State Government Online Payment Service Exposes 14M Customers

Details on more than 14 million customer records have been exposed thanks to a security oversight at GovPayNow.com, which as its name implies provides a platform for online payment systems for state and local governments.

The company, which according to its website “handles more than 2.1 million payments annually to more than 2,600 agencies in 36 states reaching more than 26 percent of all U.S. counties” has leaked names, addresses, phone numbers and the last four digits of the payment cards for citizens that have paid online for everything from traffic tickets to bail to permitting fees.

The breach covers data stretching back six years.

According to security researcher Brian Krebs, the issue revolved around GovPayNow’s online payment receipt URLs – each customer was presented with a unique confirmation page after a transaction. But the addresses for these pages were static, consisting of a common web address with a unique set of numbers at the end for each receipt — so someone only had to type in different receipt digits in the web address to pull up different receipts. Even just guessing the digits gave adversaries a good chance of getting a “hit.”

The company fixed the problem over the weekend, it said. It’s unclear whether bad actors actually accessed the information – and there’s likely no way of knowing.

For its part, GovPayNet issued a statement: “[We have] addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients. The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”

Despite the company’s insinuation that the issue provides little danger to consumers financially, there are threat vectors that the information could be used for.

“While it may be technically true that the receipts ‘do not contain information that can be used to initiate a financial transaction,’ the most common usage of this kind of leaked data is to take over access to online accounts, either through the call center or through password reset processes, and then use the taken over account to commit financial fraud,” Nishant Kaushik, CTO at Uniken, told Threatpost.

Further, the issue indicates that the company persisted in relying on outdated security practices, and may be non-compliant with PCI standards, according to Terry Ray, CTO of Imperva.

“These are basic web application coding practices that I’ve seen since the early 2000s and should not happen,” he said via email. “In the early days of the 2000s…I found even some banks would use sequential account numbers without validation on their web applications returning very similar results. Most of these were corrected more than a decade ago.”

He added, “Given that GovPayNow.com is a managed payment gateway providing online electronic payment services for third-party web sites and has a PCI DSS stamp on their web page, I know they have completed at least one Payment Card Industry (PCI) audit. These audits are supposed to verify that companies taking and storing credit-card information perform ‘routine’ code and vulnerability reviews on their applications. This particular problem would not likely have presented as a vulnerability in most cases, but should have presented under poor coding practices. The most recent versions of the PCI regulation further requires that where web application problems and vulnerabilities are found, they must be corrected.”