From Hack a Day:
The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here’s the really bad part: the transponders support unauthenticated over-the-air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they’re assigned to administrators; these would be especially attractive to thieves.
How do we fix this system? Here’s the problem: the system is defined by California law. An update to the way things are done would take legislative action.
Sounds kind of fucked. The post also discusses the issue with being tracked/logged via FasTrak, the one big reason why I never got one when I still had a car.
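To make the "no authentication" point concrete, here is an added sketch (not from the Hack a Day post, and not the real toll protocol) that puts an ID-only check beside a keyed challenge-response read, which is the kind of check the quoted design lacks. The tag ID, key store, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the tag ID and key are made up for this sketch.
KEYS = {"TAG-0001": secrets.token_bytes(32)}


def static_id_reader(claimed_id: str) -> bool:
    """The design in the quote: whoever presents a known ID is accepted."""
    return claimed_id in KEYS


def tag_response(key: bytes, tag_id: str, nonce: bytes) -> bytes:
    """What a hypothetical keyed tag would send back for a reader's nonce."""
    return hmac.new(key, tag_id.encode() + nonce, hashlib.sha256).digest()


class ChallengeReader:
    """Hypothetical reader: fresh nonce per read, MAC checked against the tag's key."""

    def __init__(self, keys: dict):
        self._keys = keys
        self._pending = {}  # tag_id -> outstanding nonce (single use)

    def challenge(self, claimed_id: str) -> bytes:
        self._pending[claimed_id] = secrets.token_bytes(16)
        return self._pending[claimed_id]

    def verify(self, claimed_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(claimed_id, None)  # consumed even on failure
        key = self._keys.get(claimed_id)
        if nonce is None or key is None:
            return False
        expected = tag_response(key, claimed_id, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    reader, tid = ChallengeReader(KEYS), "TAG-0001"
    recorded = tag_response(KEYS[tid], tid, reader.challenge(tid))
    genuine = reader.verify(tid, recorded)
    reader.challenge(tid)                      # next read gets a new nonce
    replayed = reader.verify(tid, recorded)    # eavesdropped answer, reused
    guess = tag_response(b"\x00" * 32, tid, reader.challenge(tid))  # ID known, key not
    cloned = reader.verify(tid, guess)
    return {"static_id": static_id_reader(tid), "genuine": genuine,
            "replayed": replayed, "cloned": cloned}
```

With the ID-only check, knowing the ID is enough; with the keyed check, neither a copied ID nor a recorded answer verifies.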