22
Mar 14

Sources: Credit Card Breach at California DMV


The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV.

The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.

Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT”.

A representative from MasterCard, speaking on background, confirmed sending out an alert this week. According to bank sources, Visa has not sent out a similar alert. A Visa spokesperson said “Visa cannot comment on potential third party data compromises or ongoing investigations.”

Contacted about the alerts early Friday afternoon Pacific time, California DMV Spokesperson Jessica Gonzalez said the agency would investigate the matter. Reached again at 6:30 p.m. PT (well after DMV business hours on a Friday), Ms. Gonzalez said her office was working late as a result of the inquiry from KrebsOnSecurity. She said the agency was still in the process of getting a statement approved, but that it planned to email the statement later that evening. So far, however, the California DMV has yet to issue a statement or respond to further requests for comment.

Update, 6:44 p.m. ET: The CA DMV just issued the following statement, which placed blame for the incident on the organization’s external card processing firm:

“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”

“There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

The CA DMV did not say who their card processor is, but this document from the California Department of General Services seems to suggest that the processor is Elavon, a company based in Atlanta, Ga. Representatives for Elavon could not be immediately reached for comment [hat tip to @walshman23 for finding this document].

Update, Mar. 24, 10:54 a.m.: Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that “there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.”

Original story:

If indeed the California DMV has suffered a breach of their online payments system, it’s unclear how many card numbers may have been stolen. But the experience of one institution that received the MasterCard alert this week may offer some perspective.

The alert was tailored for individual banks, including a list of the credit and debit card numbers that each bank had potentially exposed. One California bank that received the alert said the notice included a list of more than 1,000 cards that the bank had issued to customers. To put that in perspective, this same bank had just over 3,000 cards impacted by the breach at Target late last year, and that was a break-in that ultimately jeopardized more than 40 million card numbers at banks nationwide.

“We’re seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California,” said a source at the small state bank, who declined to be named because he did not have permission to speak on the record. “That’s still a big number, and it’s a huge exposure window.”

According to the latest statistics released by the California DMV, Californians conducted more than 11.9 million online transactions with the agency in 2012, a 6 percent increase over 2011.

Also unclear is whether the apparent breach affecting the CA DMV may have involved the theft of additional, more sensitive personal information on Californians, such as Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data.

Update, 4:05 p.m. ET: Modified the opening paragraph to make it clearer that this is a breach involving online transactions, not at California DMV physical locations (which don’t accept credit cards anyway). Also, the CA DMV has released a Frequently Asked Questions (FAQ) page about this incident.


140 comments

  1. Agree w/ wiredog. Leave the political slurs out, please.

  2. So since there is pretty much a guarantee that everyone’s credit, social security, and personal information is leaked and abused at will, how does one go about starting a new identity from scratch? The system has become unusable so how do we get a new one without all the same old mess as the old one?

    • I agree there is no point changing one’s identity – seems like they will just have to come up with better and better authentication schemes, that work with less and less chance of being compromised.

      I still feel a change in PCI standards may help for years to come, but the industry will at least have to admit they will be playing catch up the whole time. I really don’t believe they will ever actually be completely ahead of the criminals.

      • I am thinking more along the lines of why bother using a ‘real’ one anymore. The framework of identities is pretty well busted and seems like the normal sap gets punished for trying to conform while the banks and crooks keep changing the rules at a whim and make out like bandits. Maybe I’m just cynical or watched one too many netflix documentaries, but it seems like society is coming apart and our leaders do nothing while the banks and financial sectors take full advantage of every last dollar they can wring from our pre-corpses.

        • I once called for a system, where your ID would be behind a veritable Ft. Knox, then a shadow ID would be issued that was only tied to the real one through some kind of technical scheme – I’ll leave that to the experts.

          I’ve also seen good arguments from people smarter than me, that all they need is a Real ID that cannot be corrupted and simply improve the security involved in attaching it to a financial device. When I say Real ID, I mean one like a drivers license, that cannot be copied, or would be so expensive to copy that it would be cost prohibitive to try.

          Congress tried to pass a Real ID act so that employers could finally cover their behinds from hiring illegal aliens and getting fined for it. The problem was there was no carrot in the law, only a stick – states powers trumped federal in this case and the whole scheme was dropped. I don’t know if they will ever try it again with the hot button immigration reform issues out there.

          As it turns out, punishing employers for hiring illegal aliens with fake IDs has not worked out. They can always duck the charges because of the fact that faking the ID is too easy, and it looks totally legitimate – in fact some of them are tied to actual persons who passed away. So you also have the problem of fake ID splattered all over the system, which I’d wager is also complicating the financial side of this, as much as the type of credit card theft we see here at KOS.

  3. The California DMV’s physical locations do accept credit cards.

    • Interesting, I think most people found this:
      https://www.dmv.ca.gov/dl/fees/dl_fees.htm
      Payment Methods
      DMV field offices accept payment by check, money order, cash or ATM/Debit cards for payment of fees.

      But, there’s also this: https://www.dmv.ca.gov/fo/fo_sst.htm
      Self Service Terminals
      Cash, credit card, debit card or check are all acceptable forms of payment.

      (Personally, I recall using a check.)

      I’m not sure who would process ATM/debit cards. Does one just pay the networks directly, or is there a special processor for them? I’d naively assume that one would use a payment processor….

  4. if the breach is at Elavon, then there could be a lot of other potential BIG target areas involved if the bad guys go beyond the card processing specifically for the Cali DMV:

    http://www.elavon.com/merchant-services/enterprise

    AIRLINES
    We’re the #1 processor for Airlines. And climbing.

    HOSPITALITY/T&E
    We are the leading hosts of Hospitality.

    RESTAURANT
    We’re rated five stars in Restaurant.

    RETAIL
    We’re a top seller (or acquirer) in Retail.

    HEALTHCARE
    We prescribe winning payment solutions in Healthcare.

    PUBLIC SECTOR / EDUCATION
    Our processing serves the Public Sector.

  5. I have some diagnostic information (Screenshot) from a failed attempt to login to the California DMV. (Login attempt dated 12/27/2013.)

    Lmk if you need.

  6. The article states that Elavon is the DMV’s merchant credit card processor, but that is not necessarily the same thing as the “external vendor that processes the DMV’s credit card transactions”. To avoid PCI hassles, the DMV may have hired a different vendor (a payment gateway) on whose website the actual payment transactions were entered. Those transactions are then sent to Elavon for approval and capture. So the question may actually be: Does the California DMV use a payment gateway and was the gateway breached?

  7. California DMV FAQ:
    Questions About Potential Credit Card Processing Breach

    http://www.dmv.ca.gov/about/cc_faq.htm

    Question 1:
    What happened?
    On March 21, 2014, the Department of Motor Vehicles was alerted by law enforcement authorities to a potential security issue within its credit card processing services.

    plus a lot of other blah-blah-blah questions and answers….

  8. I’ve had my ATM card skimmed while at the Escondido DMV. It was a card I rarely use and a day after I paid for my registration at the DMV, it was used on iTunes for $50. I called the Escondido DMV and the main Sacramento number and I couldn’t get anyone to investigate this. I called the bank and reported it and the money was replaced. But I don’t have any iDevices or an Apple account and would never EVER buy anything from iTunes.

  9. There is no breach of data at CA DMV, somebody said maybe. Show me real facts. In the meantime it would behove you to hold your keyboard.

  10. I bought two bottles of laundry soap at Target incident on Thanksgiving weekend, and when that news story hit I called my credit card company and had the card replaced.

    Because the state’s press release about the DMV incident said that we would be notified if affected by the DMV credit breach, I didn’t proactively cancel my credit card, even though I paid a vehicle registration online during the time frame of the DMV snafu.

    Now (about 3 months after paying the DMV fee online), I see two unauthorized purchases on the card statement for odd amounts around $55 and just under $100. The vendor is down in LA and the charges were for online purchases, but “of course” the credit card company will not tell me where those purchases were mailed–I doubt law enforcement will follow up on it. Now I again have had to go through the process of cancelling the card and waiting for a replacement, plus the card company advises that I make a police report. I sure hope this is the end of it!

  11. I just received my BOA Visa credit card statement today, with $157 charge from CA DMV. I don’t live in CA, but on the East coast. I NEVER had a fraudulent charge on any credit card until this CA DMV charge. As we can see charges are being made to anybody, anywhere. This should be nationally advised, since it’s not a local in-state problem.

  12. All those promises are meaningless if the crooks have installed listening software to collect credit card information and forward it to their server. Let it run undetected for a few weeks or a few months, and they’ll have tens of thousands of credit card credentials in their collection.

  13. Maybe they need to switch to PayPal?

  14. This is exactly why I use Google Wallet. This is the system they use and I have never had a problem.

    If I cannot purchase online using Google Wallet, I find a way to mail in a check.

    Also, the security that is now provided in the Chrome Browser is another factor.

  15. Richard Goeken

    That is like saying this O-ring has never caused a problem, so we don’t need to replace it now. Challenger.

  16. O-kay! Maybe it is at least better than Bitcoin? Nobody noes what happ’n to it – Oh noes! :(

    Probably WAY more trustful than PayPal – got any links/ideas?

  17. I did not say or imply that the system does not need to be fixed. That is painfully obvious… especially here on Krebs.

    The post I responded to was talking specifically about a well known method of assigning a secret number for a public facing one. It has been used for years by the telephone companies. My point is that Google Wallet also uses this method and has a safer browser, if only because they sandbox cookies.

    Now, they are planning to encrypt gmail also. How is that not “doing something about the problems”?

    http://www.securityweek.com/google-boosts-security-gmail-infrastructure

    The Challenger and Airplane disasters do have something in common with Cyber disasters, though. They both find out about the problem after it is too late, not before. Further, we would not be hearing much about either types of disasters if it were not for the scale.

    If inspection is the way to prevent these Cybercrimes, it has to start with a deep search of hardware, software and most importantly, network vulnerabilities. How to prevent Man In The Middle attacks is not at all an easy task.

    I am just waiting for the certificate inspection plan by Google to be implemented. That will be the key for the key for the key… multi-factor authentication.

    The comments about end points are still relevant and this is where all the action is. As bad as stolen credit cards are to devastate a person’s life, getting into your pacemaker will be a lot worse.

    It is clear that we must secure the endpoints, the records, and the networks at the same time, which means a standard. That is why President Obama created NSTIC. A trusted identity is what is needed, along with a standardized way of communicating across systems. The Interoperability is where it becomes a mess.

  18. @JCitizen:

    ‘you are drunk, go home!’