Waco water bill attack just the latest in a wave of Click2Gov breaches

The City of Waco has warned residents that their online payments for water services may have been intercepted by hackers who stole credit card details. The heart of the problem lies in the third-party online payment software that Waco and several other cities and municipalities use to let residents pay their bills, pay parking fines, as well as make other financial transactions. According to a spokesman for the City of Waco, the Click2Gov portal for water bill payments was breached by malicious hackers who were able to plant malicious code that siphoned off sensitive data between August 30th and October 14th. "Unfortunately, this is something that happens in the credit card world," said Larry Holze. Well, it certainly does happen in the case of Click2Gov if recent history is any judge. Security researchers have been tracking attacks against Click2Gov's payment portals for a couple of years, with multiple reports of breaches involving cities stretching across the United States and Canada, resulting in tens of thousands of payment card details being traded on the dark web. As an example, just last month the city of College Station said its Click2Gov online utility payment system had been compromised between July 31 and November 15, 2019. And in September 2019, eight cities said their Click2Gov payment portals had suffered significant data breaches which saw details of more than 20,000 payment cards stolen. Security researcher Stas Alforov at Gemini believes that the crime wave demonstrates attackers are returning to the same victims over and over again:

"It demonstrates cybercriminals’ willingness to repeatedly target the same victims and underscores that while responsible security habits are constructive, there is no perfectly secure system. It is thus incumbent upon organizations to regularly monitor their systems for breaches in addition to keeping up to date on patches."

CentralSquare Technologies, the makers of Click2Gov, counters that only a "limited number" of Click2Gov customers have reported unauthorised access by hackers and that a vulnerability they identified in the portal has now been closed. According to media reports, in the case of the most recent breach involving water utility payments, the City of Waco was informed of the problem with the Click2Gov software on November 8, 2019. That was too late for those customers who had taken advantage of the convenient (but sadly unsecure) online payment portal. “Of the 44,000 water customers, typically we receive 12,500 payments online each month,” city spokesman Larry Holze said. “During the period identified, a little over 8,000 customers were mailed letters. Payments made with a credit card inside the water office (not online) are not involved in this incident.” Consumers impacted by the breach can expect to receive a letter from the city this week telling them about the incident and advising them on the steps that should be taken to protect against fraud. "We've sent out letters to all those people who they've been able to give us that have been compromised, in some fashion, asking them to be careful and watch their statements and make sure something doesn't show up," said spokesman Holze. The city has also set up a hotline for residents with questions about the breach, available from Monday to Friday on 833-947-1419.