Banks Say Thieves Motored Away with Park-n-Fly Card Data

Hard on the heels of the news that parking company SP+ was a victim of a data breach, the well-known Park-n-Fly offsite airport parking service is facing an online credit card heist.

Multiple financial institutions have told security researcher Brian Krebs that they have picked up on fraud patterns that point to a compromise. The service takes reservations online, and it’s this system that is believed to have been hit.

Park-n-Fly said that its own internal investigations have turned up no evidence of an intrusion.

“We have been unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions,” said Michael Robinson, the company’s senior director of information technology, in an emailed statement to Krebs. “While this kind of incident is rare for us based on our thousands of daily transactions, we do take every instance very seriously. Like any reputable company involved in e-commerce today we recognize that we must be constantly vigilant and research every claim to root out any vulnerabilities or potential gaps.”

He also noted that Park-n-Fly is using SSL encryption, including the latest EV SSL certificate from Entrust, as evidence of its security readiness—though of course this is but minimal protection.

In all, two (unnamed) banks have said that they are seeing fraudulent transactions on a “significant number” of customer cards that all had one thing in common: they had all been recently used online to make Park-n-Fly reservations, at more than 50 locations nationwide.

Further, the card numbers have been dumped onto the Rescator underground black market, according to Krebs, who uncovered that they’re for sale as part of four large batches of fresh card data that the thieves are calling “Decurion.” Rescator of course is the same outlet that fenced the Target and Home Depot caches.

“The card data ranges in price from $6 to $9 per card, and include the card number, expiration date, three-digit card verification code, as well as the cardholder’s name, address and phone number,” Krebs reported.

The parking theme could be warming up: in early December, parking facility service provider SP+ said that between Sept. 29 and Nov. 10, cybercriminals were able to gain access to payment card data at garages in the Chicago area, Philadelphia and Seattle—including the cardholder’s name, card number, expiration date, and verification code. In total, the incident affected 17 SP+ parking facilities.

In that case, the perpetrator(s) used a remote access tool (RAT) to connect to the systems and install malware that specifically searched for payment card data.

What’s Hot on Infosecurity Magazine?