Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.
When contacted by this author on Dec. 15, Atlanta-based Park ‘N Fly said that while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected. A portion of their statement reads:
“Park ‘N Fly (“PNF”) has become aware of a security compromise involving payment card data processed through its e-commerce website. PNF has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation. The data compromise has been contained. While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF’s e-commerce website is at risk. The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.”
The Park ‘N Fly homepage now includes a conspicuous notice stating that the Web site is temporarily unable to process transactions and directs customers to a 1-800 number for reservations.
Reading the Park ‘N Fly disclosure made me wonder if anything had changed over at OneStopParking.com, a Florence, Ky.-based competitor that KrebsOnSecurity reported Dec. 30, 2014 as the likely source of another e-commerce breach. Reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken into its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.
Ghanem said his firm is in the process of notifying affected customers.
Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases, because an online order never transmits the magnetic-stripe data a counterfeit card needs. However, most carding shops that sell stolen card data in the underground market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.
The stolen CVVs traced back to both Park ‘N Fly and OneStopParking.com were among thousands for sale in large batches of card data being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot, Target, Sally Beauty, P.F. Chang’s and Harbor Freight. The card data in both batches ranged in price from $6 to $9 per card, and included the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.
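As an added illustration (example code, not from the KrebsOnSecurity post): the magnetic-stripe record a “dump” carries follows ISO/IEC 7813 track 2, and parsing one shows why the two kinds of stolen data support different fraud. The track-2 string and card numbers below are constructed test values; the service-code tables are the standard ISO/IEC 7813 meanings, and `fraud_channel` is a hypothetical helper that classifies a stolen record by the fields it contains.

```python
# Added example, not code from the KrebsOnSecurity post: parse an ISO/IEC 7813
# track-2 record (the payload of a magstripe "dump") and show which fields it
# carries. All card numbers here are constructed test values.
import re
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Validate the ISO/IEC 7812 Luhn check digit on a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# ;PAN=YYMMSSS<discretionary>?  (start sentinel, separator, end sentinel optional)
TRACK2_RE = re.compile(r"^;?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??$")

# Meaning of the three service-code digits (ISO/IEC 7813).
SC_INTERCHANGE = {"1": "international", "2": "international, chip preferred",
                  "5": "national only", "6": "national only, chip preferred",
                  "7": "private/bilateral", "9": "test"}
SC_AUTH = {"0": "normal", "2": "online authorization required",
           "4": "online authorization required except under bilateral agreement"}
SC_SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
               "2": "goods and services only", "3": "ATM only, PIN required",
               "4": "cash only", "5": "goods and services only, PIN required",
               "6": "no restrictions, PIN if PED present",
               "7": "goods and services only, PIN if PED present"}


@dataclass
class Track2:
    pan: str
    exp_yy: str
    exp_mm: str
    service_code: str
    discretionary: str  # issuer-defined: PVV and CVV1 live here; CVV2 never does


def parse_track2(raw: str) -> Track2:
    """Split a track-2 string into its fields, rejecting malformed records."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a track-2 record")
    pan, yy, mm, sc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if not 1 <= int(mm) <= 12:
        raise ValueError("bad expiry month")
    return Track2(pan, yy, mm, sc, disc)


def describe_service_code(sc: str) -> dict:
    """Decode the service code; unknown digit values are reported as such."""
    return {
        "interchange": SC_INTERCHANGE.get(sc[0], "unknown"),
        "authorization": SC_AUTH.get(sc[1], "unknown"),
        "allowed_services": SC_SERVICES.get(sc[2], "unknown"),
    }


def fraud_channel(record: dict) -> str:
    """Hypothetical helper: which fraud a stolen record supports, judged only
    by the fields it holds. `record` maps field names to values."""
    if "track2" in record:
        return "card-present (encode onto new plastic)"
    if {"pan", "expiry", "cvv2"} <= record.keys():
        return "card-not-present (online purchases only)"
    return "insufficient for either"


if __name__ == "__main__":
    dump = parse_track2(";4111111111111111=2512101123456789?")
    print(dump, describe_service_code(dump.service_code))
    print(fraud_channel({"track2": ";4111111111111111=2512101123456789?"}))
    print(fraud_channel({"pan": "4111111111111111", "expiry": "1225",
                         "cvv2": "123", "name": "J Doe"}))
```

The discretionary data is where an issuer places the CVV1 that a terminal reads from the stripe, and it is never typed into a web form; the CVV2 printed on the card is never on the stripe. That is the whole reason a “CVV” record from an e-commerce breach cannot be turned into working plastic, and a “dump” from a point-of-sale breach does not by itself enable online orders.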
Predictably, Park ‘N Fly is offering affected consumers 12 months of free credit monitoring services, even though credit protection services generally do nothing to detect or prevent fraud on existing accounts — such as credit cards. For more on what credit monitoring services actually do (and don’t do) check out this primer.
Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.
Good article
Error message
“You are posting comments too quickly. Slow down.”
I appreciate getting updates and info from you. I wish the average person today would grasp what an incredible problem Cyber-Security has become.
Yes!!! That’s exactly how I feel as well. And whenever I try to educate people about this stuff I feel like they think I’m a freak or that I’m paranoid or overreacting…
LEL. OK. Because that’s just what people want: uninvited “education”.
Ramble to people about TV shows they don’t care about and nobody cares, but dare to mention security and you are now a paranoid freak, especially if you try to talk about blogs like this or, god forbid, read 2600 at school.
He speaks my words. I have been looked at like an alien when I make similar suggestions.
The most interesting part is the compromise of CVV. Either the attacker was able to grab data mid-transit from the eComm site, or, PNF is violating a major card network rule and storing CVV.
It’s not really that interesting. As I’ve noted before in these e-commerce breaches, think of it like a bot on a home user’s PC. Anything that user types into a form on a web site is going to get stripped out and saved and sent to the bad guys. This attack is similar, only it targets the Web server and strips out content the customer/visitor types in and records it. They weren’t storing CVVs; the CVVs were being stripped in real time.
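The two comments above turn on whether the CVV2 was captured in transit or stored; PCI DSS forbids keeping sensitive authentication data (full track data, CVV2, PIN blocks) after authorization, and it also forbids keeping the PAN unmasked where it is not needed. The following is an added example, not code from the post, from either company or from any commenter: it scans application log lines for exactly that data. `SAMPLE_LOG` is constructed, and the regexes plus a Luhn filter are assumptions about what such a check needs.

```python
# Added example, not from the post or either company: scan payment-application
# logs for card data that PCI DSS says must never be stored after authorization
# (full track data, CVV2) and for PANs written out unmasked.
# SAMPLE_LOG is constructed; no real card numbers appear.
import re


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit; drops timestamps and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# cvv=123  "cvc2": "1234"  csc:123  (the value is matched but never echoed back)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc|cid)\b[\"' ]*[:=][\"' ]*\d{3,4}", re.I)
# ;PAN=YYMMSSS...  (ISO/IEC 7813 track 2)
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}\d*\??")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_value) findings for one log line."""
    findings = []
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):  # Luhn failure means it is an order ID, timestamp, etc.
            findings.append(("PAN", mask_pan(pan)))
    if CVV_RE.search(line):
        findings.append(("CVV2", "***"))
    if TRACK2_RE.search(line):
        findings.append(("TRACK2", "<redacted>"))
    return findings


def scan_log(lines) -> list:
    """Return (line_number, kind, masked_value) for every finding in the log."""
    out = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            out.append((n, kind, value))
    return out


SAMPLE_LOG = [  # constructed lines, not from any real system
    "2015-01-13 10:02:11 POST /reserve 200 user=alice cardnum=4111111111111111 exp=12/25 cvv=123",
    "2015-01-13 10:02:12 order_id=20150113100212 status=ok",
    "2015-01-13 10:02:13 swipe track=;5555555555554444=2011101123400000? lane=3",
    "2015-01-13 10:02:14 GET /index.php?option=com_content 200",
]

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

Line 1 is the case the commenters describe: a request log that captured a form field it should never have seen. Line 2 shows why the Luhn filter matters, since the 14-digit order ID would otherwise be reported as a PAN. Findings never include the matched value itself, so the scanner does not re-create the problem it is looking for; treat hits as leads to be confirmed on the host rather than proof by themselves.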
My credit card was hacked very soon after reserving parking at Park N Fly. Fortunately my card company caught it right away and declined all the charges.
I still believe companies are often unable to protect themselves, and privacy notification rules aren’t overwhelmingly going to help. American Airlines is now joining the same notification club: FBI has already been informed, yet again. Notifications will be sent, yet again.
Why not move some of the massively duplicated security protection out to the big pipes? I assume duplicated security is implemented 1000’s of times among all the 1000 largest companies, etc (in addition to massive amounts of duplication at smaller companies). Yet, the same likely known attribution signatures are reused on the way to the next victim.
I’m not meaning get rid of local security measures; but mandate duplicating some of it out to the big pipe (e.g. clean pipe) providers. Too many are mostly playing a pass-along-the-trash implementation to the next victim (organization and individuals).
huh?
It’s because security is almost as hard to understand as your post.
Thank you Brian, as always, for excellent info. I wanted to clarify one thing – “cards stolen from online transactions can only be used by thieves for fraudulent online purchases”. Can you confirm that I am reading this right – any “card not present” breaches will not supply enough info to produce a physical card that can be used in brick and mortar store?
If this is the case- it will greatly assist us in managing fraud disputes.
Out of curiosity -can you please elaborate as to what other information is needed to encode magstripe. I understand that track one contains service code and other info as defined by the issuer. Does it mean that whenever “card present” transaction is being authorized, all info from track 1 (or 2) needs to be present and valid?
The difference between the various CVV codes is interesting, so I’ll fill in a little info. The “CVV1” code is encoded on the magstripe, but is not printed on the card. So this is what Target style “dumps” have, being used to make fake cards. The “CVV2” code is printed on the card but is not on the magstripe. So that’s the number you enter for CNP transactions, and it’s stolen by, for example, breaking into the vendor web site. Having these two separate codes is a teeny bit of intelligence in the otherwise idiotic magstripe card system! Search wikipedia for “CVV” for more info.
So, OneStopParking.com, just like Sony, how’s that cheaping out on IT support working out for you? In retrospect, do you wish you’d have bitten the bullet and pulled people in who could fix your failed update to a secured Joomla?
In retrospect, are we really that expensive? Seriously.
That is a serious oversimplification. From September to December – how do you know they were not pulling in experts? 3 months is a very short time to understand and fix an issue without compounding the problem by rushing in bad code.
I don’t think so. Developers don’t need to be on-site to fix broken systems. We’ve been doing remote access for a long time now. Call the headhunters or beseech the community, find the people you need, and you’re off. Give ’em access, and stand back.
If this bunch had their stuff together, they’d have been using a source code mgmt. system, and once this popped up, they’d just roll back to an earlier version which worked. Then they could find out what’s wrong with their current version.
Cheaping out is SOP with far too many ops these days. It’s short-sighted. You don’t get robust by cheaping out.
Once again, I remind you that they had just 3 months. That is a very short time to obtain talent – even if you are using outside consultants. Your post also implies that any ol’ computer technician or developer will do. In real life that simply isn’t true. Thus, your solution oversimplifies the actual challenges.
“Once again, I remind you that they had just 3 months. That is a very short time to obtain talent – even if you are using outside consultants.”
BS.
“Your post also implies that any ol’ computer technician or developer will do.”
Any capable developer would do. I’ve never even seen Joomla, but I know the concepts and I can read documentation. Three months is a long time for me. I doubt I’d have trouble ramping up to handle it.
“In real life that simply isn’t true. Thus, your solution oversimplifies the actual challenges.”
I believe you’re oversimplifying, not me. This isn’t rocket science for typical codehounds/geeks. We’re used to dealing with !@#$ like this. Failed upgrades happen (depressingly) all the time because our bosses tend to cheap out on necessities they believe they can afford to do without.
We get to clean up the resultant mess. It’s a living.
So the web site is written by people who don’t really understand what they are doing and rely on a Content Management System (Joomla) to paper over their ignorance.
Should this approach be acceptable from companies that take payments?
Couple things here. Makes me wonder if KrebsOnSecurity isn’t responsible for a couple attacks as they’re conveniently able to display what stolen credit cards (CVVs) look like from a stolen card page.
Secondly, I find it disturbing that the author mocks the measures the victimized company is offering customers. It’s the same measures that Home Depot offered too. And it’s obvious that Park ‘N Fly is working on added measures as they’ve taken their site down until they’ve fixed the problem, which is costing them added revenue too. — Haters will Hate.
Troll much, Michael?
Okay, I’ll bite. You got me, Michael. I’m stealing these cards. That’s how I’m getting the scoops. Yep.
Secondly, just because Home Depot and every other company that suffers a credit card breach offers free credit monitoring services for a year to affected customers doesn’t mean it’s the proper response. It’s the only thing they can do to save face immediately, but in some senses it’s counterproductive.
Credit monitoring services do not address the problem that caused them to offer these services to their customers in the first place. Worse, they give consumers a false sense of security because most consumers are so financially illiterate that they don’t understand that these services will not help them detect fraudulent charges on their credit cards. Also, credit monitoring services in general deter people from taking more proactive steps to protect their identities and credit files from being hijacked, such as regularly ordering and reviewing their credit files and placing a freeze or fraud alert on their files.
Here’s what the credit monitoring services should catch:
1. Change of your address to a scammer’s address.
2. Opening new credit cards in your name. With a $12,000 limit per card, a lot of damage can be done here.
3. Writing contracts in your name. That BMW that you just bought for $75,000 (not!)? They should let you know about that.
You can easily check for invalid charges on existing cards yourself. These other things: Not so much.
Let’s not forget that you’re not going to get that alert until after those accounts have been opened and most likely a balance has been added. The monitoring does not stop the theft nor does it fix it. The breached companies would be better off advising folks to place 90 day fraud alerts on their credit files. They are free and actually work to stop the account from being opened in the first place. If you think a store is going to wait to open a new line of credit until they get permission from LifeLock or someone else, you are sorely mistaken. They open the account, LifeLock sends the alert a few days later, and then you still have to deal with the issue.
@BrianRules: Agreed, it’s after the fact. I don’t do the credit lock but would if my account were ever abused.
Of course it’s Brian stealing all those cards!
He logs on to the carding shop to, oh wait he’s actually BUYING all those cards. Dang I wish I had the kind of money Brian has to buy stolen cards and then write about it.
What a total Loon!
I find your analytical abilities disturbing. I bet you see conspiracies everywhere that less, er… “open-minded” people do not, right?
re:”[…] mocks the measures the victimized company”.
The “victimized” company was using Joomla! Free PHP known to have many flaws. Sounds to me like the company was too cheap to hire professionals to build a secure website. I can only imagine what their “security” budget was. Any company that decides to go the cheap route can expect to be hacked, it’s only a matter of time. Pay now or pay later.
Mind you, I’m not complaining. Companies like this make me more valuable every day.
Robert M wrote an excellent comment above.
“The “victimized” company was using Joomla! Free PHP known to have many flaws. Sounds to me like the company was too cheap to hire professionals to build a secure website. I can only imagine what their “security” budget was.”
::facepalm::
+1
…and quoted for truth.
LOL, what security budget?
The infiltrators probably had a field day once they discovered Doomla – er, Joomla was being used for PHP on their website.
Really, Michael? Brian will defend himself but your comments are simply weird… strange… and smell of a potential nepotistic relation with certain parking companies? Brian simply stated that credit checking is useless and does NO good in protecting customers. Maybe somebody else should read Brian’s articles to you so that you really hear what he’s saying… I read NO hate in his articles.
Hey Michael,
What position do you hold at Park ‘N Fly? Curious minds would like to know your relationship to the company….
The victim here is the people who trusted these companies to spend the appropriate money on I.T. and security. Joomla!? Really!?
Seems quite likely that the Park ‘N Fly backoffice is using the SAME infrastructure on which the leaky website was built to capture and process reservations called into the 1-800 number. If so, then I wouldn’t put much faith and trust in the safety of any CC data used to make reservations that way, either. Just sayin’…
Pretty much every government in the world [as far as I know] requires drivers of motor vehicles to have a driving licence before being permitted to drive. Airline pilots have to have licences and type approval ratings before being allowed to fly. Banks have to have government-issued licences before being allowed to operate as a bank…
Yet anyone can set up a web site that can ask for pretty much any piece of information from visitors, can capture Personal Information and/or process financial transactions, yet as far as I’m aware, no government requires such site owners to meet a minimum security standard, or indemnify anyone registering with the site against subsequent identity theft or similar damages.
I’m interested to know if people think that this situation will remain as-is [in which case any attempts at redress may be restricted to personal or class-action lawsuits in jurisdictions that support such], or whether governments will be forced to legislate that those responsible be forced to compensate and indemnify their victims.
Where is the line between “bad luck” and “criminal negligence?”
Or perhaps in the first instance we’ll see something equivalent to an internet “quality mark” that sites who are regularly “pen tested” by qualified white hat hacking companies [and can provide test results to prove a clean bill of health] can display, something analogous to a “you can trust us” banner?
I ask this multi-part question because we seem to be in a “rinse, repeat” cycle. Company A gets hacked. Customers suffer. Company B gets hacked. Ad nauseam.
Anyone care to speculate on what it would take to force a little more collective responsibility on the web community?
CP, you seem to be assuming it is possible to have hack-proof systems. Every system is hackable.
There are “quality marks” (McAfee Secured, etc), offered by various security companies, but they are useless. You’re allowed to display the mark if you “pass” the vulnerability test. Even if you don’t “pass” you’re given a buffer to mitigate the finding without taking the mark down. You can honestly leave the mark on your site indefinitely. The only way you can be forced to remove it is through a lengthy court process.
As for bad luck vs criminal negligence. There are some attempts to define this, such as PCI-DSS, but this just leads to companies doing just enough to meet basic PCI standards, and nothing else. I could argue that is negligent.
CP: And TRUSTe, Norton Secure, et cetera. I’ve found little use for seeing them though, like Caffeineguru mentions.
My more trusted sources besides “quality marks” are not seeing organization websites as having a breach or being on more trusted blocklists.
I first learned about you on 60 minutes and love everything that you are doing. I wish the government allocated money in helping fight this crime.
My “AllClearID” service (thanks Home Depot) called me with the first alert I’d received since inception. After struggling with their automated call system not working at all with my home phone, I finally got their login process to call my cell phone and was able to enter my PIN on the phone and log me in.
Their web system told me NOTHING about the activity that their other phone call had tried to alert me to. The only thing I can do is update my profile and extend my “subscription” for another year. There doesn’t seem to be a way to check the status of their monitoring in any fashion.
At least the service was free….
I’m a little scared now…
How did you know that AllClearID was calling and not a scammer pretending to be AllClearID?
Assuming that your PIN is the only private information about you, and that your name, address, and phone number are public, it’d make for an interesting phishing attack.
Note that it could be run as a MITM attack, so your information could be sent by the scammer to AllClearID for verification…
I’m assuming that the PIN is valid for both Phone and Internet access…
Fwiw, I’m with Brian on the side of “Credit Monitoring is useless for credit card information breaches”.
Credit Card monitoring should be the job of the credit card issuers, and if they fail to do their job, they should be liable for all costs + additional fines and penalties (new laws / rules probably should be created for this).
As for Credit Monitoring, citizens / residents of countries should freeze their credit in their respective countries. Each country with credit reporting bureaus should pass a law limiting the cost for freezing to ¤5 (five local currency units [$,€,£,¥,₩,₪,₹,₺,₽,…] — or inflation adjusted to the cost of a fast food breakfast) per bureau with the same fee ceiling for temporary thaws.
As a general rule, you shouldn’t reply directly to unsolicited email or phone calls (technically this applies for postal mail too…). Instead you should use the contact information you already have or can get via a different trusted path to reach the contacting party.
Note that both Caller ID and the sender email “from” address / reply-to address (and postal mail) can be forged. — Think about the return address on an envelope — you can write anything you like there; it’s customary to put correct information so that someone can recognize you, but it’s also customary for scammers to provide information matching (or appearing to match) the entity they’re pretending to represent.
Krebs, I categorically demand that you cover the ongoing Ross Ulbricht / “Dread Pirate Roberts” Silk Road trial.
The twists! The turns! The excitement! 🙂
Also send any spare Bitcoins to:
1KrebsccWaYJU1z4ZYaEX6aJChrwucMhUi
heh.
My blog will show that Home Depot employees can go into the POS system and look up your full CC info. Go to http://www.hdpos.blog.com This happened to me