Sanral exposes user details
Lacklustre security provides criminals with a goldmine of information, and breaches privacy law.
A new security flaw in the South African National Roads Agency's (Sanral's) e-toll Web site exposes registered users' personal details, leaving them vulnerable to criminal activity.
Exploiting the flaw, attackers could - until this morning - gain access to unsuspecting victims' accounts, including their personal data such as car registration, phone numbers, physical address and other information.
The exposed data is ripe for exploitation - it could be used to initiate fraud, phishing, identity theft, or even housebreaking, particularly when coupled with records of a user's driving habits.
The flaw was exposed at the end of 2013 by a researcher identifying himself as "Moses Thembeka" and "moe1". The researcher published an advisory and a video showing how to capture the PIN of a registered e-toll user.
The flaw does not require any special tools or software to exploit, nor does the attacker need a registered e-toll account. Sanral hastily patched the flaw after widespread social media exposure and media questions about the vulnerability, but many user accounts may have already been compromised.
While the agency has yet to provide detailed commentary on the privacy breach, it yesterday claimed to have signed up almost a million e-tag users, all of whose details will be registered on the site. ITWeb demonstrated the latest security issue in a previous attack, showing that a motorist, tagged or not, could be tracked in real time by exploiting a flaw in the e-toll Web site.
Since the latest hack requires an attacker to know or guess a victim's username, the number of accounts likely to be compromised could be relatively low, but the risk to hacked accounts is very high.
E-toll customers using common names or words as usernames would be most at risk. ITWeb tested this theory and successfully accessed a number of accounts in a matter of minutes (and notified the users in question).
And, since registrations on the e-toll Web site are restricted to a limited, non-case-sensitive character set for usernames, it would be plausible for a potential attacker to brute force a large amount of the namespace with little effort - the Sanral database is a goldmine for criminal syndicates, especially if there are nearly a million e-tags in circulation, as Sanral claims.
The phenomenon of password reuse is also a probable issue, with users likely to reuse familiar PINs for bank cards, cellphones, home alarms and so on.
Although the flaw has been patched, this will be scant consolation to anyone whose personal details have been stolen. Sanral could easily identify potential victims by analysing its site logs to find accounts subjected to the PIN identification process, and accounts that have been accessed from multiple IP addresses, in order to notify them of a possible breach.
However, until the mandatory disclosure requirements of the Protection of Personal Information (POPI) Act come into effect, the agency is not obligated to do so.
Novation Consulting director Elizabeth de Stadler says an argument can be made that Sanral should let affected people know their details have been compromised, although this will only become mandatory under POPI.
De Stadler explains the law is not in effect yet, because president Jacob Zuma has yet to set an effective date, and there is no indication of when that will happen. She adds companies will then have between one and three years to comply.
Under POPI, companies that suffer breaches will be told by the Information Regulator - an office yet to be set up - how to inform people of the risk, says De Stadler. She says this could be in person, or in the form of a newspaper advertisement, or a notice on a Web site, which carries with it reputational risk.
De Stadler adds Sanral most certainly has an ethical duty to inform those whose accounts have been accessed. She notes the flaw is a breach of the common law right to privacy.
Jacobson says there is a big disconnect between the policy and what happened in practice. He adds people whose data has been compromised may wish to sue, but would battle to prove it was Sanral's negligence that led to that information being used to inflict damages.
The latest flaw is the strongest argument against registering to use Gauteng's electronic freeways, says Jacobson. He says registration exposes a lot of concentrated information, and usernames can easily be worked out, based on other information, such as e-mail addresses.
Although the fact of another security issue does not surprise Jacobson - due to the lack of proper implementation already evidenced - he is taken aback by the simplicity of the hole. "They've actually created a back door for themselves."
Additional reporting by Bonnie Tubbs.