How secure is E-Z Pass?

I saw a news article about E-Z Pass fraud that people did by stealing E-Z Passes out of cars and replacing them with fakes, but does anyone know how secure the devices’ protocols are?

Let's assume you do clone the RFID tag. It certainly isn't tied to the payment information, as you change that through the web interface. It's tied to a toll-authority account and vehicle.

At least here E-Z pass is an RFID system and with OCR on the license plates, and high def camera shots on the face of the driver. You can run through it once every six months or year or whatever and they'll send you a nasty-gram. With a cloned tag, you could flip the plate by the time they'd catch you -- you'd be on your merry way. But, it's probably not worth it. From The Chronicle

Now, HCTRA has its own high-tech specialists. One uses software to analyze traffic and pinpoint the day of the week, time, lane and direction a frequent toll violator is likely to pass through. Another specialist spends part of her shift doing the equivalent of fingerprint analysis on the photos to track down car owners who have tried to mask their license plate numbers.

If you even take the tag to a second car, they know if the car's color make and model fails to match. I assume it gets Q/Aed if there is a color fail.

A better scam, if you want to skip the tolls, is to get an out of state dealer plate. Note these are not the temp dealer plates. They run up millions of dollars of unpaid of tolls every year. For reference you can see this mentioned here in 2012

  • state vehicle inspection, emissions inspection, and toll fees avoidance;
  • parking ticket fine avoidance (local level);

However, recently (2014) they've been cracking down on out-of-state plates, and I assume dealer plates are soon to follow


I have no direct knowledge of EZPass' system details, other than being a customer. However, one can make a few observations and assumptions:

The device in your (my) car is an RFID device that when queried at a toll booth, responds with a "ID" code that is linked to both my EZpass account and my car. EZPass deducts the toll charge from my EZ Pass account. When the balance drops below a certain value, EZPass can charge my credit card or make a withdrawal from my bank account to replenish my EZPAss account.

The fraud is by stealing the RFID transponder, the criminals can evade tolls. They drive on the roads and you get the bill. That's the extent of the crime. Most people wouldn't notice that their transponder has been replaced, which gives the criminals time to rack up some charges.

Unless the criminals hack into EZPass' systems and steal their client database (certainly within the realm of possibility), there's no way to identify your bank account info. Knowing my transponder ID isn't very useful, other than to impersonate my car and drive on toll roads for "free."