Security flaws close new road's toll system

A computer programmer discovered the system's flaws. Photo / BOP Times

Internet security flaws have forced a closedown of website toll payment facilities for the Northern Gateway motorway between Orewa and Puhoi, less than three weeks before its opening date.

After shutting the payment section of the $365 million toll road's website yesterday, the NZ Transport Agency admitted it had done so because of flaws pointed out to the Herald by computer experts.

It said the toll payment system was set up "without all the necessary security features".

The agency has until January 25 to plug the security hole, but more than 900 motorists have sent credit card or bank details over what it now admits was an insecure internet link to set up toll payment accounts.

That follows a marketing blitz by the agency to get motorists booked in early to the $27.8 million "free-flow" electronic collection system, which is run through the national motor vehicle registry centre in Palmerston North.

The system works through cameras mounted on gantries near the Orewa end of the 7.5km toll road, which will photograph number plates and match the images through the registry.

Those who do not have accounts will be required to pay their tolls - $2 for cars or $4 for trucks - within three days of using the road, either through a freephone number (0800-40-20-20) or at kiosks at either end of the road.

When told by the Herald on Monday of computer industry professionals' concerns, vehicle registry centre manager Brett Dooley said he was confident the website was secure.

All the banks set up for website transactions had "verified and certified all our banking arrangements", he said.

Even so, Mr Dooley acknowledged then that changes would be made to the website to assure motorists their credit card details would be safe from computer hackers.

That was because the on-line form on which motorists were asked to post their details lacked two indications that they would be protected by encryption - an "https" in the website address and a padlock icon at the bottom right of the page.

But last night, the agency said it regretted the fact "that comments given to the Herald yesterday incorrectly stated that the site was secure before these changes have been made."

"NZTA is making changes to the toll road website to improve the security of the on-line payment facilities," it said.