New Brunswick

The parking system cyber attack: 2 cities, 2 stories

They are two cities of similar size, both victimized in the same cyber attack. But Ames, Iowa, a 26-hour drive from Saint John, had a much different experience after the attacker slipped malicious malware into its parking fine server.

Parking fine servers in Ames, Iowa, and Saint John were targeted by hackers

Like Saint John, Ames, Iowa, had its parking fine server attacked by hackers. (Iowa State University)

They are two cities of similar size, both victimized in the same cyber attack. 

But Ames, Iowa, a 26-hour drive from Saint John, had a much different experience after the attacker slipped malicious malware into its parking fine server.

"We were lucky, absolutely we were lucky," said Susan Gwiasda, the midwestern college town's public relations manager. "We were fortunate in that we had a customer who said, 'I only used this credit card to pay for these [parking] tickets and I immediately got fraudulent charges.'"

Gwiasda said the malware had been on the city's server for a matter of weeks before it was caught.

Notice letters were then sent to more than 3,000 motorists who paid tickets over a 12-week period beginning last August.

Malware was inserted into parking fine servers in both Saint John and Ames, Iowa. In Ames, it was discovered in just weeks. In Saint John, it lay hidden in the system for 18 months. (Shutterstock)

The city, she said, did get advance notice of a potential problem from CentralSquare Technologies, the owner of the click2gov software, but it arrived during a staff change in the municipality's IT department.

The notice, saying the system was vulnerable and recommending upgrades, was not taken seriously. 

 "What we needed to do to fix the vulnerability was not expensive, it was a matter of switching servers. Had we known that it needed to be done immediately we would have. So there was some disappointment," said Gwiasda.

After switching servers, Ames had its online payment system back up in just two days.

Different story in Saint John

Saint John officials say the malware sat unnoticed on its parking server for a full 18 months.

On Nov. 16, they too got an alert from a member of the public claiming false charges appeared on his bill statement after paying a parking fine.

City staff alerted CentralSquare Technologies, owner of the software used by both cities.

The company scanned the Saint John system and found no evidence of the malware.

Saint John IT staff eventually learned their server had been breached not from the software owner but from an online IT industry news story.

Names, addresses, credit card numbers, expiry dates and verification numbers stolen in Saint John began to appear for sale on the dark web in September 2017.

The City of Ames, Iowa, continues to use the click2gov software to collect parking fines. Saint John is in the process of switching to a new provider. (City of Ames, Iowa)

"What we're talking about here are parts of the Internet that are obscure," said David Shipley, CEO of Beauceron Security, a Fredericton-based cyber security company. "Typically what happens is you sell credit cards in larges batches because what happens is they go stale fairly quickly. Ones that have high balances usually sell for more."

Shipley questioned a tech industry newsblog report that said the cards fetched an average of $10 US on the dark web. He said the price is usually about a dollar, or even less, per card.

Shipley has sympathy for budget conscious municipalities caught in such attacks, which will only become more common. He said it is costly to defend against such attacks.

Saint John's online payment system remains shut down. It is expected to be back in operation with a new service provider before the start of the year's second quarter, April 1. 

Despite fixing the problem relatively quickly, there are still ripples from the attack being felt in Ames.

The city is home to Iowa State University.

Gwiasda said many students there used debit instead of credit cards to pay their parking fines, and they are discovering their bank accounts have taken direct hits from the hacker.

About the Author

Connell Smith

Reporter

Connell Smith is a reporter with CBC in Saint John. He can be reached at 632-7726 Connell.smith@cbc.ca

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.