US parking operator: YEP, hackers got your names, credit card numbers, secret codes...

Point-of-Sale systems have been hacked at major US parking garage operator SP+. The breach has resulted in the exposure of customer financial information, SP+ explained in an advisory on Friday. SP+ said it had learned of the breach from the firm that handles its payment card processing. The firm operates about 4,200 parking …

  1. frank ly

    Ah but

    " ... should warn every organisation that accepts credit card payments that they are an active target,..."

    But it won't, because, "We're not retail/parking/whatever and we have good security; it was tested by experts (five years ago)."

  2. Anonymous Coward

    Where is the...

    ...we apologise...waffle...inconvenience...drone...credit check...blah blah blah?

    1. Anonymous Coward

      Re: Where is the...

      Technically it's not their breach, the company that provides the credit card systems got hacked wide open.

  3. Alister

    What possible excuse have they got for holding the verification codes and card numbers in a database, and in plain text too?

    Do you not have PCI-DSS or equivalent in America?

    1. Test Man

      I'd also run that question to Amazon as well... the Amazon that operates in the UK that is.

    2. Anonymous Coward

      PCI-DSS

      is international (Payment Card *Industry*).

      However I can only assume the US equivalent of the FSA (The artist formerly known as FCA) is as effective as the UK ICO, and that chocolate teapots are better designed.

      I know of one UK financial institution currently still in breach (after two years) of PCI-DSS requirements for storing voice recordings. Their current inducement to fix things is a 50p/month fine.

      AC, obviously.

      1. Anonymous Coward

        Re: PCI-DSS

        There's a PCI Council white paper which allows certain exemptions for voice recordings. Whether your institution is in breach or not depends very much on how the data is stored and whether it can be mined.

    3. rjmx

      Good question

      > What possible excuse have they got for holding the verification codes and card numbers in a database, and in plain text too?

      I wondered about that too. Reading the article again, it's possible that the data was captured while in transit.

      Still should have been encrypted, though.

    4. Anonymous Coward

      PCI-DSS was invented precisely because the Yanks can't keep payment data secure, and unlike in Europe their card fraud levels were rising year after year.

      As usual, because the US can't do the job right the rest of the world has to suffer.

      1. John Brown (no body)

        "the Yanks can't keep payment data secure"

        They could if there was a financially viable reason to, but since there isn't, well...profit is a higher priority.

    5. Tom 35

      It sounds like it was intercepted in transit from the terminal in the parking lot, to the central POS system that had been broken (remote access again, crap password I expect).

  4. bill 27

    There a punishment involved?

    Other than "Gosh is our face red, in the meantime you're screwed because of our negligence."

    1. ecofeco

      Re: There a punishment involved?

      Punishment? Oh my, how naive.

      Corporations are not only people, but SPECIAL people as well! To punish them with anything more than a stern warning might hurt their feelings and force the government to give them more tax breaks and pass special exemption laws to mollify them.

      Best to just avoid that entire distasteful scenario, don't you think? Besides, it's almost certain it's the customers' fault anyway! (somehow, pretty certain, we'll conduct a study to be sure)

      1. Jos

        Re: There a punishment involved?

        If I understand correctly, http://cloud-computing.tmcnet.com/news/2014/07/16/7925932.htm says it was Heartland payment industries responsible for the payment gateway for SP+.

        Doing a little search on your favorite search website will show that it's not exactly the first time this happened (135M credit cards exposed in 2008 is hardly a minor incident).

        If there was a punishment, they didn't learn their lesson much...

  5. Stevie

    Bah!

    Hm. We can blame lots of people here, but top of my list is the program design team who decided that capturing the card information was a good idea, and then stored it all as a structure that could simply be looked at to gain meaningful (and dangerous) information from data.

    When will IT twonks learn that if you are going to give a customer the ability to hold credit card data, or any financial credentials for that matter, separating the components of those and using metadata to re-acquaint them when needed is the way to go?

    And, of course, why wasn't it all encrypted anyway?

    And why were the details that make the actual physical presence of the card ascertainable at a distance from the user captured?

    Of course, all my complaints fall on the rocks of reason if the actual exploit was a buggery-bastard tech-in-the-middle intercept that grabbed the data before it touched down on the car-park people's disks.

    This is what happens when you insist on making your cash registers the same as everyone else's and make them talk to each other. So much for the Internet of Things. More like the Internet of Dings.
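    An added illustration of the split-and-reference pattern Stevie argues for: the card number lives only in a separate vault reached through an opaque token, the application keeps just the token plus non-sensitive metadata, and the verification code is used once for authorisation and never written. This is example code, not from the article or any commenter; the `CardVault` class and the function names are assumptions, and a real vault would be an HSM-backed service in its own PCI-DSS scope rather than an in-process dictionary.

```python
import re
import secrets

# Constructed example: in a real deployment the vault is a segregated,
# HSM-backed service; here a dict stands in for it so the code runs offline.


class CardVault:
    """Holds full card numbers, keyed by a random, non-reversible token."""

    def __init__(self):
        self._pans = {}

    def store(self, pan):
        token = secrets.token_urlsafe(24)  # opaque reference, no PAN bits in it
        self._pans[token] = pan
        return token

    def lookup(self, token):
        # Only the payment path that talks to the acquirer should call this.
        return self._pans[token]


def luhn_ok(pan):
    """Standard Luhn checksum used to reject mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_card(vault, pan, expiry, cvv):
    """Return the only record the application may keep: no PAN, no CVV."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid CVV")
    # The CVV would go into the acquirer's authorisation request here and is
    # then dropped: PCI-DSS forbids storing it after authorisation.
    del cvv
    token = vault.store(pan)
    return {"token": token, "last4": pan[-4:], "expiry": expiry}
```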

    1. bill 27

      Re: Bah!

      Blame it on Dilbert.

    2. ecofeco

      Re: Bah!

      I can just about guarantee you it was not the design team that made that decision, but someone in the C suite or just below that.

      Still, I could be wrong. There are always exceptions.

      1. Fatman

        Re: Bah!

        "I can just about guarantee you it was not the design team that made that decision, but someone in the C suite or just below that."

        Quite likely!!!

        You know the type - they whine about increasing shareholder value, as they cause the "corporate airplane" to crash and burn.

  6. Turtle

    Free. As In "Free".

    "Every organisation must understand the current avenues used to attack payment systems, but must also go beyond that knowledge to completely analyse their entire infrastructure to be certain that it is configured as intended, that security zones are properly configured and enforced, all network devices are hardened against potential attack, any network-accessible vulnerabilities are prioritised first for patching, and generally continuously audit the entire infrastructure to discover any violations of the security architecture before it can be exploited."

    Can they get this done for free?

  7. John Brown (no body)

    Verification number?

    Why was that needed? Was the card holder not present while the car parked itself?

    No, I've never used a credit card to pay a parking fee other than once or twice in a car park which has a machine to stick the card in and the cost was over a fiver. I needed the card, not the verification number since I was present at the point of sale.

    1. Anonymous Coward

      Re: Verification number?

      [possibly a bit late, sorry]

      In the UK there are parking services where the credit card details are gathered from punters over the punters' mobile phones, which thereby saves the parking operator and their billing subcontractors the expense of machines onsite needing to be connected and maintained and other such unprofitable aspects of the business. These operators will presumably need the CVV?

  8. This post has been deleted by its author

  9. Anonymous Coward

    Sorry if I am being stupid

    When I worked at a takeaway in the UK, our card machine was provided by the bank (NatWest) and the machine dialled a phone number through the telephone line to perform the payment. So, everything was going to the bank. So, what are all these POS systems doing? Are they storing the data internally? Don't they dial the bank directly?
