Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnSwati KhandelwalTHN:8DCE10F3696C5403AA123C1609CBF6B2
HistoryApr 05, 2014 - 5:34 a.m.

Vulnerable Texas Transportation Site 'TxTag' leaves 1.2 Million Credit Cards at Risk

2014-04-0505:34:00
Swati Khandelwal
thehackernews.com
12
JSON

Vulnerable Texas Transportation Site 'TxTag' leaves 1.2 Million Credit Cards at Risk

Do you know, Why another major company is getting hacked every week? Because of poor policies, Laziness to Incident Response and lack in will-power to put efforts on applying important patches.

Some companies are not taking their security more seriously, and best suitable example for this is **TxTag,**an electronic toll collection systems in Texas operated by_ Texas Department of Transportation (TxDOT)_.

1.2 MILLION CREDIT CARD ARE AT RISK
Security researcher, David Longenecker claimed a serious flaw at _TxTag _website that exposes the active Credit Card Details and Personal Information of 1.2 Million Drivers including active TxTags (vehicle stickers with microchips, which are scanned by electronic readers on toll roads), Names, phone numbers, full residence addresses, email addresses, along with their complete Credit card numbers and Expiration date.

According to David, the account names could be easily predictable by anyone, which is typically an 8-digit number that begins with the number 2 and protected by only a 4-digit PIN Number, that could be itself another easy x-factor to abuse.

But their stupidity didn’t end here, to make the case worst for their users; _TxTag.org _inexplicably stores the entire credit card details including Credit Card Numbers and expiration date, which meant to be partial visible to users, but available in the plaintext as the value of input field on the page source code.

_“I have no indication credit cards have actually been stolen. I merely found and reported a flaw that could very easily be exploited to obtain this information.” _he said.
** ** NO LESSONS LEARNED FROM PREVIOUS CYBER ATTACK

Texas Department of Transportation had not learned any lesson from their past experiences with hackers. Exactly two years back, they themselves confirmed a “cyber attack” in which the hackers overloaded the TxTag back office accounts servers, but according to TxTag, no accounts were compromised at the time.

In the reply back in 2012, Karen Amacker, TxDOT spokesman said, “Customer service and information security are of paramount importance to TxDOT. Cyberattackers recently tried to get into TxTag.org, but were not successful. All of our customers’ information, including credit card information, remains secure.”

But this security and so called paramount importance is seems to be a dilemma for them as they did nothing to improve the data security of their users after facing an attack.

FLAW REPORTED, BUT YET NO RESPONSE

The Flaw has been reported by the researcher, but neither TxTag nor TxDOT have so far responded to any of his request for comment.

The problem lies in the AutoPay Method screen. If you do not have a credit card or bank account stored for automatic payments, then financial data cannot be stolen through this manner.” david said.

We should understand that no one is safe when bad hackers are out to do some damage. You are always advised to don’t be lazy with your passwords, set tough-to-guess and long passwords and don’t store information online that you don’t absolutely need to. Stay Tuned, Stay Safe.

JSON