Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Breach Payment Systems of Major Parking Garage Operator

Posted by timothy on from the situational-awareness-only-goes-so-far dept.

wiredmikey writes Parking garage operator SP+ said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information. The company, which operates roughly 4,200 parking facilities in hundreds of cities across North America, said the attack affected 17 SP+ parking facilities. According to the company, an unauthorized person had used a remote access tool to connect to the payment processing systems to install malware which searched for payment card data that was being routed through the computers that accept payments made at the parking facilities. Parking facilities in Chicago, Cleveland, Philadelphia, Seattle, and Evanston were affected by the breach, though a majority of the locations affected were located in Chicago.

1 of 38 comments (clear)

  1. Re:Incomplete Online Systems Planning by khasim · · Score: 3, Insightful

    I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

    I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.

    A real cracker could rack up double that in a 3 day weekend. Even with only one compromised machine.

    And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.

    I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.

    It really comes down to YOUR skills in PROTECTING the systems
    v
    the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.

    So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.

    And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.