[BreachExchange] Waco water bill attack just the latest in a wave of Click2Gov breaches

Destry Winant destry at riskbasedsecurity.com
Fri Dec 13 10:04:23 EST 2019


The City of Waco has warned residents that their online payments for
water services may have been intercepted by hackers who stole credit
card details.

The heart of the problem lies in the third-party online payment
software that Waco and several other cities and municipalities use to
let residents pay their bills, pay parking fines, as well as make
other financial transactions.

According to a spokesman for the City of Waco, the Click2Gov portal
for water bill payments was breached by malicious hackers who were
able to plant malicious code that siphoned off sensitive data between
August 30th and October 14th.

“Unfortunately, this is something that happens in the credit card
world,” said Larry Holze.

Well, it certainly does happen in the case of Click2Gov if recent
history is any judge.

Security researchers have been tracking attacks against Click2Gov’s
payment portals for a couple of years, with multiple reports of
breaches involving cities stretching across the United States and
Canada, resulting in tens of thousands of payment card details being
traded on the dark web.

As an example, just last month the city of College Station said its
Click2Gov online utility payment system had been compromised between
July 31 and November 15, 2019.

And in September 2019, eight cities said their Click2Gov payment
portals had suffered significant data breaches which saw details of
more than 20,000 payment cards stolen.

Security researcher Stas Alforov at Gemini believes that the crime
wave demonstrates attackers are returning to the same victims over and
over again:

“It demonstrates cybercriminals’ willingness to repeatedly target the
same victims and underscores that while responsible security habits
are constructive, there is no perfectly secure system. It is thus
incumbent upon organizations to regularly monitor their systems for
breaches in addition to keeping up to date on patches.”

CentralSquare Technologies, the makers of Click2Gov, counters that
only a “limited number” of Click2Gov customers have reported
unauthorised access by hackers and that a vulnerability they
identified in the portal has now been closed.

According to media reports, in the case of the most recent breach
involving water utility payments, the City of Waco was informed of the
problem with the Click2Gov software on November 8, 2019.

That was too late for those customers who had taken advantage of the
convenient (but sadly unsecure) online payment portal.

“Of the 44,000 water customers, typically we receive 12,500 payments
online each month,” city spokesman Larry Holze said. “During the
period identified, a little over 8,000 customers were mailed letters.
Payments made with a credit card inside the water office (not online)
are not involved in this incident.”

Consumers impacted by the breach can expect to receive a letter from
the city this week telling them about the incident and advising them
on the steps that should be taken to protect against fraud.

“We’ve sent out letters to all those people who they’ve been able to
give us that have been compromised, in some fashion, asking them to be
careful and watch their statements and make sure something doesn’t
show up,” said spokesman Holze.

The city has also set up a hotline for residents with questions about
the breach, available from Monday to Friday on 833-947-1419.

More information about the BreachExchange mailing list