Credit Cards Hacked at DMV


On Saturday, the California Department of Motor Vehicles said that its credit card processing system may have been hacked, and are looking into whether or not costumer credit card data has been compromised.

An official statement on their website says that the DMV first found out about the potential breach after they were contacted by law enforcement. And while they do not have any evidence of a direct breach, they have opened an investigation. They are conducting a “forensic review” of their entire credit card processing system, including getting information for the company contracted to process DMV credit card transactions and from the credit card companies themselves.

The potential hack was first noticed by cyber security blogger Brian Krebs. In his blog, Krebs refers to the incident as a “wide-ranging” data breach that first came to his attention when MasterCard sent out an alert to five local banks to warn them that cards had been compromised and had been used to make charges marked “STATE OF CALIF DMV INT.” The MasterCard alert said that potentially compromised transactions occurred from August 2, 2013, to January 31, 2014 and that compromised information included the card number, the expiration date and the security code.

It is unclear at this point if the hack also compromised other DMV customer information like license numbers and social security numbers, but customers are being reminded that they need to keep an eye on their transactions and to report any suspicious charges or activities as soon as possible.

Last year, the DMV handled more than 11 million online transactions, which is an increase of 6 percent over 2012 as more and more people take advantage of the convenience of online registration and other services.

If the credit card information at the DMV has been hacked, it would be the most recent in a string of large, high-profile data security breaches. Late last year, Target stores had a data breach which compromised up to 40 million of the retailer’s accounts. Target is still struggling to win back the trust of its customers and its sales numbers are down. The information was stolen from the magnetic strips on the back of most credit cards.

Earlier this year, another major retailer, Neiman Marcus, was also the victim of a hack which affected millions of customers. In both cases, these companies were in compliance with the Payment Card Industry Security Standards Council, which has led some security experts to question whether PCI standards should not be reviewed and updated.

Another common element, and one of the elements that security experts say is easy to fix, is the use of a magnetic strip on the back of the card. Magnetic strips, like the ones on the cards which might have been hacked at the DMV, are an old technology and many countries have moved away from it to “smart chips” cards which have much higher levels of security and so are much more difficult to steal. Instead of storing personal information on a magnetic strip, which is easy to capture, the chip creates a unique, encrypted code for each transaction the purchaser makes.

By Dan Reyes

Los Angeles Times
Krebs on Security
California Department of Motor Vehicles