Slashdot Mirror


Hackers Breach Payment Systems of Major Parking Garage Operator

wiredmikey writes Parking garage operator SP+ said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information. The company, which operates roughly 4,200 parking facilities in hundreds of cities across North America, said the attack affected 17 SP+ parking facilities. According to the company, an unauthorized person had used a remote access tool to connect to the payment processing systems to install malware which searched for payment card data that was being routed through the computers that accept payments made at the parking facilities. Parking facilities in Chicago, Cleveland, Philadelphia, Seattle, and Evanston were affected by the breach, though a majority of the locations affected were located in Chicago.

9 of 38 comments

  1. Incomplete Online Systems Planning by BoRegardless · · Score: 2

    I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

    This reminds me of the US leaving the Southern US border open and saying "No terrorists would get in across our Southern border."

    1. Re:Incomplete Online Systems Planning by Anonymous Coward · · Score: 2, Informative

      Negligence has long been an actionable tort.

      The "we didn't know..." excuse for computer data is long past its sell-by date.

    2. Re:Incomplete Online Systems Planning by TheReaperD · · Score: 2

      I can say, as someone with decent knowledge on the topic, that not doing security testing is standard procedure at most companies. Testing costs money and causes delays, something no corporation wants. Until the cost of ignoring the problem exceeds the savings of proactively dealing with it, this will continue to be the case.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -

    3. Re:Incomplete Online Systems Planning by khasim · · Score: 3, Insightful

      I'm beginning to think that many corporations establish online systems without ever doing a serious 3rd party security audit and then penetration testing, plus using whatever real time monitoring tools they can to detect and stop intrusions.

      I worked with a company that used TrustWave for their 3rd party pen test. The TrustWave person was ... okay ... but he was only allowed to "test" for 5 work days (Mon-Fri) not counting travel time (no Mon morning or Fri afternoon). Or evenings/nights (take his laptop to his hotel). So, in total, less than 40 hours before declaring the system "secure" enough.

      A real cracker could rack up double that in a 3 day weekend. Even with only one compromised machine.

      And the "real time monitoring tools" usually only detect the script kiddies. Which is a positive step. Just not enough of one.

      I think that the core problem is that "computer security" as a concept is way beyond the cognitive capability of most management types.

      It really comes down to YOUR skills in PROTECTING the systems
      v
      the skills of EVERYONE in the world who can script automatic ATTACKS against those systems.

      So right from the beginning YOU are at a disadvantage. Then YOU also have to COMMUNICATE the risks and requirements and costs to management. Every single day that you are NOT cracked (or the crack detected) means that YOU were wrong AGAIN about the risk of not spending $X on sub-system Y.

      And management types do understand the concept of "inflating" your budget/status by overstating the real risks/rewards.

    4. Re:Incomplete Online Systems Planning by gweihir · · Score: 2

      Indeed. Only cure for that: Management that signed off on the "solution" goes to prison and/or has to compensate the company for the damage from their personal funds.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    5. Re:Incomplete Online Systems Planning by plover · · Score: 2

      There is a fix coming, but it requires coercing millions of merchants to change over their systems from mag stripes to chip and PIN. For operators of parking systems, which have readers built into their gate-paying systems, this may not be a small expense. And for banks, who have to issue expensive chip cards, and install complex key management systems to secure the accounts of thousands of customers, the expense is even higher, so they've been fighting the change. As late as last year, Visa was about to delay Chip and PIN in the U.S. once again.

      But that all changed after Target got hacked, and other big retailers began to fall. The retailers said "enough with this bullshit insecure system. Fix it now, not later." The deferment was canceled, and Chip and PIN is still on for deployment by next October.

      Chip and PIN is different. Instead of some easily copied fixed data representing both your identity and your authorization to pay for something, your identity (account number) no longer has to be kept secret. The secrets are instead baked into the chips by the banks, and can't easily be copied or replayed. The merchant terminal will no longer need to be a trusted partner in providing authentication. Your chip is an extension of the bank's security system.

      It just takes a long time to get tens of thousands of banks and millions of retailers to coordinate this shift. Once it's done and mag stripes are sunsetted, the security will be vastly improved.

      --
      John

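
As an added illustration of the replay point plover makes above (example code written for this page, not from the original thread or from any real EMV implementation): a deliberately simplified model in which stripe data is static, while the chip computes a per-transaction MAC over a counter and a terminal-supplied random number that the issuer verifies. The keyed-HMAC cryptogram, the counter check and the `Issuer`/`ChipCard` classes are assumptions of this toy model, not the real protocol.

```python
import hashlib
import hmac
import os

# Simplified educational model written for this page, not real EMV processing.
def magstripe_track(pan, expiry):
    return f"{pan}={expiry}"      # static data: read it once, replay it indefinitely

class ChipCard:
    def __init__(self, pan, card_key):
        self.pan, self._key, self.atc = pan, card_key, 0   # key never leaves the chip

    def cryptogram(self, amount, unpredictable_number):
        self.atc += 1                                      # application transaction counter
        msg = f"{self.pan}|{amount}|{self.atc}|".encode() + unpredictable_number
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable_number, "mac": mac}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.tracks = {}, {}, set()

    def personalise(self, pan):
        key = os.urandom(16)                               # per-card secret held only by issuer and chip
        self.keys[pan], self.last_atc[pan] = key, 0
        return ChipCard(pan, key)

    def authorise_magstripe(self, track):
        return track in self.tracks                        # all the issuer can check is static data

    def authorise_chip(self, c):
        key = self.keys.get(c["pan"])
        if key is None or c["atc"] <= self.last_atc[c["pan"]]:
            return False                                   # unknown card, or a counter already seen (replay)
        msg = f"{c['pan']}|{c['amount']}|{c['atc']}|".encode() + c["un"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, c["mac"]):
            return False                                   # forged or altered transaction
        self.last_atc[c["pan"]] = c["atc"]
        return True

def demo():
    issuer = Issuer()
    issuer.tracks.add(track := magstripe_track("4111111111111111", "2512"))  # constructed sample card
    card = issuer.personalise("4111111111111111")
    c = card.cryptogram(1500, os.urandom(4))               # one legitimate payment
    return {"stripe_replay": issuer.authorise_magstripe(track),   # True
            "chip_first": issuer.authorise_chip(c),               # True
            "chip_replay": issuer.authorise_chip(c)}              # False: same data resubmitted
```

Data scraped from a payment terminal, as in the SP+ incident, is exactly the captured `track` here; the captured cryptogram `c` is worthless to resubmit because the issuer has already consumed its counter.
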
  2. chip+pin by Mirar · · Score: 2

    So when are you switching to chip+pin so it's at least less meaningful to steal data?

    1. Re:chip+pin by Joe_Dragon · · Score: 2

      How does that work online?

  3. Crackers by nadaou · · Score: 2

    Crackers people, cheese.

    (Ducks)

    --
    ~.~
    I'm a peripheral visionary.