Central Coast Council NSW Breach 31-Jan-24

Central Coast Council Breach 31 Jan 2024

The Central Coast Council payment system was hit by someone doing a BIN attack, with around 20 cards being successfully processed by the attacker.

The Council is reporting that the attacker used random card numbers, but that is exceedingly unlikely. A combination of CC number, expiry and CVV results in trillions of possibilities.

For someone to have hit 20 functional cards from hundreds of attacks, the card details would need to be real. So this is most likely someone using the Council site to validate stolen CC details.

The Council has reportedly put “Another level of fraud control” in place to prevent future incidents.

Impact

Only 20 cards were successfully compromised from “hundreds” of attempts.

Details

This is an odd one, as the Council uses Infor Pathway for its payments. This is a common platform across councils in Australia. Had the Council not configured the solution in line with other implementations, or are other councils vulnerable to the attack?

If anyone is interested, the Council has a Data Breach Policy that can be found here

Opinion

The council has worked the PR really hard on this one. Lots of phrases like:

  • “…this is another example of sophisticated attackers and that all card holders should remain alert…”
  • “…continually improve our response to the ever changing, sophisticated cyber-criminal threats that can occur from anywhere in the world…”

Trying to imply the attack was outside what it would normally mitigate against.

Which is all bullshit, of course. This is not overly sophisticated; it’s just some script kiddies bashing away at a payment gateway that wasn’t properly protected.

Some relevant questions for the council are:

  • Why wasn’t the payment gateway secured similarly to all the other council implementations?
  • Why wasn’t there throttling enabled on the gateway?
  • Who in the council holds accountability for ensuring the payment gateway is secure, and what, if any, action has Council taken to ensure this person is qualified to do so?
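
The throttling question above, sketched as an added example (not code from the Council, Infor Pathway or the original post): a per-source velocity check that stops forwarding attempts once one source has cycled through too many distinct cards or declines inside a sliding window. The class name, thresholds, token format and sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from typing import NamedTuple

class Attempt(NamedTuple):
    ts: int           # seconds since start of sample
    source: str       # client IP or device fingerprint
    card_token: str   # keyed hash of the card number, never the number itself
    approved: bool    # what the processor would answer if the attempt is forwarded

class VelocityThrottle:
    """Per-source sliding window; thresholds are illustrative assumptions."""
    def __init__(self, window=600, max_cards=3, max_declines=5):
        self.window, self.max_cards, self.max_declines = window, max_cards, max_declines
        self.history = defaultdict(deque)  # source -> deque of (ts, card_token, declined)

    def submit(self, a: Attempt) -> str:
        h = self.history[a.source]
        while h and h[0][0] <= a.ts - self.window:   # drop events outside the window
            h.popleft()
        cards = {card for _, card, _ in h}
        declines = sum(1 for _, _, declined in h if declined)
        too_many_cards = a.card_token not in cards and len(cards) >= self.max_cards
        blocked = too_many_cards or declines >= self.max_declines
        # A blocked attempt is never forwarded; it still counts as a decline so
        # that a source which keeps hammering stays throttled.
        h.append((a.ts, a.card_token, blocked or not a.approved))
        if blocked:
            return "blocked"
        return "approved" if a.approved else "declined"

def sample_attempts():
    """Constructed data: one ratepayer retrying a card, one source cycling 40 cards."""
    ratepayer = [Attempt(0, "203.0.113.10", "tok_r1", False),
                 Attempt(30, "203.0.113.10", "tok_r1", True)]
    tester = [Attempt(5 * i, "198.51.100.7", f"tok_t{i}", i % 10 == 9) for i in range(40)]
    return sorted(ratepayer + tester)

def run_sample():
    throttle, outcome = VelocityThrottle(), defaultdict(Counter)
    for a in sample_attempts():
        outcome[a.source][throttle.submit(a)] += 1
    return outcome

if __name__ == "__main__":
    for source, counts in run_sample().items():
        print(source, dict(counts))
```

A per-source key will not catch a run spread across many sources, so a gateway-wide decline-rate alarm belongs alongside it.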