Eyes Above The Waves

Robert O'Callahan. Christian. Repatriate Kiwi. Hacker.

Tuesday 6 January 2009

Right And Wrong

Last week I noticed that the new Tollroad Web site was not using SSL, so user account details such as PINs and credit card numbers are transmitted in the clear, vulnerable to being intercepted by third parties. I sent an email to the contact address and got a stock reply; then I followed up again and got a less-stock reply that they'd "look into it". In today's Herald there's a story about the same issue.

Let's be clear: Brett Dooley is completely wrong. The site is insecure. They do not need to "reassure" the public, they need to fix the site. If it's true that "all the banks set up for website transactions had "verified and certified all our banking arrangements"". then either the "banking arrangements" excluded the site's form submission system, or the banks are fools.

It's very annoying that the Herald article presents it as a "he said, she said" difference of opinion from which no conclusions can be drawn --- presumably in some desire for "balance". The reporter could have and should have called out Dooley on his false statements.

What's especially bad is that incidents like this undermine the security of the entire Internet. Whenever people are told that it's OK to transmit sensitive information like credit card numbers through an insecure channel without the "browser lock", they're being trained to respond positively to phishers and other attacks on SSL site verification.

This is an unfortunate blunder, because everything else about the Puhoi toll road project seems extremely well done. Instead of requiring some kind of transponder device in cars, they just take photos of your license plate and charge your account automatically. If you don't have an account you can use your cellphone to pay the charge up to three days after passing through, or you can visit a kiosk (away from the toll area itself) and pay cash. Overall it's a nice fully automated, low overhead solution.

Update Looks like the Tollroad people have seen reason.


Daniel Einspanjer
Looks like they heard from enough "he saids" to be forced to do something. It looks like all the links to create an account are "down for maintenance" now.
Once again, I wonder about how bad the articles are in areas I don't know much about. Occam's razor says they're about as bad as in the areas I _do_ know about. And that's very depressing. :(
I saw the article in the paper this morning, and yeah, it sounds like a bit of a mess up. Though as Daniel said, it looks like they've disabled the account-related screens in order to fix it.