
The parking system cyber attack: 2 cities, 2 stories

They are two cities of similar size, both victimized in the same cyber attack. But Ames, Iowa, a 26-hour drive from Saint John, had a much different experience after the attacker slipped malicious malware into its parking fine server.

Parking fine servers in Ames, Iowa, and Saint John were targeted by hackers

Like Saint John, Ames, Iowa, had its parking fine server attacked by hackers. (Iowa State University)


"We were lucky, absolutely we were lucky," said Susan Gwiasda, the midwestern college town's public relations manager. "We were fortunate in that we had a customer who said, 'I only used this credit card to pay for these [parking] tickets and I immediately got fraudulent charges.'"

Gwiasda said the malware had been on the city's server for a matter of weeks before it was caught.

Notice letters were then sent to more than 3,000 motorists who paid tickets over a 12-week period beginning last August.

Malware was inserted into parking fine servers in both Saint John and Ames, Iowa. In Ames, it was discovered in just weeks. In Saint John, it lay hidden in the system for 18 months. (RedPixel/stock.adobe.com)

The city, she said, did get advance notice of a potential problem from CentralSquare Technologies, the owner of the click2gov software, but it arrived during a staff change in the municipality's IT department.

The notice, saying the system was vulnerable and recommending upgrades, was not taken seriously.

"What we needed to do to fix the vulnerability was not expensive, it was a matter of switching servers. Had we known that it needed to be done immediately we would have. So there was some disappointment," said Gwiasda.

After switching servers, Ames had its online payment system back up in just two days.

Different story in Saint John

Saint John officials say the malware sat unnoticed on its parking server for a full 18 months.

On Nov. 16, they too got an alert from a member of the public claiming false charges appeared on his bill statement after paying a parking fine.

City staff alerted CentralSquare Technologies, owner of the software used by both cities.

The company scanned the Saint John system and found no evidence of the malware.

Saint John IT staff eventually learned their server had been breached not from the software owner but from an online IT industry news story.

Names, addresses, credit card numbers, expiry dates and verification numbers stolen in Saint John began to appear for sale on the dark web in September 2017.

The City of Ames, Iowa, continues to use the click2gov software to collect parking fines. Saint John is in the process of switching to a new provider. (City of Ames, Iowa)

"What we're talking about here are parts of the Internet that are obscure," said David Shipley, CEO of Beauceron Security, a Fredericton-based cyber security company. "Typically what happens is you sell credit cards in large batches because what happens is they go stale fairly quickly. Ones that have high balances usually sell for more."

Shipley questioned a tech industry news blog report that said the cards fetched an average of $10 US on the dark web. He said the price is usually about a dollar, or even less, per card.

Shipley has sympathy for budget-conscious municipalities caught in such attacks, which will only become more common. He said it is costly to defend against such attacks.

Saint John's online payment system remains shut down. It is expected to be back in operation with a new service provider before the start of the year's second quarter, April 1.

Despite fixing the problem relatively quickly, there are still ripples from the attack being felt in Ames.

The city is home to Iowa State University.

Gwiasda said many students there used debit instead of credit cards to pay their parking fines, and they are discovering their bank accounts have taken direct hits from the hacker.