Overview It is not uncommon that critical systems are often targeted by cyber criminals. And we have documented it from time to time. But this time the attack was on toll collection systems.  Indeed, gone are those days when you take out your wallet to pay highway tolls while driving through the city suburbs. Today the latest technologies are adopted at the highway tolls for making the payment process fast and easy. With the help of the Radio Frequency Identification (RFID) technology, toll payments are made directly while the vehicle is in motion. A device is affixed on the windscreen of the vehicle that helps to make the toll payments directly from the bank account that is linked to it.  But what about the security of the bank account that is connected to the RFID technology? What amount of security risks lie with the personal information associated with it?  Recently, an electronic toll collection system in Puerto Rico faced a cyber attack. Run by a private operator, the incident could not confirm whether there was any information misuse. However, such incidents can bear the risk of data theft and even subsequent financial losses. Previously, in 2021, another similar incident in the same country resulted in face-loss of the government agency with a financial loss of around $4million. How do the risks amplify? Toll system hacks can happen during any stage of the registration process. Typically, the process starts online by submitting private user details such as name, age, address, vehicle details, social security number (PAN Card) and bank account number. Once the user details are verified and authenticated by the authorized body, the bank account is integrated for toll pass deduction.  Now, this entire process happens at the toll stops which occasionally lures the drivers/ car owners to use the free public Wi-Fi to complete the task. It offers a golden opportunity for the hackers and organized cyber criminal groups to misuse a compromised network and/or poor access controls around systems.  Some Thoughts to Avert such Threats
  • Prevention of Physical Threats: The Information Technology devices used for electronic tolls are vulnerable to misuse or abuse from insiders and organized cyber criminals. With no supervisor around, it could be a cakewalk for the criminals to physically access the toll management system, and do modifications in the systems and configurations, and exploit system vulnerabilities to launch cyber attacks. While CCTV cameras can ensure security to some extent, a robust password management across devices and services can provide an added security layer to prevent unauthorized access.
  • Prevention of Insider and Third Party Threats: Malicious third-party actors or organized cyber criminal groups can wreak havoc. There is a huge risk that the malicious actors could misuse the poorly protected toll systems to access the service providers’ entire network infrastructure. As preventive measures, there should be a systematic segregation of the identities that access the toll systems and access the databases. A robust Identity and Access management system with password vault can prevent anomalous activities.
  • PCI DSS Compliance: Quite frequently tolls accept credit/ debit cards for payment. As a result, they need to meet Payment Card Industry Data Security Standard (PCI DSS) compliance mandates. The toll systems that depend on third party service providers to store and manage the critical information accumulated daily are susceptible to data breaches. Compliance with PCI DSS mandates help to keep the payment card environment safe and secure. 
The Bottom-line As highway tolls are consistently operational, it is gradually getting vulnerable to cyber threats. A few stray incidents are a red signal to the government agencies to take adequate and necessary precautions beforehand, else thousands of users could face digital identity thefts and financial losses.