took the astonishing move of denying any breach had occurred. But now the agency has finally stirred into action, resetting user PINs to avoid further leakage of information for compromised accounts.

Standard best practice after a breach of this sort is to notify users as fast as possible, alerting them to potential identity theft or fraud, and encouraging them to change their passwords at the affected site and any others where the same credentials are used.

Later, if specific accounts are positively identified as having been compromised, those account-holders can be contacted separately to minimise damage.

Despite numerous protestations that it follows international security best practices, Sanral's delay in this matter has greatly increased any potential risk to its users, but the password reset had to happen, and it is better late than never.

The bad: plaintext PINs

Sanral's password reset was not only late, it was also plagued by another basic security error: users were sent newly-issued PINs by e-mail, in plaintext. Best practice is never to send passwords in clear text, but instead to offer a reset function, usually via a Web page or phone channel, which can then positively identify the user and allow them to choose their own new PIN.

In this, Sanral and ETC have failed at one of the most fundamental of security practices. Sending sensitive data by e-mail greatly increases the potential for interception or later recovery.


The agency also failed to explain to users why the reset was taking place. ITWeb has seen several concerned queries from e-toll users, worried this reset is an indication of another security lapse.

With mandatory disclosure now the norm in many parts of the world, and coming to SA as soon as the Protection of Personal Information Act is enacted, Sanral could look to the recent incidents at Target or Kickstarter for examples of disclosure and incident response.

The ugly: storing recoverable passwords at all

Sending passwords in plain text is a bad idea, but it hinges on a deeper issue: why was Sanral's customer support system able to generate e-mails with plain text passwords at all? That means the system is storing passwords in plain text, or in some recoverable form, which is itself a basic (if common) security error.

Best practice is to store only a hashed, salted form of the password, ensuring no password can ever be leaked, either through an external hack or a rogue insider.
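The two practices the article contrasts, a reset flow that never e-mails a PIN and storage that keeps only a salted hash, shown together as an added example (not Sanral's or ETC's code); the in-memory user table, the PBKDF2 parameters and the token store are assumptions, and token expiry is omitted for brevity.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table"; a real deployment would use a database.
# Each record holds only a random salt and the PBKDF2-HMAC-SHA256 hash of the PIN,
# never the PIN itself, so neither a leaky web page nor a rogue admin can read it.
USERS = {}
PENDING_RESETS = {}        # single-use reset token -> account id
ITERATIONS = 600_000       # assumed work factor; tune to the server's CPU budget


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def set_pin(account: str, pin: str) -> None:
    """Store a fresh salt and hash; overwrites any previous credential."""
    salt = os.urandom(16)
    USERS[account] = {"salt": salt, "hash": _hash_pin(pin, salt)}


def verify_pin(account: str, pin: str) -> bool:
    """Recompute the hash and compare in constant time; unknown accounts fail closed."""
    rec = USERS.get(account)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_pin(pin, rec["salt"]))


def start_reset(account: str) -> str:
    """Issue an unguessable single-use token. Only the token goes out (e.g. as a
    link); the user picks the new PIN on the site, so no PIN ever travels by e-mail."""
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[token] = account
    return token


def complete_reset(token: str, new_pin: str) -> bool:
    """Consume the token; a replayed, forged or already-used token is rejected."""
    account = PENDING_RESETS.pop(token, None)
    if account is None:
        return False
    set_pin(account, new_pin)
    return True
```

Because the record holds only salt and hash, there is no code path that could produce the kind of plaintext-PIN e-mail the article describes.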

An anonymous security expert, familiar with Sanral's security flaws, noted that "any company that can tell you what your PIN is, is getting it wrong. Best practice is that you never store a PIN, you store a hash of the PIN. This would mean that if an internal administrator were to go rogue, he could not derive the PINs and re-use them".

Fundamental security errors tend to propagate throughout vulnerable systems, resulting in incidents like Sanral's earlier flaw, which leaked a user's PIN through the vulnerable Web page.

If the PIN had been stored only as a salted hash in the first place, that earlier attack could never have happened: the vulnerable page would have had nothing recoverable to leak.

Sanral has experienced several security incidents in the few months since its e-toll Web site began operation, and is effectively playing whack-a-mole with the Web site flaws as they are discovered.

More are likely to emerge unless those deep-seated flaws are addressed, said our security researcher.

"They need a fundamental review of the solution architecture, and some penetration and vulnerability assessments, as well as probably an ISO27000 assessment to ensure they have a working ISMS [information security management system] which should bring some stuff out of the woodwork."

Sanral did not return requests for comment.
