This article originally appeared in Journal of Cyber Policy on September 18, 2018
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
“The rising number of data protection laws should give agencies pause about whom they entrust citizens’ data and their networks to.”
Terry Ray, CTO of Imperva:
“As Brian Krebs says, “Although fixing these information disclosure vulnerabilities is quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and fix them,” these are basic web application coding practices that I’ve seen since the early 2000’s and should not happen. In the early days of the 2000s, as Brian would say, the aughts (had to look that up myself), I found even some banks would use sequential account numbers without validation on their web applications returning very similar results. Most of these were corrected more than a decade ago.
“Given that Govpaynow.com is a managed payment gateway providing online electronic payment services for 3rd party web sites and has a PCI DSS stamp on their web page, I know they have completed at least one PCI audit (Payment Card Industry). These audits are supposed to verify that companies taking and storing credit card information perform ‘routine’ code and vulnerability reviews on their applications. This particular problem would not likely have presented as a vulnerability in most cases, but should have presented under poor coding practices. The most recent versions of the PCI regulation further requires that where web application problems and vulnerabilities are found, they must be corrected.
“I don’t know where the break-down in the process was for Govpaynow.com, but something definitely didn’t happen as it should. Web site usage or attacks of this type, whichever you prefer to call the situation, are avoidable whether it be through rewriting the code or the more common use of modern web application firewalls that validate cookies and prevent input injections and URL tampering.”
Chris Olson, CEO of The Media Trust:
“Hackers target government websites for three reasons. First they draw thousands, if not millions, of users who enter sensitive, personally identifiable information in order to access services or make payments. Second, they are often poorly defended as a result of limited budgets and the preponderance of legacy systems, machines, and software. Third, their digital third parties also often have inadequate security measures and practices.
“As the GoPayNow.com incidents show, third parties are a frequent attack vector. Agencies should put in place a robust digital vendor risk management program that includes the following components: (1) carefully vetted third parties’ security capabilities, reviews, and histories; (2) periodical conducted security audits of third parties once they are on board in order to have an updated risk profile for each; (3) ensure third parties’ risk profiles are appropriate for the extent of their access to the network and data; (4) continuous, real-time scanning of their websites and mobile apps to ensure that only authorized third-party activities are allowed to execute. Such a program would have enabled agencies to downgrade vulnerable third parties’ access levels, if not terminate them altogether. The rising number of data protection laws should give agencies pause about whom they entrust citizens’ data and their networks to.”
Nishant Kaushik, CTO, Uniken:
“Another day, another data breach, another reason to stop relying on personal information as part of your security processes. While it may be technically true that the receipts “do not contain information that can be used to initiate a financial transaction”, the most common usage of this kind of leaked data is to take over access to online accounts, either through the call center or through password reset processes, and then use the taken over account to commit financial fraud. Organizations need to switch to more secure omnichannel authentication mechanisms that do not rely on PII to mitigate the threat of data breaches.”
Pravin Kothari, CEO of cloud security vendor CipherCloud:
“Recently acquired by Securus Technologies, a Carrollton, Texas-based company, GovPayNet is a major provider of credit and debit card payments to government agencies. They process millions of payments annually to over 2,600 agencies across the United States. This past month their website GovPayNow.com exposed what has been described as at least 14 million customer receipts dating back to 2012. Securus has had other issues with cybersecurity over the past few years including the misuse of a service that tracked convicted felons’ cellphones, hackers penetrating this same system and subsequently stealing logins and legitimate credentials, and finally another flaw in May that allowed unauthorized access to accounts by guessing answers to the security questions.”
“All in all, many of these flaws are simple to find and fix. That’s not the issue. The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all. With increasing numbers and an escalating volume of persistent attacks, at some point attackers will get into your network. It is really unavoidable. Best practices today position safekeeping of your data, at all times, in a pseudonymized form. This might be achieved using technologies such as encryption and tokenization. If end-to-end encryption is used then the data would be well protected all of the time – in use, at rest (in the database), and in transit (middleware, network, API, etc.). This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”