Eric Rescorla <[EMAIL PROTECTED]> writes:
>> All the toll lanes that accept EZ Pass that I've seen are equipped
>> with cameras. These cameras are used to identify toll evaders
>> already. You point out that doing this would require manual work, but
>> in fact several systems (including the one used for handling traffic
>> fees in central London) have already demonstrated that automated
>> license plate reading systems are feasible. Even without automated
>> plate reading, storing photographs is also now astoundingly cheap
>> given how cheap storage has gotten, so if anyone ever complained about
>> incorrect charges on their bill, finding the plates of the cars that
>> went through during the disputed toll collections would be trivial.
>
> Precisely. Moreover, you can presumably use fairly unsophisticated
> data mining/fraud detection techniques to detect when a unit has
> been cloned and then go back to the photographs to find and punish
> the offenders.

By the way, this is yet another instance in which it is important to consider threat models and economics when thinking about security systems.

The people willing to fake both their license plates and their EZ Pass device are few, so the losses from them will be small. (If you fake your license plates, in many instances you don't even need to fake the EZ Pass device as nothing prevents you from simply driving through.)

On the other hand, the cost of a system capable of doing a challenge-response turnaround -- and we're talking both that of building new tags plus the cost of designing and deploying units capable of conducting two full round trip communications with cars going through at 25 miles an hour -- is pretty high.

You also will always need the camera systems because you need to catch people simply driving through, and because you will always get toll disputes that need resolution. That means you can't even save the cost of the plate cameras even with a challenge/response system.

Economically speaking, then, it doesn't seem like the threat (a small amount of toll evasion by people willing to fake their license plates and to clone EZ Pass equipment) doesn't cost as much as the putative cure, and can't even cure the problem (since fare evaders with fake plates will simply drive through toll lanes without physical barriers, such as all the high speed toll lanes). If I were advising the automated toll system people, I'd say it was not worth it.

On the other hand, more complicated tags *might* be worth it for another purpose -- preserving the privacy of drivers by using more complicated protocols. However, as the benefit of such systems is to people who are unlikely to have much voice in the construction of the system, and who are also unlikely to be willing to pay more money to gain privacy, I think the implementation of such tags is unlikely.

--
Perry E. Metzger [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]