PORTSMOUTH -- A 13News Now Investigation has uncovered new security concerns with Elizabeth River Tunnels' website that drivers use to register their license plates to pay for the new tolls at the Midtown and Downtown tunnels.
We began looking into the problem after a concerned viewer showed us the website for 'Pay-By-Plate' did not have a secure internet address.
A website with a secure internet address would have a security certificate and its URL would start with 'https' instead of 'http' like ERT's website.
Internet security expert Jerri Prophet, who is president of IntellecTechs, explained that having that 's' means the information you enter into that website is protected through encryption as it's sent from your computer to a company's server.
Without the security certificate, though, Prophet said anyone could easily steal whatever information you enter into the site.
'They don't need really anything nowadays,' Prohpet said. 'You could have a cell phone sniffing it out.'
Prophet said that's all it would take to steal a drivers' address, phone number and license plate information entered on the Pay-By-Plate website.
Elizabeth River Crossings, which operates ERT, said the site has always been secure.
Despite that claim, the company said it added a security certificate to its Pay-By-Plate website in a statement to 13News Now:
'ERC takes the security of its customers' private information very seriously. We utilize enterprise-class industry standard web application firewall solutions to ensure private information is always secure. The Project information, logos and marketing materials that surrounded the secure application came from a separate web server and were previously not encrypted; however, the forms where customer data is being entered has always been securely transmitted. While confidential information was never accessible or compromised, we have encrypted ALL content on the Pay By Plate page so everything is fully encrypted as an added security measure.
In addition, in November 2013, ERC employed a private security firm to perform a complete vulnerability check of our systems. That check, as well as several internal tests that have since been performed, all confirmed the security of our site.'