
2010-11-16

Giving away all your customer details because of a checksum

The Philadelphia Parking Authority is one of the worst ("best?") at taxing everyday people in Philadelphia. With revenue of $192 million in 2007, plus a further $11 million a year from its expanding red-light camera program, it collects on average $212 per local driver per year (1, 2). How do you process that many tickets? Through a convenient online ticket payment website at http://philapark.org.

By entering nothing more than a ticket number into this website, you can retrieve the offender's license plate number, the date and location of the infraction, and a description of the offense. The problem is that ticket numbers follow a predictable sequence. Since tickets are uploaded to the website immediately, you can enumerate every ticket and build a list of all license plates with parking violations, where each car was parked, and what it was cited for. In practice, since so many cars get tickets, you could even use this system to track vehicles over time.



Here is a list of valid ticket numbers:
550491336 550491344 550491351 550491369 550491377 550491385 550491393 550491401 550491419 550491427 550491435 550491443 550491450 550491468 550491476 550491484 550491492 550491500 550491518 550491526 550491534 550491542 550491559 550491567

The last digit is a check digit, and the scheme is the Luhn (mod 10) algorithm: apply the digit weights 1,2,1,2,1,2,1,2,1 from left to right, reduce any doubled digit above 9 by 9, and choose the last digit so that the total is a multiple of 10. The first eight digits simply increase by one from ticket to ticket, so every ticket in the list above can be regenerated from the first one, and the check digit adds no secrecy at all.

A recent ticket is 554682872, so you can start enumerating from there.
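The arithmetic above, worked through in code. This is an added example, not code from the original post or from the PPA's site; it assumes only what the post shows (nine-digit ticket numbers, a Luhn check digit, an eight-digit prefix that increments by one) and uses the ticket numbers quoted above as its self-test data. It does not talk to the website; it only produces the candidate numbers an enumerator would try.

```python
"""Luhn check-digit arithmetic for the ticket numbers quoted in the post.

Added example, not the original post's code. Assumptions: nine-digit
ticket numbers, last digit is a Luhn (mod 10) check digit, and the first
eight digits increase by one per ticket.
"""

from typing import List

# Ticket numbers copied from the post; used here as a constructed self-test.
KNOWN_TICKETS = [
    "550491336", "550491344", "550491351", "550491369", "550491377",
    "550491385", "550491393", "550491401", "550491419", "550491427",
    "550491435", "550491443", "550491450", "550491468", "550491476",
    "550491484", "550491492", "550491500", "550491518", "550491526",
    "550491534", "550491542", "550491559", "550491567",
]


def luhn_sum(digits: str) -> int:
    """Weighted digit sum with weights 1,2,1,2,... applied left to right.

    A doubled digit that exceeds 9 is reduced by 9 (equivalent to adding
    its two digits), which is what makes this Luhn rather than a plain
    alternating-weight sum.
    """
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == 1:  # 2nd, 4th, 6th, 8th digit carry weight 2
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def check_digit(prefix: str) -> str:
    """Digit that makes luhn_sum(prefix + digit) a multiple of 10."""
    if len(prefix) != 8 or not prefix.isdigit():
        raise ValueError("expected an eight-digit ticket prefix")
    return str((10 - luhn_sum(prefix) % 10) % 10)


def is_valid_ticket(ticket: str) -> bool:
    """True if a nine-digit ticket number carries a correct check digit."""
    return len(ticket) == 9 and ticket.isdigit() and luhn_sum(ticket) % 10 == 0


def enumerate_tickets(start: str, count: int, step: int = 1) -> List[str]:
    """The next `count` well-formed ticket numbers after `start`.

    Only the eight-digit prefix is sequential; the check digit is
    recomputed for each new prefix. step=-1 walks backwards in time.
    """
    if not is_valid_ticket(start):
        raise ValueError("start must itself be a valid ticket number")
    prefix = int(start[:8])
    out = []
    for k in range(1, count + 1):
        p = f"{prefix + k * step:08d}"
        out.append(p + check_digit(p))
    return out


if __name__ == "__main__":
    ok = sum(is_valid_ticket(t) for t in KNOWN_TICKETS)
    print(f"{ok}/{len(KNOWN_TICKETS)} listed tickets pass the Luhn check")
    print("next five after 554682872:", enumerate_tickets("554682872", 5))
```

Running it regenerates the whole list in the post from its first entry; the only "knowledge" an attacker needs is one valid ticket number, and a mistyped digit is rejected by the check rather than silently looking up a stranger's ticket.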

The solution

Of course, the way to fix this is either to stop giving away so much information on a public web interface, or to require the user to also enter the license plate, which the ticket number alone does not reveal, before any details are shown. For the second option to work, a wrong plate must produce exactly the same response as a nonexistent ticket; otherwise the site still acts as an oracle for which ticket numbers exist. Since plates can be guessed too, failed lookups should also be throttled.
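The two lookup behaviours side by side. This is an added example, not the PPA's code: the record store, the field names and the response shapes are assumptions made up for illustration. The point it shows is that the plate acts as a second secret, and that the failure response does not reveal whether the ticket number or the plate was wrong.

```python
"""Ticket lookup, as the post describes it and in a hardened form.

Added example; RECORDS, the field names and the NOT_FOUND response are
assumptions, not the real site's data model.
"""

import hmac
import re

# Constructed sample records standing in for the ticket database.
RECORDS = {
    "550491336": {"plate": "ABC1234", "date": "2010-11-10",
                  "location": "1200 Market St", "offense": "Meter expired"},
    "550491344": {"plate": "XYZ9876", "date": "2010-11-10",
                  "location": "400 Walnut St", "offense": "No stopping zone"},
}

# One response for every failure: unknown ticket and wrong plate look alike.
NOT_FOUND = {"error": "No matching ticket"}


def normalize_plate(plate: str) -> str:
    """Canonical plate form so 'abc-1234' and 'ABC 1234' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", plate.upper())


def lookup_vulnerable(ticket: str) -> dict:
    """The behaviour the post describes: ticket number alone unlocks the record."""
    rec = RECORDS.get(ticket)
    return dict(rec) if rec else dict(NOT_FOUND)


def lookup_hardened(ticket: str, plate: str) -> dict:
    """Require the plate as a second factor and fail uniformly."""
    rec = RECORDS.get(ticket)
    # Always perform the comparison, against a dummy value when the ticket
    # is unknown, so an unknown ticket and a wrong plate take the same path.
    expected = normalize_plate(rec["plate"]) if rec else "NOPLATE"
    supplied = normalize_plate(plate)
    if rec is None or not hmac.compare_digest(expected, supplied):
        return dict(NOT_FOUND)
    # The caller already knows the plate, so do not echo it back.
    return {k: v for k, v in rec.items() if k != "plate"}


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("550491336"))
    print("hardened, right plate:", lookup_hardened("550491336", "abc-1234"))
    print("hardened, wrong plate:", lookup_hardened("550491336", "ZZZ0000"))
    print("hardened, no such ticket:", lookup_hardened("999999999", "ABC1234"))
```

The enumeration from the earlier section still produces valid ticket numbers against the hardened version; it just no longer yields anything, because each guess now also needs the right plate and gets the same "No matching ticket" whether the ticket exists or not.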