Hackers Breach Payment Systems of Major Parking Garage Operator
wiredmikey writes Parking garage operator SP+ said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information. The company, which operates roughly 4,200 parking facilities in hundreds of cities across North America, said the attack affected 17 SP+ parking facilities. According to the company, an unauthorized person had used a remote access tool to connect to the payment processing systems to install malware which searched for payment card data that was being routed through the computers that accept payments made at the parking facilities. Parking facilities in Chicago, Cleveland, Philadelphia, Seattle, and Evanston were affected by the breach, though a majority of the locations affected were located in Chicago.
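The malware the summary describes is a RAM scraper: it watches the memory of the payment application for the cleartext magstripe data the terminal hands over before it is encrypted for the processor. The same search, run by a responder over a memory dump or process image, is a fast way to confirm whether card data was exposed on a box. The following is an added example, not code from the story, from SP+ or from the malware; the byte buffer is constructed here to stand in for a memory dump and uses publicly known test-card numbers. It matches the ISO/IEC 7813 Track 2 layout, drops candidates that fail the Luhn check or carry an impossible expiry month, and masks every PAN it reports so the scanner itself does not become a second copy of the cardholder data.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# This is what a magstripe reader hands to the payment application in clear text,
# and it is exactly what a memory scraper pattern-matches on.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})\d{3,}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a byte buffer for plausible Track 2 records; never return the full PAN."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue            # nine in ten random digit runs fail Luhn
        mm = int(m.group("mm"))
        if not 1 <= mm <= 12:
            continue            # not a real expiry, so not a real track
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"20{m.group('yy').decode()}-{m.group('mm').decode()}",
        })
    return hits


# Constructed sample standing in for a dump of a payment application's memory
# (assumption for this example). Two records carry valid test-card numbers;
# the middle one fails the Luhn check and must be ignored.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal session 7\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"GET /pay HTTP/1.1\r\nHost: gateway.example\r\n"
    b";1234567890123456=25121011234567890?\x00"
    b";5555555555554444=27081015550000000?\xff\xff"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']:>6}: {hit['pan_masked']} exp {hit['expiry']}")
```

On a real image you would feed `find_track2` the process memory of the payment application (or the whole dump, chunked) rather than this constructed buffer; the point is that if a defender can find the tracks this easily, so could the scraper, which is why the data has to be encrypted at the reader rather than somewhere downstream.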
Re: (Score:2)
Indeed. On a breach like this, somebody should go to prison for a year or two for gross negligence.
Incomplete Online Systems Planning (Score:3)
I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.
This reminds me of the US leaving the Southern US border open and saying "No terrorists would get in across our Southern border."
Re: (Score:1)
Typically, "it works" is all that's required. But notice how your security audit and pentesting aren't really fixes. They're not even really serious inspections; they're much more akin to a bit of gepoking the thing with a stick.
And that brings up two more rather damning questions: Why is utilizing this gepoking stick the industry best current practice gold standard, as in why are there so many who do even less than this? And also, why does it even work, as in how come the software is so bad you can just po
Re: (Score:3)
There is a fix coming, but it requires coercing millions of merchants to change over their systems from mag stripes to chip and PIN. For operators of parking systems, which have readers built in to their gate-paying systems, this may not be a small expense. And for banks, who have to issue expensive chip cards, and install complex key management systems to secure the accounts of thousands of customers, the expense is even higher, so they've been fighting the change. As late as last year, Visa was about to d
Re: (Score:1)
I'm not sure how chip and PIN will impact recurring charges. It does not appear to be listed on any of the literature I've found. This leaves me to conclude this technology is reserved solely for one-time payments. This would not have helped in the case of SP+, in which users voluntarily put their cards on file with an insecure payment system.
Re: (Score:2)
I have not heard of a good way to authorize recurring payments, or to enable payments on behalf of others. There is a way to use crypto to authenticate web transactions without a card reader, if they get off their butts and enable it. They really need to make these things more widely understood so people won't be so hesitant to change.
Re: (Score:2, Informative)
Negligence has long been an actionable tort.
The "we didn't know..." excuse for computer data is long past its sell-by date.
Re: (Score:2)
Actually it's more like corporations establish online systems because some 3rd party "expert" convinced management it was a good idea to do so.
It's only going to get worse not better at this point. Last conference I went to for industrial automation had an opening by Microsoft on the "internet of things" and how they've convinced major companies to put all their assets online for remote assessment, maintenance, and in one case, control. All powered by Azure of course. Everyone in the room was stunned and st
Re: (Score:3)
I can say, as someone with decent knowledge on the topic that not doing security testing is standard procedure at most companies. Testing costs money and causes delays, something no corporation wants. Until the cost of ignoring the problem exceeds the savings of proactively dealing with it, this will continue to be the case.
Re:Incomplete Online Systems Planning (Score:4, Insightful)
I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.
A real cracker could rack up double that in a 3 day weekend. Even with only one compromised machine.
And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.
I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.
It really comes down to YOUR skills in PROTECTING the systems
v
the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.
So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.
And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.
Re: (Score:2)
The problem is that doing security right isn't cheap, in both buying the right tools, making a proper network topology, and getting everything configured.
Long term, it really means businesses have to lay fiber and create a separate WAN, separate from the Internet, with some top-down management system (virtual circuits), where if machines are not pre-arranged to communicate with each other, they don't have access... and this is done on both the network fabric, and the individual hosts. Dedicated links are a
Re: (Score:2)
"if the traffic isn't MITM-able by the BlueCoat appliance, and it appears encrypted, it doesn't go out."
Thank you for the information. So it's only a matter of cracking a single machine to gain access to all your cyphered traffic, right?
What could possibly go wrong?
Re: (Score:3)
Indeed. Only cure for that: Management that signed off on the "solution" goes to prison and/or has to compensate the company for the damage from their personal funds.
Re: (Score:2)
We should pursue policies that address terrorism at its root causes, instead of creating hardships for people and animals by closing borders.
As a Border Patrol guard near Nogales told me: " The only people that are going to bother you are Border Patrol agents."
Re: (Score:2)
"I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing"
Doing it costs money. Where's the benefit?
chip+pin (Score:3)
So when are you switching to chip+pin so it's at least less meaningful to steal data?
Re: (Score:2)
That's because it's not a chip and pin. They gave me the same card and it's a chip and sign. Lame facade of security.
Re: (Score:3)
how does that work online?
Re: (Score:2)
A variety of ways. Some banks implement an SMS-based approval where a confirmation code is texted to your phone to confirm the transaction before it is processed. My bank in Australia uses this, though it can be a pain in the arse when travelling overseas if I need to use that card online.
Re: (Score:2)
I get a cross-site challenge; it usually switches over to my bank site where I have to reply to a challenge. An SMS sounds like an OK backup solution (two-factor).
Crackers (Score:3)
Crackers people, cheese.
(Ducks)
Remote access tool? (Score:1)
Good thing they fired the guy in the booth. (Score:1)
And stopped accepting cash. Everyone wins!
My parking payment system is hacked??? (Score:2)
(That's "coins" as in stamped discs of sheet metal ; "wallet" as in pouch of fabric and leather for storing payment tokens in without wearing out the fabric of one's pockets.)