DMV Breach Investigation: An Analysis

Experts Don't Suspect Link to Retailer Attacks

March 25, 2014

It could be several days or weeks before the California Department of Motor Vehicles confirms whether its online payments processing system was the target of a cyber-attack that ultimately compromised credit and debit card details.

But financial services industry sources tell Information Security Media Group that if the breach at the California DMV is ultimately confirmed, it's not likely that the attack would be found to be connected to the wave of point-of-sale compromises that exposed payments card data at national retailers Target Corp., Neiman Marcus, Sally Beauty Supply and others.

They point out that transactions potentially compromised at the DMV are card-not-present transactions conducted online, while in all of the recent retail breaches, compromised card details were traced back to card-present transactions conducted at points of sale within stores. As a result, they don't believe a DMV breach, if confirmed, would be linked in any way to the retailer breaches.

Details from DMV

In a statement issued March 22, the California DMV says it was alerted by law enforcement of a "potential security issue within its credit card processing services." However, no evidence of a direct breach of the DMV's computer system has yet been found, the department adds (see Calif. DMV Investigates Possible Breach).

"In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV's credit card transactions and the credit card companies themselves," states Armando Botello, public information officer for the California DMV, in the statement.

Two card issuers tell Information Security Media Group they have received alerts from MasterCard regarding suspicious card activity linked to the California DMV that could suggest a breach.

But MasterCard would not comment about whether it had identified suspicious activity linked to the DMV. It did say, however, that MasterCard's own systems had not been attacked.

The DMV's payments processor, Atlanta-based Elavon Inc., a business unit of U.S. Bancorp, did not respond to Information Security Media Group's request for comment about whether it suspected its network had been breached. But Teri Charest, a spokeswoman for U.S. Bank, says Elavon is reviewing a possible compromise with the DMV.

"We are in touch with the CA-DMV and the authorities to determine if there is an issue," she says.

What Compromise Could Mean

Shirley Inscoe, a fraud expert and analyst for consultancy firm Aite, says if online DMV transactions were compromised, card issuers serving California should be bracing themselves for significant upticks in fraudulent transactions.

That's because if a breach did occur, then it's safe to assume that the three-digit security code, also known as the card verification number, used to authorize card-not-present transactions also was compromised, Inscoe says.

"This data can be used for online purchases without any problems until all the cards are shut down," she says.

While the DMV says there is no evidence to suggest that its own computer system or network suffered a direct breach, John Buzzard, who oversees FICO's Card Alert Service, says he believes if a breach did occur, it was a contained event. Buzzard says if a third party had been compromised, fraudulent transactions would be traced to other merchants as well.

"Typically, with a processor-level breach, you have several merchants affected because they all do business with the same processor," he says. "If this is a single merchant and no one else is involved, then I'm thinking that the real answer is going to come out of a post-forensic investigation."

But Al Pascual, an analyst with the consultancy Javelin Strategy & Research, says if a breach at the processor is to blame, then card issuers will have much bigger worries on their hands.

Follow Tracy Kitten on Twitter: @FraudBlogger
