Calif. DMV probes possible credit card hack. Is the public sector a target?

The California Department of Motor vehicles is investigating the possibility that users of its online services were latest victims of a credit card hack. Is the public sector the next target for data thieves?

Long lines, slow service, and hassle are usually associated with a trip to the Department of Motor Vehicles, so when DMVs around the country started offering online services, the response was enthusiastic. For California DMVs in 2012, for example, 11.9 million transactions were completed online – up 6 percent from the year before.

The most recent news, however, may dampen that response. California officials are investigating a potential credit card data breach in online transactions for the state's Department of Motor Vehicles over a six-month period ending January 31. The probe is ongoing, but the potential of the hack raises questions about credit card security i an increasingly automate

Brian Krebs (a cybersecurity journalist at KrebsOnSecurity, which previously broke the Target and Adobe hack stories) first  reported  the potential breach when MasterCard sent out an alert to five financial institutions, which included two midsized California banks. The transactions in questions were tagged: “STATE OF CALIF DMV INT”.

“There is no evidence at this time of a direct breach of the DMV’s computer system,” the California DMV told KrebsOnSecurity. “However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

In addition, US Bank and Visa did not send out alerts, and both said they are still investigating the claims. Krebs says at one bank, the breach could have affected over 1,000 cards.

Online DMV transactions include traffic payments and registration fees.

This news comes on a year of heightened sensitivity to cybersecurity breaches after an attack on Target siphoned information from over 40 million credit cards nationwide over about a month and may have compromised over 70 million customers’ private contact information.

Potential attacks growing to include public sector bodies are a concern, says Ben Woolsey, president of CreditCardForum.com.

“This is not just like Target or retailers getting hacked,” he says. “This is someplace that collects personal information and really knows so much about you as a person and a consumer. It is very disconcerting to see this type of database getting hacked.”

Though the California DMV is still investigating, Mr. Woolsey says he is concerned that hackers could have obtained more than just credit card information, as DMVs also house vital identity information like driver’s license numbers, social security numbers, and date of birth. If hackers access this information, identity theft is a potential threat.

Regardless, he says that government bureaucracies have been slower than others to get online, and can lack the tech talent and support to ensure a security hack is prevented. “There are probably 49 other potential cases waiting to happen,” he says.

That being said, in this digital age, more people are forgoing cash and moving all finances online, while hackers are growing increasingly savvy. This has resulted in higher fraud than ever before:  Nilson Report, a financial industry publication, says retailers and banks had to pay back more than $11 billion in global card fraud in 2012, up 15 percent from the year before. But Woolsey says that actually isn’t the worst thing in the world.

“There is some sort of safety in numbers,” he says. “There are so many credit card numbers on the black market it almost becomes too much for hackers to handle. All cards expire at a certain point, so there is a lifespan of usability for this information.”

The key to ensuring minimum damage is vigilance, he says. Card  users should monitor monthly credit card statements and set up alerts for when  cards have been used. Credit card companies are likely to beef up security in light of these attacks as well, he adds.

And don’t expect hordes of people taking a ticket at the DMV counter for fears of compromised credit cards any time soon.

“My guess is that convenience is going to trump security fears,” Woolsey says. “We’re vulnerable any place, let alone the DMV, as these breaches seem to be happening on a frequent basis.”