The parking system cyber attack: 2 cities, 2 stories
Parking fine servers in Ames, Iowa, and Saint John were targeted by hackers
They are two cities of similar size, both victimized in the same cyber attack.
But Ames, Iowa, a 26-hour drive from Saint John, had a much different experience after the attacker slipped malware into its parking fine server.
"We were lucky, absolutely we were lucky," said Susan Gwiasda, the midwestern college town's public relations manager. "We were fortunate in that we had a customer who said, 'I only used this credit card to pay for these [parking] tickets and I immediately got fraudulent charges.'"
Gwiasda said the malware had been on the city's server for a matter of weeks before it was caught.
Notice letters were then sent to more than 3,000 motorists who paid tickets over a 12-week period beginning last August.
The city, she said, did get advance notice of a potential problem from CentralSquare Technologies, the owner of the Click2Gov software, but it arrived during a staff change in the municipality's IT department.
The notice, saying the system was vulnerable and recommending upgrades, was not taken seriously.
"What we needed to do to fix the vulnerability was not expensive, it was a matter of switching servers. Had we known that it needed to be done immediately we would have. So there was some disappointment," said Gwiasda.
After switching servers, Ames had its online payment system back up in just two days.
Different story in Saint John
Saint John officials say the malware sat unnoticed on its parking server for a full 18 months.
On Nov. 16, they too got an alert from a member of the public claiming false charges appeared on his bill statement after paying a parking fine.
City staff alerted CentralSquare Technologies, owner of the software used by both cities.
The company scanned the Saint John system and found no evidence of the malware.
Saint John IT staff eventually learned their server had been breached not from the software owner but from an online IT industry news story.
Names, addresses, credit card numbers, expiry dates and verification numbers stolen in Saint John began to appear for sale on the dark web in September 2017.
"What we're talking about here are parts of the Internet that are obscure," said David Shipley, CEO of Beauceron Security, a Fredericton-based cyber security company. "Typically what happens is you sell credit cards in large batches because what happens is they go stale fairly quickly. Ones that have high balances usually sell for more."
Shipley questioned a tech industry newsblog report that said the cards fetched an average of $10 US on the dark web. He said the price is usually about a dollar, or even less, per card.
Shipley has sympathy for budget-conscious municipalities caught in such attacks, which will only become more common. He said it is costly to defend against them.
Saint John's online payment system remains shut down. It is expected to be back in operation with a new service provider before the start of the year's second quarter, April 1.
Although Ames fixed the problem relatively quickly, ripples from the attack are still being felt there.
The city is home to Iowa State University.
Gwiasda said many students there used debit instead of credit cards to pay their parking fines, and they are discovering their bank accounts have taken direct hits from the hacker.