Customers complained, company upgraded security

Dec 30, 2014 21:56 GMT

Cards belonging to customers who have used the online service OneStopParking have been put up for sale on an underground forum.

Although the company did not detect any abnormal activity on their systems, it did receive complaints from customers about fraudulent charges.

The immediate reaction was to scan the website for malicious files, as well as to upgrade the security software used for protecting the site.

Financial institutions trace the breach to OneStopParking

Amer Ghanem, the administrator of the website, said that the complaints from the customers stopped after this activity, suggesting that a vulnerability was eliminated during the upgrade process.

Security blogger Brian Krebs noticed the new batch of cards on sale on Rescator, the same carding forum that traded card data resulting from the breaches at Target and Home Depot.

After contacting some financial institutions that had purchased a number of cards to determine the common merchant they had been used at, he was informed that the common denominator was OneStopParking.com, an online service that provides low-cost parking spaces near airports and seaports across the US and Canada.

The prices of the cards up for sale on Rescator vary depending on the bank they belong to, but some of them are available for as little as $7.5 / €6.20 and can reach as much as $12 / €10.

Security codes are also included in the database

The database lists whether the cards are credit or debit, along with the country, state and city, and also contains cardholder information, the CVV (card verification value), and the address and phone number of the owner.

It is unclear how the hackers managed to get the CVVs of the cards, as it is against the PCI DSS (Payment Card Industry Data Security Standard) for merchants to store this information on their systems.

CVVs, also called CVC (card verification code), are the three-digit numbers on the back of the card, and are used in card-not-present transactions as a protection measure against fraud. By entering the code when purchasing a product online, the buyer proves that the card is in their possession and that they are not relying on information stolen from a merchant.

“We have been unable to identify any specific issues that have caused any credit card breach on our website,” Ghanem told the security blogger.

He added that “being a part of the e-commerce industry and staying up to date with the security news, we are aware of security threats that are always around, especially during the holiday season, when people tend to shop and travel more. We currently have 2 different services that are always monitoring traffic on our website, 24/7 to ensure the safety of our customers.”

[UPDATE, December 31]: OneStopParking.com is currently down for maintenance purposes. Customers can still place reservations by calling a specified phone number.