California DMV compromised, credit cards breached

The California Department of Motor Vehicles has been the victim of a wide-ranging security breach which may have affected thousands of citizens, according to sources.

Earlier this week, MasterCard issued an alert noting that credit cards used in online transactions with California's DMV may have been compromised, resulting in the theft of data and personal information, including credit card numbers, expiration dates, and three-digit security codes.

The number of cards stolen is still unconfirmed, but according to security blogger Brian Krebs, at least five different financial institutions have confirmed the data breach. Krebs says the potentially compromised transactions all occurred over a span of six months, from August 2nd, 2013 to January 21st, 2014.

Statistics from California's DMV show that nearly 12 million online transactions with the DMV were conducted in 2012, an increase of 6 percent from 2011 - an ominous number when considering the potential range of the breach.

California's DMV isn't the only institution to be compromised: just months ago, popular retailer Target confirmed that over 110 million of its customers' credit cards were compromised in a massive breach. The FBI later issued a statement warning of more potential attacks. While the focus has predominantly been on point-of-sale (POS) machines such as cash registers, credit card data is a target highly valued by many would-be hackers for its huge potential, in both financial and personal information.

Source: Krebs On Security. Image via Google.


22 Comments


Lucky for me the same card I used at the DMV this last fall was the same one I used at Target and already got my new card.... *sigh*

SHADOW-XIII said,

Why DMV was allowed it then?

Who says they did? This blurb/article doesn't give us any details of the breach.

The Target breach, for example, was a piece of code that scraped the live memory of their POS machines as the transactions took place. Nothing was being stored that shouldn't have been.

It's possible that this is the same thing that was done to the CA DMV (though we have no information either way).

These guys run Win2k and XP in this day and age in the physical offices, anybody surprised this kinda thing may happen?

I predict very soon credit cards will feature a SUPER secure additional set of numbers on the back. Instead of just the 3, there will be a large string we will have to enter in each time we want to use the card.

Cheaper to do that than come up with a real solution.

The fix is already coming via CC with a chip (such as used in Europe). It will be deployed by all banks in the US by end of 2015.

pookie62 said,
It will be deployed by all banks in the US by end of 2015.
Sad that it's taken them this long to finally get around to it.

Romero said,
Sad that it's taken them this long to finally get around to it.

They have known about it for a long time (some banks tried it with their credit cards); however, they believed it was too expensive. I bet they are getting a wake-up call now.

Pretty soon, we will have one time use credit cards where you read out the number and the cashier breaks open an identical card and reads out their numbers to authenticate. Then both the customer and cashier insert their keys into the cash register and turn simultaneously to complete the transaction.

pookie62 said,
The fix is already coming via CC with a chip (such as used in Europe). It will be deployed by all banks in the US by end of 2015.

Maybe I just don't understand, but how does a chip help you with online sales?

neufuse said,

Maybe I just don't understand, but how does a chip help you with online sales?

How does a chip help anything? Wouldn't the theft that has been going on still grab chip information too? It would be neat if a credit card number changed based on when you swiped it. And that change happened identically with a server at that time of swiping. Something like Blizzard does with Battlenet log ins. =)

Golly gee. And so many "tech types" criticize those of us who prefer to do business in person or by US mail. That still remains a much more secure way of doing business.

OR, any of the pertinent info, like the first 3 sets of CC#, nor the 3DIG, EXP info should be ignored on ":EVERY:" form... Why would any IT org keep any of this info... Although, most states' IT infrastructure is at least 10-15 years behind most orgs...

-Razorfold said,
you never ever store the 3 digit code. It defeats the entire purpose of having it...

Which is why Target didn't do that. Their breach was a piece of code that scraped the live memory of their POS machines as the transactions took place. Nothing was being stored that shouldn't have been.

It's possible that this is the same thing that was done to the CA DMV (though we have no information either way), in which case your rant and assumptions would be entirely inaccurate and irrelevant.

excalpius said,

Which is why Target didn't do that. Their breach was a piece of code that scraped the live memory of their POS machines as the transactions took place. Nothing was being stored that shouldn't have been.

It's possible that this is the same thing that was done to the CA DMV (though we have no information either way), in which case your rant and assumptions would be entirely inaccurate and irrelevant.


Except if you read the article it clearly states that the 3 digit code was stolen. When you swipe the card, the 3 digit code is never read because it's not stored on the magnetic stripe.

Since it's the DMV my assumption of incompetent morons is likely 100% accurate.

However those 3 digit cvc numbers are used for web based sales which could have been hacked when transmitted and which I suspect the DMV does a lot of so you may not be 100% accurate :)

Depicus said,
However those 3 digit cvc numbers are used for web based sales which could have been hacked when transmitted and which I suspect the DMV does a lot of so you may not be 100% accurate :)

And in that case they should have been encrypted. If they weren't...well then you already know the answer to that.

But if they are captured before transmission - there will always be points in any code where the values are in plain text and no amount of encryption is ever going to change that.