EZ-Pass discovers risk of sending URLs instead of actual text

danny burstein dannyb at panix.com
Tue Oct 24 08:19:44 PDT 2000


In a story datelined 24-Oct-2000, and headlined:

   New Jersey shuts down E-ZPass statement site after security breached 

The Associated Press reported on a problem with privacy and security on
the New Jersey EZPASS website where people can review their usage.
(EZPass is a radio transponder placed in your motor vehicle which is
"read" at toll booths, enabling you to zip through without having to stop
and hand over cash. Naturally it keeps records of when and where you
were for billing purposes... Which is another RISK altogether)

Per the story:
   
   TRENTON, N.J. (AP) -- A security breach has forced New Jersey
   officials to temporarily shut down a service that allows E-ZPass users
   to get monthly statements via e-mail.

The story contains claims and counter-claims, some of which are mutually
exclusive, but then has the following paragraph:
   
   Reagoso said Monday that it wasn't hard to break into the system. He
   discovered that the electronic statements aren't sent directly to
   drivers via e-mail, but rather drivers are provided with a link to
   access their accounts.

Presumably the link for, say, October would have been something like 

	www.[the number of your account].200010.[somelocation]

and all you'd have to do is replace your own account number with the
person's you were looking for.

Quoting one more paragraph from the story:

   "It's something that an eighth-grader who designs his own Web page at
   home is capable of doing," Reagoso said. "It took four accidental
   keystrokes to display anybody's account."
   
I just checked the EZPass website (www.ezpass.com) and they don't have
any comments posted...

  [It turns out Mr. Reagoso has his own website:
        http://www.reagoso.com
  in which he says a bit more.  DB]
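An added example, not code from the post, the AP story or E-ZPass, showing why a statement link built from the account number is enumerable and what a link that cannot be guessed from a neighbour's looks like. The hostname statements.example, the account numbers, the statement text and the one-week token lifetime are all constructed for illustration.

```python
"""Predictable statement URLs versus unguessable, expiring links.

Constructed toy statement service with two account holders. The URL layout
mirrors the one the post presumes (account number visible in the link).
"""
import hashlib
import re
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

BASE = "https://statements.example"  # assumed hostname

# Constructed sample data: account number -> {YYYYMM: statement text}.
STATEMENTS = {
    1001: {"200010": "Alice: 12 trips, $18.00"},
    1002: {"200010": "Bob: 40 trips, $62.50"},
}

# --- Vulnerable scheme: the link *is* the account number -------------------

_PRED = re.compile(r"^/(\d+)\.(\d{6})\.html$")


def predictable_link(account: int, period: str) -> str:
    """Link layout the post presumes: www.[account].200010.[somelocation]."""
    return f"{BASE}/{account}.{period}.html"


def fetch_predictable(url: str) -> Optional[str]:
    """Serve whichever account the path names; no check that the requester owns it."""
    m = _PRED.match(urlparse(url).path)
    if not m:
        return None
    account, period = int(m.group(1)), m.group(2)
    return STATEMENTS.get(account, {}).get(period)


def enumerate_neighbours(own_link: str, span: int = 1) -> List[Tuple[int, str]]:
    """What 'four keystrokes' buys an attacker: edit the number, read someone else's."""
    m = _PRED.match(urlparse(own_link).path)
    account, period = int(m.group(1)), m.group(2)
    hits = []
    for d in range(-span, span + 1):
        if d == 0:
            continue
        text = fetch_predictable(predictable_link(account + d, period))
        if text is not None:
            hits.append((account + d, text))
    return hits


# --- Hardened scheme: random, single-purpose, expiring token ---------------

TOKEN_BYTES = 16            # 128 random bits: not derivable from any other link
TOKEN_TTL = 7 * 24 * 3600   # one week; assumed policy, not E-ZPass's

# Server keeps only a hash of each token, so a leaked table gives no live links.
_issued: Dict[str, Tuple[int, str, float]] = {}  # sha256(token) -> (account, period, expiry)


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(account: int, period: str, now: Optional[float] = None) -> str:
    """Mint a link whose only secret is a fresh random token bound to one statement."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _issued[_key(token)] = (account, period, now + TOKEN_TTL)
    return f"{BASE}/statement?t={token}"


def fetch_by_token(url: str, now: Optional[float] = None) -> Optional[str]:
    """Look the token up; unknown or expired tokens yield nothing, not a guessable error."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    if not token:
        return None
    entry = _issued.get(_key(token))
    if entry is None:
        return None
    account, period, expiry = entry
    if now > expiry:
        _issued.pop(_key(token), None)  # one-shot cleanup of stale links
        return None
    return STATEMENTS.get(account, {}).get(period)


if __name__ == "__main__":
    mine = predictable_link(1001, "200010")
    print("my link:", mine, "->", fetch_predictable(mine))
    print("neighbours:", enumerate_neighbours(mine))
    safe = issue_link(1001, "200010")
    print("safe link:", safe, "->", fetch_by_token(safe))
```

The random token removes the enumeration path, but a link in e-mail is still a bearer capability: anyone who reads the mailbox can follow it until it expires, which is why the expiry is short and why a real deployment would additionally require the user to log in before the statement is rendered.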





More information about the cypherpunks-legacy mailing list