Breaking news seems to be coming form the Twitterverse this morning.
It appears that the Auckland City Council’s parking machines were storing the credit card numbers of all cards entered into the machines and the database storing this data has been hacked.
There is no reason why after the transaction was processed for the council to store the credit card numbers unless they were using them as a form of tracking of people using the carpark, if this is the case they still should have never stored the credit card numbers, at a minimum a hash sum of the number would have worked. There appears to be much more to come on this story.
Update:
This just in from Mr A. Source:
Auckland City’s PCI certification is under serious review which will compromise their ability to carry out any credit card transactions. This will also potentially impact the new Auckland Council. Basically, internal systems at Auckland City have been compromised.
I have been laughing over the last few days as the New Zealand Transport Authority has become more red faced over the massive security hole in their toll road payment system.
On January 25 the Silverdale to Puhoi motorway extension will open, however to drive on it you will need to pay tolls, and for the last two months or so the NZTA have been advertising the www.tollroad.govt.nz website heavily so regulary uses of the new road can set up accounts.
On Monday a computer user realised that the website was not encrypting credit card information which means that anyone who knows anything about packet snifting or the like could intercept peoples credit card details as they used the website.
Now first and foremost this should never happen. Not on any ecommerce site, let alone a government website. Ecommerce programing 101 would surely teach you that first you must always encrypt data through using SSL and HTTPS not plain HTTP.
But what was more funny is that the red faced NZTA denied that there was anything wrong with the site! Refusing to take it offline or stop processing accounts.
That was until today when with egg on their face they took down the site for maintenance and admitted they stuffed up. Time to get new programmers one thinks.
