A follow-up on the California DMV breach blamed on Elavon

Over the weekend the Hash reported on a story published by Brian Krebs, and continued to chase open threads, resulting in new information. Here’s a re-cap of the story, including additional commentary in order to address a reader’s questions.

[The original story and updates can be viewed here.]

Journalist Brian Krebs broke the story Saturday, based on information he received from MasterCard regarding a CNP (card-not-present) breach. The common thread between the cards that were flagged was the California Department of Motor Vehicles (DMV). Krebs contacted several banks; all of them confirmed the link and the warning from MasterCard.

Speaking to the Hash, law enforcement officials have said that American Express cards were also potentially compromised, and Visa told Krebs they are aware of the issue, but as of Friday, had not issued an advisory on the matter.

Moreover, law enforcement officials have told the Hash that as of Noon last Friday, the US Secret Service has become involved with the matter. Attempts to contact the agency for comment have been unsuccessful.

According to the MasterCard alert:

“…the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.”

The California DMV was contacted by law enforcement on Friday and told of a potential security incident with their credit card payment processor. In a statement to the Hash, the California DMV noted that there was no evidence of a direct breach of their systems.

From their statement:

“However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

The Hash discovered that both firms operate with what’s often called a $0 (zero-dollar) contract. These are MSA (master service agreement) contracts with no commitment from the state.

Such a thing means that various state agencies can select whom they wish to work with, and keep the right to compete for new business if the need arises. The MSA contracts started in 2010, and they expire in 2015.

First Data Contract / Elavon Contract

In a statement to the Hash, Tom Joyce, a spokesman for US Bancorp (Elavon is one of their business units), said:

“At this time, there is NO confirmation of a data breach at the California DMV. We are in touch with the CA-DMV and the authorities to determine if there has been any issue.”

Further, First Data confirmed the MSA contract, but said they are not the processor for the California DMV.

Thus, the processor mentioned by the California DMV is Elavon, who isn’t confirming the breach reports from MasterCard, but they’re not denying them either.

The California says that 24 million drivers are registered in their system. Last year, more than 8 million people registered a vehicle or renewed a license using the Web, those with credit cards would see the transaction listed as a CNP by their bank.

This story will be updated when new information is available.

On Twitter, one reader asked:

“Riddle me this – If a payment processor was breached, why are only Cali DMV cards affected?”

In California, the only way to pay for services with a credit card is to do so online, as branch locations in the state only accept cash, checks, or debit cards. In the MasterCard alert, the banks were told of the CNP breach, and given a list of cards that were impacted.

CNP (card-not-present) transactions are usually online or over the phone. The common purchase between each of the impacted credit cards was the California DMV, which could only have happened online.

So the answer to the question is in the business model of payment processing.

Most merchant accounts (what allows a business to take credit cards) are only for a single merchant. If Elavon is the processor for the DMV and say the California Highway Patrol, those are two separate merchant accounts. A breach at the DMV wouldn’t impact the CHP and vice versa.

It is entirely possible that the breach extends beyond the DMV, but there is no proof that it has. So far, the only cards potentially compromised are those that were used online for DMV transactions in the six-months flagged by MasterCard.

The reader responded:

“I just find it very hard to believe that processor would be the source of the breach. The DMV SEEMS [like] a far easier / softer target.”

This is actually correct in my opinion. The DMV would be the softer target. Government agencies like the DMV (not just in California, but everywhere), try to keep up with security, but often fall behind when it comes to defending against current threats.

That’s a nice way of saying security at the state government level is just awful, and those charged with protecting the network are often buried in red tape; stripped of any real power to act and do their jobs. It’s politics at its best. If not for the law enforcement warning, it’s likely the DMV might have never known about the incident.

So yes, the DMV is the softer target, but why an attacker would target the processor instead depends on a number of things. It’s possible that a socially-engineered attack gave the attackers better access to the processor. Or, perhaps a flaw somewhere in the processor’s infrastructure was exploited remotely. The same thoughts apply if the DMV was in fact the source of the breach.

In any event, the only way to know for sure would be to know the IOCs (indicators of compromise) that alerted the investigators. For their part, MasterCard would have been told by law enforcement, which would confirm their own internal fraud detection programs.

So something tipped the investigators off, and that something could be the key to learning why the attackers picked one target over another. At this stage, no one knows but the investigators themselves, and that isn’t likely to change any time soon.