Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Breach Payment Systems of Major Parking Garage Operator

Posted by timothy on from the situational-awareness-only-goes-so-far dept.

wiredmikey writes Parking garage operator SP+ said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information. The company, which operates roughly 4,200 parking facilities in hundreds of cities across North America, said the attack affected 17 SP+ parking facilities. According to the company, an unauthorized person had used a remote access tool to connect to the payment processing systems to install malware which searched for payment card data that was being routed through the computers that accept payments made at the parking facilities. Parking facilities in Chicago, Cleveland, Philadelphia, Seattle, and Evanston were affected by the breach, though a majority of the locations affected were located in Chicago.

24 of 38 comments (clear)

  1. Incomplete Online Systems Planning by BoRegardless · · Score: 2

    I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

    This reminds me of the US leaving the Southern US border open and saying "No terrorists would get in across our Southern border."

    1. Re:Incomplete Online Systems Planning by Anonymous Coward · · Score: 1

      Typically, "it works" is all that's required. But notice how your security audit and pentesting aren't really fixes. They're not even really serious inspections; they're much more akin to a bit of gepoking the thing with a stick.

      And that brings up two more rather damning questions: Why is utilizing this gepoking stick the industry best current practice gold standard, as in why are there so many who do even less than this? And also, why does it even work, as in how come the software is so bad you can just poke holes in it with silly ease?

      Why doesn't the software "just work" properly, especially since that's exactly how it's been sold for decades now? You can buy better cars at the dodgiest pre-owned car dealer in town than you get enterprise software delivered new from the biggest global enterprise software vendors, not to mention all the fly-by-night comparatively dodgy people also busily making a living in this space.

      There are many, many reasons for this, from entirely uncritical clients to (often unwittingly!) unscrupulous vendors to an entire cottage industry of... drama clowns wearing coloured hats that're claiming are here to fix this security thing for us. It isn't hard to see how bad it is once you realise that it is in fact so far substandard that it has become its own underground civilisation.

      How to fix it, though? You can't bolt on "security" (and relatedly, "privacy") later, so you have to build it into the system from the get-go. And yes, this is going to cost extra, though not as much as trying to bolt it on later. So customers must demand it right in the spec and software writers must refuse to write anything that doesn't take proper consideration of security (and relatedly, privacy) starting right at the spec. Until that happens, until the security cottage industry withers for lack of work to do, we'll continue to see what we're seeing now.

      Which will be a goodly while yet. Heck, we're not more than a few fleeting fads further than the notion that designing software works just the same way as designing a bit of hardware, something we've kept to for ages despite all the obivous indications that it is a rather defunct approach. Who of you have actually read Fred Brooks' 1975 book? And if you have, has your project manager?

    2. Re:Incomplete Online Systems Planning by thegarbz · · Score: 1

      Actually it's more like corporations establish online systems because some 3rd party "expert" convinced management it was a good idea to do so.

      It's only going to get worse not better at this point. Last conference I went to for industrial automation had an opening by Microsoft on the "internet of things" and how they've convinced major companies to put all their assets online for remote assessment, maintenance, and in one case, control. All powered by Azure of course. Everyone in the room was stunned and started thinking how they could do this awesomeness. I was just stunned at the positive reception they got.

      When talking to one of the other attendees about it later he asked if we were also going to look into this "internet of things". Simple two word answer, "fuck no!"

    3. Re:Incomplete Online Systems Planning by Anonymous Coward · · Score: 2, Informative

      Negligence has long been an actionable tort.

      The "we didn't know..." excuse for computer data is long past its sell-by date.

    4. Re:Incomplete Online Systems Planning by TheReaperD · · Score: 2

      I can say, as someone with decent knowledge on the topic that not doing security testing is standard procedure at most companies. Testing costs money and causes delays, something no corporation wants. Until the cost of ignoring the problem exceeds the savings of proactively dealing with it, this will continue to be the case.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    5. Re:Incomplete Online Systems Planning by khasim · · Score: 3, Insightful

      I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

      I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.

      A real cracker could rack up double that in a 3 day weekend. Even with only one compromised machine.

      And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.

      I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.

      It really comes down to YOUR skills in PROTECTING the systems
      v
      the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.

      So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.

      And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.

    6. Re:Incomplete Online Systems Planning by blue+trane · · Score: 1

      We should pursue policies that address terrorism at its root causes, instead of creating hardships for people and animals by closing borders.

      As a Border Patrol guard near Nogales told me: " The only people that are going to bother you are Border Patrol agents."

    7. Re:Incomplete Online Systems Planning by mlts · · Score: 1

      The problem is that doing security right isn't cheap, in both buying the right tools, making a proper network topology, and getting everything configured.

      Long term, it really means businesses have to lay fiber and create a separate WAN, separate from the Internet, with some top-down management system (virtual circuits), where if machines are not pre-arranged to communicate with each other, they don't have access... and this is done on both the network fabric, and the individual hosts. Dedicated links are a lot more expensive than VPNs, but one isn't a misconfiguration of a router from disaster with them.

      Remote access trojans (RATs) are not hard to stomp. If machine "A" has no reason to be communicating outside to the Internet, then it doesn't get access [1]. If it needs to go out, it gets access to the IP range it needs and no other. Network security 101 with the principle of deny everything that isn't whitelisted. This has been in textbooks since 1992 when one used Venama's TCP wrappers on sensitive boxes to ensure only proper hosts could telnet to them (SSH wasn't in use back then because it would have been considered an ITAR munition.) RATs are easily detectable by IDS/IPS installations. In a more secure network, if the traffic isn't MITM-able by the BlueCoat appliance, and it appears encrypted, it doesn't go out. SSH tunnels are easy to spot with monitoring tools, and the kibosh laid on it automatically.

      Of course, edge security goes without saying. This isn't hard. ASA appliances are relatively cheap, and the expertise to properly configure them is widespread.

      [1]: Realistically, how many machines in a company need Internet access, or access outside their Ethernet segment for most things? One could always allow RDP/Citrix access to a hop box if people wanted external Web access, WSUS and mirroring repositories takes care of patches, and DCs are internal. Or, one can require remote desktop access for the more secure data and "just" use proper endpoint security. Lots of ways to do this securely.

    8. Re:Incomplete Online Systems Planning by gweihir · · Score: 2

      Indeed. Only cure for that: Management that signed off on the "solution" goes to prison and/or has to compensate the company for the damage from their personal funds.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Incomplete Online Systems Planning by turbidostato · · Score: 1

      "I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing"

      Doing it costs money. Where's the benefit?

    10. Re:Incomplete Online Systems Planning by turbidostato · · Score: 1

      "if the traffic isn't MITM-able by the BlueCoat appliance, and it appears encrypted, it doesn't go out."

      Thank you for the information. So it's only a matter of cracking a single machine to gain access to all your cyphered traffic, right?

      What could possibly go wrong?

    11. Re:Incomplete Online Systems Planning by plover · · Score: 2

      There is a fix coming, but it requires coercing millions of merchants to change over their systems from mag stripes to chip and PIN. For operators of parking systems, which have readers built in to their gate-paying systems, this may not be a small expense. And for banks, who have to issue expensive chip cards, and install complex key management systems to secure the accounts of thousands of customers, the expense is even higher, so they've been fighting the change. As late as last year, Visa was about to delay Chip and PIN in the U.S. once again.

      But that all changed after Target got hacked, and other big retailers began to fall. The retailers said "enough with this bullshit insecure system. Fix it now, not later." The deferment was canceled, and Chip and PIN is still on for deployment by next October.

      Chip and PIN is different. Instead of some easily copied fixed data representing both your identity and your authorization to pay for something, your identity (account number) no longer has to be kept secret. The secrets are instead baked into the chips by the banks, and can't easily be copied or replayed. The merchant terminal will no longer need to be a trusted partner in providing authentication. Your chip is an extension of the bank's security system.

      It just takes a long time to get tens of thousands of banks and millions of retailers to coordinate this shift. Once it's done and mag stripes are sunsetted, the security will be vastly improved.

      --
      John
    12. Re:Incomplete Online Systems Planning by Anonymous Coward · · Score: 1

      I'm not sure how chip and pin will impact recurring charges. It does not appear to be listed on any of the literature I've found. This leaves me to conclude this technology is reserved solely for one time payments.This would not have helped in the case of SP+ in which users voluntary put their cards on file with an insecure payment system.

    13. Re:Incomplete Online Systems Planning by plover · · Score: 1

      I have not heard of a good way to authorize recurring payments, or to enable payments on behalf of others. There is a way to use crypto to authenticate web transactions without a card reader, if they get off their butts and enable it. They really need to make these things more widely understood so people won't be so hesitant to change.

      --
      John
  2. chip+pin by Mirar · · Score: 2

    So when are you switching to chip+pin so it's at least less meaningful to steal data?

    1. Re:chip+pin by YoungHack · · Score: 1

      That's because it's not a chip and pin. They gave me the same card and it's a chip and sign. Lame facade of security.

    2. Re:chip+pin by Joe_Dragon · · Score: 2

      how does that work online?

    3. Re:chip+pin by bloodhawk · · Score: 1

      A variety of ways, some banks implement an sms based approval where an confirmation code is texted to your phone to confirm the transaction before it is processed. MY bank in Australia uses this, though it can be a pain in the arse when travelling overseas if I need to use that card online.

    4. Re:chip+pin by Mirar · · Score: 1

      I get a cross-site challenge; it usually switches over to my bank site where I have to reply to a challenge. A SMS sounds like an ok backup solution (two-factor).

  3. Crackers by nadaou · · Score: 2

    Crackers people, cheese.

    (Ducks)

    --
    ~.~
    I'm a peripheral visionary.
  4. Re:And their liability is nothing... by gweihir · · Score: 1

    Indeed. On a breach like this, somebody should go to prison for a year or two for gross negligence.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Remote access tool? by lippydude · · Score: 1

    Why the reluctance to mention the Operating System?

  6. Good thing they fired the guy in the booth. by Anonymous Coward · · Score: 1

    And stopped accepting cash. Everyone wins!

  7. My parking payment system is hacked??? by RockDoctor · · Score: 1
    Someone has stolen the coins from my wallet?

    (That's "coins" as in stamped discs of sheet metal ; "wallet" as in pouch of fabric and leather for storing payment tokens in without wearing out the fabric of one's pockets.)

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"