Two Years Later, Hackers Are Still Breaching Local Government Payment Portals
Two years after hackers first started targeting local government payment portals, attacks are still going on, with eight cities having had their Click2Gov payment portals compromised in the last month alone, security researchers from Gemini Advisory have revealed in a report shared with ZDNet today. From the news report: These new hacks have allowed hackers to get their hands on over 20,000 payment card details belonging to US citizens, which are now being traded on the dark web, the cyber-security firm said. Click2Gov is a web-based portal sold by Central Square, formerly known as Superion, to US and Canadian municipalities, small and large alike. It comes as a cloud-based offering and in a self-hosted version. Once up and running, Click2Gov provides a self-service portal where US citizens can pay taxes and bills. Such portals are widespread across the US and are not only used by locals, but also by Americans living across the country to pay bills and taxes for property they own in other cities or states. In 2017, a hacker group began targeting self-hosted Click2Gov portals that had been lagging behind with software patches.
Wait, what?! (Score:2)
This explains two things.
1. My card was last hijacked around two years ago.
2. The city water bill portal has been broken since not too long after that. SSL cert thing. Been using the phone system since.
Son of a...
Of course, none at the city will lose their heads over this. They should, but they won't. Ditto Click2Gov.
Lawyers, Negligence, Accountability (Score:1)
Re:Lawyers, Negligence, Accountability (Score:4, Interesting)
The cities should at this point be demanding refunds and the banks should be suing Superion for damages.
Superion doesn't seem to know what the problem is nor how to fix the problem. I'm not sure how you find top-flight programmers that want to work in the Midwest on dot.net payment code.
Also, to make the job more painful, it's not a SaaS offering, but rather a self-hosted solution that by default installs in an insecure manner.
Use CVV (Score:1)