March 22, 2014

The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV.

The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.

Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT”.

A representative from MasterCard, speaking on background, confirmed sending out an alert this week. According to bank sources, Visa has not sent out a similar alert. A Visa spokesperson said “Visa cannot comment on potential third party data compromises or ongoing investigations.”

Contacted about the alerts early Friday afternoon Pacific time, California DMV spokesperson Jessica Gonzalez said the agency would investigate the matter. Reached again at 6:30 p.m. PT (well after DMV business hours on a Friday), Ms. Gonzalez said her office was working late as a result of the inquiry from KrebsOnSecurity. She said the agency was still in the process of getting a statement approved, but that it planned to email the statement later that evening. So far, however, the California DMV has yet to issue a statement or respond to further requests for comment.

Update, 6:44 p.m. ET: The CA DMV just issued the following statement, which placed blame for the incident on the organization’s external card processing firm:

“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”

“There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

The CA DMV did not say who their card processor is, but this document from the California Department of General Services seems to suggest that the processor is Elavon, a company based in Atlanta, Ga. Representatives for Elavon could not be immediately reached for comment [hat tip to @walshman23 for finding this document].

Update, Mar. 24, 10:54 a.m.: Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that “there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.”

Original story:

If indeed the California DMV has suffered a breach of their online payments system, it’s unclear how many card numbers may have been stolen. But the experience of one institution that received the MasterCard alert this week may offer some perspective.

The alert was tailored for individual banks, including a list of the credit and debit card numbers that each bank had potentially exposed. One California bank that received the alert said the notice included a list of more than 1,000 cards that the bank had issued to customers. To put that in perspective, this same bank had just over 3,000 cards impacted by the breach at Target late last year, and that was a break-in that ultimately jeopardized more than 40 million card numbers at banks nationwide.

“We’re seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California,” said a source at the small state bank, who declined to be named because he did not have permission to speak on the record. “That’s still a big number, and it’s a huge exposure window.”

According to the latest statistics released by the California DMV, Californians conducted more than 11.9 million online transactions with the agency in 2012, a 6 percent increase over 2011.

Also unclear is whether the apparent breach affecting the CA DMV may have involved the theft of additional, more sensitive personal information on Californians, such as Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data.

Update, 4:05 p.m. ET: Modified the opening paragraph to make it clearer that this is a breach involving online transactions, not at California DMV physical locations (which don’t accept credit cards anyway). Also, the CA DMV has released a Frequently Asked Questions (FAQ) page about this incident.


140 thoughts on “Sources: Credit Card Breach at California DMV”

  1. Algeranon

    “data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.”

    This is what I complained about happening at Wal-Mart. These days the mag-swipe unit often requires that or your 4 digit PIN rather than the signature now. My bank officer said that should not happen and this article shows why.
    The 3 digit security # on the back should only be verified visually by the cashier and never recorded.
    The individual signature is the hardest to reproduce.

    1. Wombat94

      Algeranon,

      Your bank officer may be correct that it is not best practice to require the customer enter the cvv2 value, but there is nothing preventing it – nor is it against the terms of merchant agreements to do so.

      There would be NO value in only having the cvv2 visually inspected by the cashier…. It is only useful as a fraud preventative if it is included with the card information submitted through the authorization networks to the bank that issued the card…. Only that bank can confirm if the value matches the one that was issued with the card.

      I agree that it is a seriously bad idea for merchants to require it in a card-present situation… That makes it possible for both the track data from the mag stripe to be captured AND the CVV2 – but in the case of an unreadable card that has to be manually keyed in, it is a totally reasonable measure for the merchant to ask for the CVV2

    2. tim

      To add to Wombat94 comments – relying on an individual who makes next to nothing and has no incentive to prevent CC fraud to validate CC information simply doesn’t work.

      1. John3

        The CVV2 has no benefit for in-person transaction when the card is swiped, so not sure why a clerk at a retail store would ever ask to see it unless the mag stripe fails to read. As far as “requiring” you to enter your PIN, that’s something known as “debit steering” where the merchant presents the PIN prompt by default so they pay less in transaction fees (and also have a non-disputable transaction). You can usually cancel out and select CREDIT if you don’t want to use your PIN, and in general that’s a good idea since you get more purchase protection by processing as credit.

        Regarding storage of CVV2 data, as far as I know that is prohibited by PCI standards. Once the transaction is approved the CVV2 is supposed to be purged. So either DMV was storing these numbers in violation of the PCI standards or else the card data was being scooped as it was being processed.

        1. Algeranon

          This has been happening at Walmart even though I ALWAYS select the “credit” option.
          I repeat my statement that the SIGNATURE is the only thing that should be required 1st (PIN or CVV2 only if processing shows some sort of inconsistency). The signature is the hardest thing for scammers to reproduce anyway. Perhaps the recent SCOTUS ruling will end the “debit steering” redirection.
          Who trusts anybody not to retain info anymore, anyway?

          1. wombat94

            Algeranon,

            Signature IS all that is REQUIRED in order to process a transaction. “Debit steering”, “PIN Prompting” or “BIN Management” (as the technique is variously referred to) is legal and acceptable for merchants to do (Walmart went to court over this exact practice and won)… the whole reason is that the banks charge MORE of a service fee if the customer signs their name than if the customer enters a PIN. Credit cards in general are charged more because the bank issuing the card has a greater risk of non-payment when they are loaning the money to the customer. When you use a debit card tied to a bank account (whether you enter a PIN or sign your name) the bank does not have that risk.

            That is why the service fees banks can charge are limited by law for PIN entry transactions. Walmart’s (and many other retailers) contention is that if they know whether a card is capable of accepting a PIN, they should be ALLOWED to ask for a PIN – in order to save money for the merchant.

            As you have noted, Walmart doesn’t REQUIRE the PIN – they give you an option, if you choose, to process the transaction as a signature-based payment. It isn’t necessarily obvious how to do that – but almost universally, merchants that do Debit steering will provide a way to opt out of the PIN entry.

            As far as risk of debit PINs being stored and compromised, that is one area of this whole electronic payment mess that is least concerning… I would say nearly all large retailers by now are compliant with requirements for DUKPT security for debit card PINs. (DUKPT – Derived Unique Key Per Transaction)

            Essentially, DUKPT ensures that all PINs are encrypted at the PIN entry device and that each PIN is encrypted with a different physical key – so that each PIN entered has to be separately hacked – if a thief is able to get ahold of the PIN data.

            Here’s the thing, though. If you are presenting your bank-account linked debit card for payment at a retailer it REALLY DOESN’T MATTER whether you enter in your PIN or opt out and sign your name. The simple act of swiping the card is enough to potentially compromise your bank account and have your funds drained (yes, the signature will help protect you from loss based on your Visa/Mastercard cardholder agreement – but most banks also provide similar/same benefits for their cardholders if they enter a PIN as well). Eventually you most likely get all of your money back, but in the meantime, the cash you had in your checking account is gone and you are out of luck.

            If you think about the Target breach, Target reported that encrypted PINs were stolen as well as the track 2 card data – but the encrypted PINs are not hackable in any practical sense given the level of computer power available today. But the damage to many folks’ bank accounts was already done.

            All of this is to say that in the current climate (speaking as someone who spends a lot of time implementing credit card payment systems as securely as I can) the only safe approach to using a Debit card at retail is to NEVER SWIPE THAT CARD at a retail point of sale terminal. It just isn’t worth it. Use a credit card and pay it off each month…

            As a bonus, if you swipe a card that ISN’T a debit card, Walmart won’t prompt you for a PIN.

            1. Algeranon

              If Walmart wasn’t requiring these things in haphazard manner I would not be complaining about it!
              Do you work for Walmart or what?
              It is NOT acceptable to me for anything except the signature to be required by the mag-swipe unit unless processing shows some other problem afterwards. As I have stated it is unsecure to me the consumer, as all these thefts (including CVV2) have PROVED.
              Please do not reply again, you are clearly some sort of lobbyist with little concern for consumer protection.

              1. wombat94

                I’m sorry you got the feeling that I am a shill for Walmart… far from it. I am not a fan of them at all and have rarely shopped there in the last 5 years at least.

                The one area that I am a fan of them is in their stand against the unreasonable fees charged by banks for debit/check card transactions and Walmart’s willingness to go to court over the issue.

                Where we are today with Walmart (and now other retailers) asking a customer for a PIN when a debit card is swiped is only allowable by Visa/MC because Walmart won their lawsuit (actually Visa/MC finally settled out of court when the judge in the case made it clear he was going to rule in the merchants’ favor).

                I agree with you that Walmart should not be prompting for the CVV2 to be entered for transactions where the card is swiped successfully. I’ve not encountered that myself – but as I said I don’t shop there much any more. As someone who implements retail payment systems, I can’t think of a reasonable use case for doing this – and it would seem to open up a big liability hole. I would, if prompted for the CVV2 after a successful mag stripe read through the payment terminal, decline as well.

                I have implemented a system for one retailer where they would prompt for the CVV2 if the card was unreadable and the customer (or cashier) entered the card’s account number manually. In that case, Visa/MC allow the CVV2 to be passed along with the authorization request as a validation that the physical card was present even though a mag stripe wasn’t captured.

                In the system I implemented, we had all data encrypted in the card swipe terminal – so we never had a chance for the card data to be captured on the point of sale PC… even if the card had to be manually keyed in because the mag stripe wouldn’t read, that was done on the pin pad terminal and encrypted before it ever got to the PC.

                The hole in that process was that the CVV2 couldn’t be entered through the credit terminal in a way that would encrypt it… so if we needed to use CVV2 it was in the clear. We never stored it in a database, never wrote it to a log file, but it was in clear text in memory and could have been captured by a key logger on the PC or a memory scraper malware like Target had. After looking at the potential liability vs. the small benefit for unreadable cards we ended up removing the option to even put in the CVV2 from our point of sale terminal. The risk wasn’t worth it vs. the exposure.

                I do hear you about preferring to have the signature be all that is required. I understand the consumer desire for that, but there are two things that make that impractical:

                1. The credit transaction processing system in the US has evolved to this point over decades and it does not support what you say you would prefer – try the transaction first and then fall back to requiring a PIN/CVV if something fails. This is the system that the card brands have now – if you don’t require the PIN up front, the merchant is charged extra money to process the transaction.

                2. As I said in my last post… when the issue is fraud of the sort stemming from the Target breach, (leaving out CVV2 – which, again, I agree is wrong of walmart to require if you successfully swiped your card) PIN vs. Signature is irrelevant. Once you have swiped your debit card – if that merchant is breached – the damage is already done.

                The ONLY way to really protect your checking account is to NOT USE a debit card at retail point of sale.

                1. Algeranon

                  I agree the input of the CVV2 is ridiculously hard to secure. All should get encrypted.
                  I still think the dropping of the signature is a big business dodge, it should be legally required every time.
                  I hear you about the credit vs. debit thing. The Fed. law should be that both are protected equally.

                  Also, I’m getting a security blurb about site certificate errors on this page. I see this most often on comments pages at different sites.

        2. Marc

          A friend of mine used to work in compliance at a large online retailer. His internal audit revealed that CVV2 numbers were being stored, and this set off all sorts of alarms – but the same audit ALSO revealed that that particular server wasn’t getting backed up, so it all canceled out in the end. 😉

      2. Joe m

        Look buddy, I work at Wal-mart, and you’re right about the “makes next to nothing,” but just because I work for Walmart, that doesn’t mean that I don’t care, I shop there too, I get part of my pay through their financial delivery system AND their systems contain ALL the valuable info these crooked bast@=D’s look for, therefore your hypothesis that we don’t care holds as much water as a sieve! How about you looking at your holier-than-thou self than looking down your nose at a lot of (VERY) hard working people just because we’re trying to feed our families BY working than sitting back on our asses and collecting the dole.

        1. Algeranon

          Sounds like a lobbyist for sure.
          So, you are saying what? You take personal responsibility for the consumers being treated so badly?
          BTW, Walmart has been convicted several times of bribing officials, etc.
          So much for “holier-than-thou” !

    3. BrianKrebs Post author

      Please dear readers, see the updates to this post above. CA DMV is now saying the problem lies with their credit card processor. That firm has been independently confirmed to be Atlanta, Ga. based processor Elavon.

      1. Bruce Hobbs

        Brian, who are other DMVs using Elavon’s services? I find it hard to believe a compromise at Elavon would just involve one DMV.

      1. John Devor

        Would you put your money in an institution whose name means “Magic The Gathering Online Exchange”? You can’t make this stuff up.

        1. JCitizen

          Did I read the other day that they’ve given up and have shut down, with some lame promise to try to give back some of the money? I’d doubt a person would get 1 cent on the dollar, or even that much!

          1. Wile E Coyote

            “A fool and their monies are easily parted”

            I should know, look at all the A.C.M.E. junk I’ve purchased through out the years! And where has it got me?

  2. Mike Slaugh

    Get ready for a kneejerk legislative reaction that is going to cause a lot of pain for everybody.

    1. Robert.Walter

      At the rate these breaches seem to be accelerating, the sooner the better.

      1. JCitizen

        Knowing congress, they’ll make it worse instead of better! Just too many web ignorant legislators! Seems to me they need something like United Laboratories. In the last century – congress had more common sense – they knew they couldn’t handle anything technical so they let UL setup all electrical standards and oversight. I’m not even sure UL has any teeth to be able to enforce its standards, but everyone went along with it, because it was working so well.

        I don’t know the history of UL or how it is funded, but I thought it was funded by the entire industry – maybe they could come up with something like this on PCI standards?

        1. Rabid Howler Monkey

          Perhaps, this relates to why the U.S. is ceding the Internet to a yet to be defined multinational oversight body. Take my Internet, PLEASE!

          And, then, create a new Internet from scratch. Hopefully, better the 2nd time around.

          1. JCitizen

            With ICANN adding more (or infinite?) domains now; I think we’ve lost it already. I really wonder if IPv.6 is going to eventually end any small amount of anonymity that was enjoyed by the public in the near future? Not that it was truly anonymous anyway.

          2. Wile E Coyote

            Already been done, Haven’t you heard of TOR?

            dats where all da criminals are wit yo CC infos?

            you seem new to this sort of thing.

            Enjoy 😉

              1. Wile E Coyote

                Ah, now you want security? it’s already there too? it’s called the off switch on your bit box, use it!

                1. JCitizen

                  TOR is not anonymity anyway, unless you know a WHOLE lot about what you are doing! – Just ask the many Tibetan Buddhist dissidents in jail in China how that is working for them! Not that I have, but I do read the news, and none has been contrary! Pretty believable too!

                  There is a solution for them, but it doesn’t involve TOR. That just gets you noticed by the GREAT WALL OF CHINA! Oops! 🙁

                  1. Michael Ronayne

                    I first ran into TOR in early 2000 and was freaked out by the avatar the DoD was using in the lower left corner of their homepage, which you can see here in the Wayback Machine:

                    http://web.archive.org/web/20000301032827im_/http:/www.onion-router.net/

                    You can view Peep the All Seeing “Naked” Spy Eye here without the rest of the homepage:

                    https://web.archive.org/web/20000301032827im_/http://www.onion-router.net/Images/Peep.gif

                    When any branch of the DoD tells you they are spying on you in such a creative way, believe them; it’s when they tell you that they are not spying on you, that you should be skeptical. Yes, I have seen all the YouTube videos from the TOR Project team proclaiming their good intentions but every time I watch such a video I am reminded of Peep. There is an old saying which goes: “You never get a second chance to make a good first impression.” In my case, TOR failed that chance 14 years ago.

                    If anyone gets the opportunity, ask the TOR Project team this question: Of the six (6) Domains hosted on the primary TOR Project webserver at 38.229.72.14 (as of 2014-03-23) why is the Domain onion-router.net still owned by the DoD?

                    1. digitalriversupport.us
                    2. onion-router.net
                    3. torproject.com
                    4. torproject.net
                    5. torproject.org
                    6. torproject.se

                    I am really fascinated by the user community on the 38.0.0.0/8 subnet but that is a question for another time and place! To end on a positive note, I wish to congratulate the FBI on their recent phenomenal string of successes bringing evil doers to justice who were using TOR.

              2. DerpaSherpa

                If you actually familiarised yourself with the story you’d know that TOR worked perfectly well and it was failures he made on the clearnet that led to his downfall. He was advertising it and asking technical questions under pseudonyms directly linked to his real identity.
                It was bad OPSEC not TOR that was at fault

                1. JCitizen

                  I don’t care about this story, you can be detected on TOR if you don’t use a lot of WIZ bang on your end points – EOT! Dang! I need to go to bed!!!

                2. Michael Ronayne

                  I can’t comment on the validity of the evidence in any particular case but I would like to point out that within the DEA there exists a unit known as the “Special Operations Division”, or SOD, whose function it is to sanitize and distribute information, the collection of which is unconstitutional under the laws of the United States. Basically illegal evidence is collected which identifies and supports the guilt of a suspect and then a fictitious evidence trail is backfilled supporting the conclusions which have already been reached, using a technique known as “Parallel Construction”. It is much easier to find a needle in a haystack when you know which haystack to search. This is also the same issue which Meta Data creates. Here are three news stories on this subject from August 2013:

                  Exclusive: U.S. directs agents to cover up program used to investigate Americans
                  http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805

                  Exclusive: IRS manual detailed DEA’s use of hidden intel evidence
                  http://uk.reuters.com/article/2013/08/07/uk-dea-irs-idUKBRE9761B620130807

                  The NSA-DEA police state tango
                  http://www.salon.com/2013/08/10/the_nsa_dea_police_state_tango/

                  Here is the text from the IRS slide and the meaning of the abbreviations which are used.

                  Parallel Construction

                  # Parallel Construction is the use of normal investigative techniques to recreate the information provided by SOD
                  * Subpoena domestic telephone tolls
                  * Field interviews/defendant debriefs
                  * Request foreign tolls or subscriber info via the Attaché office/MLAT

                  SOD: Special Operations Division
                  MLAT: Mutual Legal Assistance Treaty

                  I have seen the TOR Project team members state that the incriminating evidence was collected outside of TOR, which I am sure “most” of them believe, but this is exactly the illusion which SOD and Parallel Construction are designed to create. My best advice to everyone is, if you are planning to do anything illegal, don’t use TOR.

                  1. JCitizen

                    Good post – I think I posted somewhere here or other KOS discussion about how the Tibetan dissidents do it, and they don’t do TOR either, although I’ve seen discussions by other dissident groups about how to obfuscate the end points of a TOR connection. Of course they are already aware that nation players are using back doors in the network, but they aren’t interested in what people see as much as what agents can find out about who and where the communications are coming from. Since they are not military type underground fighters in most instances, they have no operational secrets in most cases.

        2. Marc

          UL stands for Underwriters Laboratories, not United.

          Underwriters are insurance companies; they founded UL to reduce the number of claims due to faulty electrical appliances. Basically, if an electrical fire was caused by a device/appliance that was NOT UL-listed, good luck getting your insurance company to pay up.

          The financial equivalent already exists – it’s called PCI.

          1. JCitizen

            Thanks for that correction Marc – Well I guess PCI will just have to be modified – hopefully the industry can do a better job than congress would! I’m not big on having cumbersome regulations, but surely they will react as nimbly as they can to this need.

  3. CSmith

    Was the DMV breached, or the company/gateway that processes the payments for them? Anyone know which payment engine is powering the CA DMV website? If the company that is powering the payment engine for them got breached, then it’s quite possible that other government entities that use the service may have been breached as well.

  4. Dr R Dub

    As a precaution I just went into my CA DMV account and changed my password. As a result, they sent me a confirmation email with my new password in plain text. Don’t know whether to laugh or cry …

    1. JCitizen

      Oh Sheeze! If you wanna bad example of our ‘gubbamint’ and where it is going, just look at Californica, and you will see! 🙁

      1. KFritz

        Interesting. A government entity makes a mistake and you use a broad brush (and a disparaging misspelling) to belittle all government. Does anyone need to go back to the comparable private sector, capitalist screw ups to see if you called out greed, stinginess, and incompetence in the private sector?

        You’re engaged in right-wing trolling.

      2. KFritz

        I didn’t see you talking down capitalism after any of the comparable screw-ups by for-profit entities.

        1. JCitizen

          California has some of the worst records for individual rights of any state short of New York, which is trying to play catch up as fast as possible. If we don’t speak out now – how long do we wait?

    2. Phil Cooper

      The best thing is not to have a DMV account at all. You can make online payments without establishing an account; it just requires keying more information in each time. Even better, write a check and send it in by certified mail. It costs a couple of bucks and 20 minutes more, but in the end may end up saving you a hundredfold compared to cleaning up an identity theft mess.

      1. Richard Goeken

        Why send a certified check? We send checks to the NJ MV all the time and there is no problem (they charge to use a CC).
        You spend extra money to send the check for what reason?

        1. femtobeam

          Cashiers Checks do not have your bank account on the bottom for one reason. Another is, as pointed out by another post, the USPS can prosecute fraud and the checks are reasonable.

          The USPS is in the best position to authenticate identity and also is the largest public facing agency, when the National Trusted Identities in Cyberspace (NSTIC) finalizes the NIST Standards.

  5. HAHA (not funny)

    The DMV also has our prints on file.

    I now need to remember 43 passwords, 23 PINs, and which finger I used at the DMV.

    1. Phil Cooper

      Always give ’em the middle finger. That’s what they deserve and it’s the easiest to remember.

      1. Mary K. Davis

        Mr Cooper, If you came into the field office where I work and showed me your middle finger I’d have to show you my index finger as I direct you to the exit.

        I personally speak to 600-750 people a day and fortunately 80% of them are pleasant. I do my level best to change the negative opinions to positive opinions but there are some that don’t want to change and refuse to admit they’re wrong. Don’t get me wrong…DMV is run by humans and humans make mistakes. But most of the time the problem is due to public ignorance. And that we can’t always change

    2. JCitizen

      PRINTS!! That ought to be illegal!! But then about everything the left-wing fascists in Californica do ought to be illegal as far as our civil rights are concerned!!! :O

      I really do sympathize with Governor Brown, even if he was a major contributor to the problem in the past – he seems to be making amends these days.

      1. chasm22

        Listen you right wing troll. How about being specific in what you’re talking about? I’ve lived in ‘Californica’ for 57 years and the only problem I have is jerks like you.

        How exactly do you know the left wing was involved in the decision to require a fingerprint? You don’t do you troll? Because it wasn’t some left wing conspiracy at all, but an attempt to eliminate document forgeries, primarily document (California ID’s and California Drivers Licenses) forgeries performed by people trying to enter the country illegally, you know, the illegal aliens you right wing trolls are always worried about. So what have you got to say about it now, troll?

        1. onlinekook

          chasm22,
          Liberalism is a mental disease, and you are in desperate need of some meds.

    3. eggshape

      Right thumb – but how did you submit it online?

      1. HAHA (not funny)

        I didn’t submit it at renewal, but I had to give a print when I got my DL here. Could be it’s not stored with my CC records, but then no one’s saying, so I have no clue.

        I’ve had DL’s in five states. CA is the only one that required a print. I wonder how many others require one.

        1. Phil Cooper

          I can’t speak for other states, but California has had big, big problems with an influx of illegal aliens and a brisk business of selling fake documents, such as driver licenses. Changes to the design in recent years have made them much more difficult to forge, and having at least one fingerprint recorded along with a photo of the holder should make forgery a futile activity.

  6. Bernie

    Article is confusing. Were these online transactions or were the cards “previously used at California DMV locations” as stated in the first paragraph?

    1. BrianKrebs Post author

      What’s confusing exactly? Read the first sentence…slowly

      The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving ONLINE payments for DMV-related services

      1. Bernie

        What’s confusing is that same sentence concludes with “cards that all had been previously used at California DMV locations” which sounds like they were swiped at a DMV office. Are you saying that online transactions were only compromised for cards that had previously been swiped at an office?

          1. Wile E Coyote

            We all make mistakes Brian, the Mrs. reminds me daily of all the A.C.M.E. stuff and where it’s got me so far.

            Do you got an opening for a Personal Assistant? huh pal?

            &^)

  7. lucy

    Mine got stolen in February from DMV when I renewed registration. Mastercard now shut down after my bank caught it being used.

  8. Greg

    Credit cards are pull type transactions. Pull transactions are high risk because it requires us to disclose sensitive access information to our account. Bitcoin and crypto currencies are push transactions requiring zero disclosure of any information at all. Bitcoin is much safer than the legacy fiat money.

  9. Wile E Coyote

    Hey folks…

    you can’t man in the middle my mailed in payment, and my mail box is booby trapped by A.C.M.E.

    Wile E Coyote…

    Super Genius!

    ;p

    1. Wile E Coyote

      oh… this gives a new meaning to the song by the Red Hot Chili Peppers ‘Californication’

      and Mrs. Coyote just informed me that we did in fact pay online, but being the Super Genius that she is, payment was made way before that time line.

      Wile E Coyote

      p.s. now my credit cards are all booby trapped by A.C.M.E.

      Super Genius!

      ;p

    2. timeless

      The USPS also has the USPIS, a law enforcement agency which afaik understands and does a pretty good job of working on cyber crimes too.

      1. femtobeam

        Very true!

        (see my comment above on the USPS) It was your comment I referred to. The USPS will be in the best position to create a safer exchange.

  10. mbi

    All this could have been avoided with one-time credit card numbers for online transactions that were used by card companies, notably Discover, and all later dropped. The one-time use number is an alias that the card company links to someone’s real number and in Discover’s case linked it to a particular vendor, too. If this was nationwide, stealing one-time credit card numbers would get thieves nothing. Instead credit card fees go up for businesses and consumers to cover the cost of fraud which is mounting. It’s the credit card companies that are short-sighted, looking at near term profitability and not the arc of costs that these policies are imposing on the economy.

    1. karen

      Not true that one time numbers used by credit card companies have been dropped. Citibank, BofA, Fidelity all have an app that allows the generation of a “virtual number” linked to a user’s actual credit card account that can be used one time only for a specific online transaction. I renewed my DMV registration last fall using a virtual number.

      1. Richard Goeken

        So let me get this straight. You want to use a one-time number generator app on a device that has NO track record for security as a solution? Hmm…. Think it over.

        1. JCitizen

          That is what I thought about it, no matter if it was an applet or in the browser; but when you think about it, it shouldn’t matter as long as it doesn’t introduce a vulnerability to the browser or operating system; because, if the scheme is implemented properly only the original vendor/merchant gets paid. Anyone else is left holding an empty bag (the crook – HA!)

          No personal information should be sent outside SSL of course – but then again – the applet approach can be disquieting.

  11. George Scott Hollingsworth

    Frequently checks are converted to electronic transactions. A check contains all the information necessary to execute an electronic transaction. The result is bank account drained. It will take a while to get your money back. Credit transactions are not your money transacted, it is the bank’s. I have transitioned to using credit transactions whenever possible. Cash is second choice. Check or debit is last choice and done as carefully as possible.

  12. Summamum

    Coincidence?
    I paid my CA DMV fees in early November 2013 using my American Express card.
    By late November I had to get the card replaced because my card information had been stolen. Coincidence? or is DMV the culprit?
    I got the charges reversed, but this was the second time my AX information had been stolen in 2013.
    Bottom line, it is not all that safe to pay for things online, especially using a debit card, which can be wiped clean of cash.

  13. chasm22

    I renewed by mail in February for one vehicle. I distinctly remember being sent to another website for card processing. If I’m not mistaken, all California government agencies use private companies for credit/debit transactions.

    My question is did they hack the DMV site to get to the other site or did they breach the company actually handling the transaction?

    IIRC, you had to pay an extra couple of bucks to use a credit card/debit card. I guess that was the profit for the private company. I assume that part of the profit they make would be employed to make their site secure and do all the other things that make privatization the darling of the anti-government crowd.

    Personally, I would really like to see where the blame lies. I know that the DMV doesn’t enjoy a good reputation, but I also know the target of this data breach was apparently credit/debit card information and I’m not convinced that it was the DMV’s fault that this information was obtained by the hackers. Like I mentioned before, to be able to even use your credit or debit card you had to agree to pay a surcharge to the company that processed the payment. It seems that part of that processing fee should have been used to secure the information given during the transaction.

    OTOH, if it turns out that the DMV had credit/debit card information stored in their computer system, that would seem to be a real scandal for them. The bottom line for me is did these guys break into DMV records as well as the company processing the payments?

  14. The Human Defense

    Spear Phishing or Phishing email? I predicted it with the Target breach, and unfortunately I was correct. Let’s see if it was that or again, another common human lack of awareness, proper site security allowing SQL Injection.

  15. The Human Defense

    Spear phishing or phishing? I predicted it with the Target breach, and unfortunately I was correct. Might be the other lack of awareness training issue, the SQL injection.

  16. TheOreganoRouter.onion.it

    It’s always blame the third party game when it comes to these types of breaches. It’s never “we take full responsibility for what happened since we are the company or state agency that you put your full trust in when it comes to payment processing.”

    1. MW

      Hear, hear!

      Unfortunately, due to decades of frivolous lawsuits, businesses today are very careful to avoid admitting responsibility for anything in general. Although, that does come with a corollary that when they DO guarantee something, promise something, or admit responsibility, the court system is fairly reliable about actually holding them financially accountable for their promise. So I suppose I prefer the current scene to an alternative situation where they could promise anything, fail to keep their promise, and have absolutely no consequences.

      But it is especially irksome seeing this kind of irresponsibility when it comes from a legal monopoly…a taxpayer-funded government department with no competition.

    2. SeymourB

      Welcome to the wonderful world of outsourcing.

      In ye olden days the buck stopped here, because there was nobody to blame besides the criminals. Now the buck gets passed to whoever was the lowest bidder for the contract. Which, due to the low bid, can mean the operations are handled with less than stellar security, reliability, etc.

  17. JATny

    You know, this brings me to an issue that has bugged me since I lost my NY driver’s license and also when I needed it renewed. In NY, you only have to order a new license by mail via the internet, pay by card. My lost license I had sent to a new address that wasn’t even on the DMV file yet, but no problem. I didn’t have to show up anywhere with any new proof of ID. This was a far cry from the frustrating, but more secure, old days when you actually had to go to the DMV and show them, like, 12 different forms of identification. For renewal, I went physically to the DMV because the office was nearby, but I’m pretty sure I had the option to renew online.

    1. JCitizen

      Fer sure! Timmy the terrorist issues anyone? I’m disturbed too!

  18. JATny

    Okay, I have to back up a little bit on my comment above. You can renew and replace NY driver’s licenses completely online, but they do ask for a fair amount of info, and you have to update your current address etc. Eye tests can be sent in via an approved eye test provider. Still, it’s nothing like having to look the DMV personnel in the eye and present proof of your existence 12 different ways!

    1. JCitizen

      Dang! You had me excited there for a moment! Or maybe still!! :O

  19. doug

    Elavon is probably not the culprit.

    This agreement may not be what the CA DMV uses. It specifies that cards may not be charged a fee for using them instead of paying cash. It allows a discount for cash. I’ve used the DMV to renew my license and it doesn’t offer a discount for cash. It states a price for ACH (cash equiv) and a surcharge for credit cards.

    This agreement is more typical of CA entities that may be selling things directly as merchandise.

      1. doug

        It could well be Elavon. Even though the agreement linked wouldn’t apply to DMV transactions if the state uses them in one sector they are more likely to use the same vendor in another. That said, I would expect more than CA govt. transactions to be compromised if it was on Elavon’s (or whoever the vendor is) side.

  20. JJ

    Elavon, huh? They charge their merchants like $25 a month if they have not proved PCI compliance. Now they can use that little revenue stream to pay for their own PCI woes.

  21. nobody's home

    If ELAVON was the problem, then the problem is bigger than you think. They’re a payment switch.

  22. Lisa

    Dear Brian:
    Can we please get the Right-Wing troll, JCitizen, shut down? His comments are neither helpful nor constructive & are only serving to drive helpful & constructive contributors away from the discussion.

    Now regarding the article:
    Very good reporting as always, Brian. Thank you. As more & more of these breaches are revealed I’m consistently amazed at the willingness & ease with which people continue to hand over their forms of electronic payments. Any time a form of electronic payment is used the risk is inherent & if a form hasn’t yet been hacked/breached it’s only a matter of time. These incidents are challenges to be conquered & then profited from. I don’t advocate going off grid by any means but for crying out loud don’t use a debit card. There’s not near the protection plus crooks can easily wipe out your entire savings/checking account balance.

    1. Canuck

      Agree with above on the troll comments. Not the place for what he’s pushing.

      And Brian – still waiting on your scoop on the Cryptolocker gang.

      1. JCitizen

        You are all correct that I am going way off topic and getting into political things I have no business doing here on KOS; I will attempt to restrain myself in the future – but I’m not used to that everywhere else I post. I try – out of respect for Brian and his professional readers. Thank you!

        1. JATny

          Don’t lose all your fun, JCitizen. We know that you know your stuff. Not every comment has to be bathed in gravitas. And, frankly I find calling someone a troll to be itself a little boorish, no matter what wing they’re on. Still, this is one of the few places that we can share and talk about these net/tech/cyber security issues, and there are other places for the political bash game.

          1. JATny

            Thanks JATny! I’ll try to stick to the issues at hand; I’ve appreciated your contributions here on KOS as well! I guess I’m too used to the way things fly on ZDNet, but no point transferring that kind of ambiance over here – in fact that forum can be frustrating for lack of pointed discussion. 😐

          2. femtobeam

            Agreed! This is well said. Different people have different opinions. It is about the technology here, and though it is difficult to separate Governments from the mix, when there are state sponsored attackers in China and elsewhere, in addition to a new Cyber division of DoD. Each branch of the Government is engaged in it, but from the looks of it, they are also trying to defend themselves from attacks.

            The point about illegal activities by companies is often completely obscured. For example, the illegal practices of the banksters in setting up these fraudulent loopholes, like the bailout, Madoff, and Enron. Of course, this was preceded by the practices of former AG Edwin Meese on the Promis and Promise software. There is also all the blame against the NSA for what Snowden himself said was a failure of subcontracting. It was about Carlyle Group. Now we hear about this breach of the DMV in California from Brian Krebs and it has nothing to do with either. It is another company, Elavon.

            I learn a lot on Krebs, even from those with opposite views. His apology is good enough for me.

  23. Ron G.

    Brian, if you keep this up, you’re going to find yourself with a highly lucrative job offer from VISA and/or Master Card. Of course, buried down in the fine print of the employment contract, there will be a small clause requiring you to permanently STFU with respect to CC breaches. (Or perhaps they’ll just arrange for you to receive some of those special Alexander Litvinenko cupcakes. 🙂

    Like most folks, I have multiple credit cards, but I only use them rarely, for online purchases (where they are essentially unavoidable) and for the occasional big-ticket purchase. As a direct result of your reporting on Target, and now this DMV thing, I’m going to try to avoid all such uses as much as possible, going forward… and I suspect I’m not alone.

    Thanks much for your reporting of these incidents.

    P.S. As a resident of the Golden State… albeit one who is unaffected by this breach… I *really* would appreciate it if you could do some dredging on (and then some reporting on) the contract that the state has in place with this CC processor. For Californians, we have three obvious and immediate questions: (1) Why the bleep did our nitwit government officials hire an out-of-state company to do this work? I mean are there really no deserving *California* companies that could have done this same work? (2) Does the contract allow the state to now fire this incompetent CC processing company and hire a different one? (3) Does the contract allow the state to obtain from the processing company any reimbursement or compensation for the costs, to Californians, of this processing company’s sizable screw up?

    Given the way private enterprise routinely hoodwinks (or corrupts) governments at all levels, I would not be the least bit surprised to find that the state has absolutely no recourse, under the contract, in this case. I would be outraged, but not surprised.

  24. wiredog

    This site is getting to be greatly in need of comment moderation.

  25. IA Eng

    I think I remember reading here – or maybe somewhere else, that some of the “identity source codes” within IDtheft sites had DMV or something close to that. Maybe they just found one of their leaks.

    I am sure there were others involved. I’ve seen a few DMV sources on databreaches.net in the past where a few thugs got arrested for their part in PII theft.

    As long as this sort of thing is more popular than well paying jobs – and people are willing to work – this sort of action will continue to happen because there is no fixed firm sentencing for this.

    The crooks that used to raise a gun to the teller now realize that they can probably have a better shot of doing just a little more work to get the same result, and in the end, have a 50 / 50 chance or less at being caught.

    1. BrianKrebs Post author

      This story has been updated multiple times. For those of you who are coming here to point out that other publications are saying it’s Elavon — that was first reported here. Please read the full story and the updates.

      1. timeless

        I think Khürt was trying to ask if it affected other Elavon customers.

        There’s a difference between a breach at the DMV which happens to use Elavon and a breach at Elavon which happens to service the DMV.

        And theoretically, the breach of Elavon could be such that it didn’t affect customers other than the DMV.


        http://www.prnewswire.com/news-releases/block–leviton-llp-investigates-possible-credit-card-breach-at-california-department-of-motor-vehicles-251938571.html

        Block & Leviton LLP, a Boston-based law firm …
        seeks to determine, among other things, whether the California DMV’s third-party credit-card processor, Elavon, Inc. (a unit of US Bancorp), acted negligently, or otherwise breached any duties owed to California DMV customers.

        So, at least one entity thinks that the blame is with the processor.

        Your article doesn’t seem to assign blame (which is perfectly reasonable) – it merely identified the involved parties.

        1. BrianKrebs Post author

          All good questions. If I had answers to any of them you would see another story up on the site already about it.

          1. iarem

            Well, instead of being snippy to your readers [read: customers], you could make the initial story clear that you do not know which exact type of breach it is. Your reply makes me not want to visit your site again-and this is my first time.
            Then again, I suppose you have plenty of visitors, so no big loss…

            1. snippy

              haha. learn to be less sensitive, because everyone else in these comments can be just as snippy. lol

            2. merai

              Hey Krebs, how come you don’t know everything about this breach already? WTF? You don’t know who’s responsible yet? Sheesh. Get to work!

  26. Jason

    Folks, this is why we should go through the hassle to use one-time credit cards with limits when making online purchases. Bank of America’s ShopSafe feature supports this (they obtained it when they purchased MBNA). I only use my BofA account with this feature, and never even carry the physical card with me in person.

    CitiBank’s feature is almost as good, except it doesn’t (or didn’t, I closed my account after repeated breaches when I hadn’t even used the account after they had just re-issued my card and I’d not even used the card yet) allow you to set a cap on each temporary card, nor do they let you track where each temporary card was used (all you can see is the normal list of uses on your statement, but not that it was associated to a temporary card no.). But it does at least let you set short (2 mos.) expiration dates, which limits the risk (but not so much, it seems these days).

    1. Adam S.

      Citibank does allow you to set max spending amount per number. It may not be immediately obvious; you need to click “advanced options”.
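
The one-time numbers discussed in comments 10 and 26 (an alias linked to the real account, locked to one merchant, with a spending cap and a short expiry), sketched from the issuer's side as an added example that is not part of the original comments and not any bank's actual implementation. Class and field names, the `VC-` token format, account label, amounts and dates are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VirtualCard:
    real_account: str            # issuer-side link only; the merchant never sees it
    cap_cents: int               # total spend allowed on this alias
    expires: date
    single_use: bool
    merchant: Optional[str] = None   # locked to the first merchant that charges it
    spent_cents: int = 0
    uses: int = 0


class Issuer:
    """Hypothetical issuer that maps virtual numbers to real accounts."""

    def __init__(self):
        self._cards = {}

    def issue(self, real_account, cap_cents, expires, single_use=True):
        alias = "VC-" + secrets.token_hex(8)   # constructed token, not a real PAN format
        self._cards[alias] = VirtualCard(real_account, cap_cents, expires, single_use)
        return alias

    def authorize(self, alias, merchant, amount_cents, today):
        card = self._cards.get(alias)
        if card is None:
            return "DECLINE unknown number"
        if today > card.expires:
            return "DECLINE expired"
        if card.single_use and card.uses >= 1:
            return "DECLINE already used"
        if card.merchant is not None and card.merchant != merchant:
            return "DECLINE merchant mismatch"
        if card.spent_cents + amount_cents > card.cap_cents:
            return "DECLINE over cap"
        # All checks passed: bind the alias to this merchant and record the spend.
        card.merchant = merchant
        card.spent_cents += amount_cents
        card.uses += 1
        return "APPROVE"


def demo():
    """Replay of stolen virtual numbers after a merchant-side breach (constructed data)."""
    issuer = Issuer()
    one_time = issuer.issue("ACCT-0001", 10_000, date(2014, 1, 5))
    recurring = issuer.issue("ACCT-0001", 5_000, date(2014, 1, 5), single_use=False)
    return [
        issuer.authorize(one_time, "STATE OF CALIF DMV INT", 9_000, date(2013, 11, 5)),
        issuer.authorize(one_time, "OTHER-SHOP", 2_000, date(2013, 11, 20)),
        issuer.authorize(recurring, "MERCHANT-A", 3_000, date(2013, 11, 6)),
        issuer.authorize(recurring, "OTHER-SHOP", 1_000, date(2013, 11, 20)),
        issuer.authorize(recurring, "MERCHANT-A", 2_500, date(2013, 12, 1)),
        issuer.authorize(recurring, "MERCHANT-A", 1_000, date(2014, 2, 1)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Every replay of a number copied from the merchant is declined on at least one control, and the real account number never appears in any merchant-side record.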

Comments are closed.