Dothan, AL (WTVY)-- The city of Dothan claims it does not yet know how many credit and debit cards used to make online utilities payments have been compromised.
City IT Director Jack Mason is awaiting that information from Click2Gov, a portal that processes online payments.
However, a leading Cyber security expert believes he already has the answer.
“There were over four thousand (cards) compromised,” said Stas Alforov, researcher for Gemini Advisory, a highly-respected online security firm.
Customers whose cards have been affected will be notified by Central Square, but only after the city reviews that correspondence. It's not known when that will happen.
Click2Gov has been the target of numerous breaches. In 2017 and 2018 hackers compromised about 300,000 cards that netted them approximately $2 million, per multiple reports.
Alforov believes the reason for those breaches is because local governments either failed to install security patches or lacked the sophistication to install them correctly.
Mason told WTVY that the city's system has been kept up to date and patches received from Central Square are usually installed the same day.
The most recent attack on Click2Gov occurred in August of this year and Alforov believes, by then, most cities and other government entities had learned from those previous hacks.
The problem, he said, is criminals attack faster than online payment processors can defend their systems.
Many government agencies using Click2Gov had, by September 20, been notified of the August breach.
Dothan, according to Mason, did not find out until several weeks later.
He said the first he heard about a possible issue is when a Dothan Utilities customer, in late October, reported a card used to pay a utility bill online had been hacked. Mason contacted Central Square.
“The very next day we received their broadcast type notification telling us (there might be an) issue,” he said.
Central Square then performed a detailed analysis, and notified Mason on November 6 that Dothan's online payment system, indeed, had been breached.
Mason said it appears that cards affected are those used in transactions during which numbers and other information were manually entered.
Card information that had been stored in the portal for repeated use does not seem to have been hacked.
Mason told WTVY the data compromise in Dothan was confirmed on November 6. However, he and City Manager Kevin Cowper did not make that information public until November 19. Even city commissioners were not alerted until that day.
When questioned about the delay in notifying Dothan of the breach, Central Square declined comment.
At least one other city using Click2Gov as its payment processor also only recently learned of the Cyber attack.
College Station, Texas shut down its online application November 14, after the system had been infiltrated.
Stolen credit and debit card information, including three digit security codes, are usually sold on the web.
Alforov said criminals who purchase that information will usually test a card's validity by attempting small purchases. If those are approved, they use the cards for more expensive transactions.
Customers whose information is stolen will be reimbursed fraudulent charges by financial institutions that issued the cards.
Dothan will transition to a new payment processor in the next few weeks as part of an infrastructure upgrade. That transition is expected to be complete by February 1, 2020.
While Click2Gov charges customers a transaction fee for using credit and debit cards, those fees won't be charged by the new processor.
Gloss