ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users (krebsonsecurity.com)
74 points by rrauenza on April 21, 2021 | hide | past | favorite | 32 comments


I hate this app. It's such a lousy experience trying to park if you only occasionally use a metered lot. You get out there and have to download this thing in a garage with bad signal or you're trying to reset your password. I don't understand why these cities and garage owners can't just use a kiosk that takes credit cards. Now this. I hope this incident makes people reconsider this app and others like it.


Why download an app and create an account unless you were going to use it frequently? I've always just used the website to pay to park without an account.


All apps should function on the web.

I prefer ParkMobile over waiting in line at a kiosk, especially since they're broken or barely functional (try seeing their screens in the Florida sun).


Weekly: yes, PWAs (progressive web apps) are not only the future, but the present.

Most every app you are using has a mobile-reactive webapp that'll invade your security + privacy less.

Microsoft has adopted this heavily. Outlook, for example, is now a cross platform PWA.


When I encountered ParkMobile last time, some ~5 years ago, it was an upgrade from coin-only meters on an outdoor parking at Santa Monica beach.


I have them all over the city where I live. I don't mind. Besides, it's considerably cheaper than having hundreds of kiosks, and it gives me a warning when it's expiring and allows me to renew remotely. I get that it may make less sense in garages.


No notification from ParkMobile on the breach to their customers. Wonder what class-action lawsuits that might trigger.

“It’s also curious that ParkMobile hasn’t asked or forced its users to change their passwords as a precautionary measure. I used the ParkMobile app to reset my password, but there was no messaging in the app that suggested this was a timely thing to do.”


More importantly, can we sue the local government for negligence if they continue to require people to use this app?


Strip away the money we pay in taxes for something that is clearly not their fault?


Municipal governments are the ones pushing it (usually) without alternative so they are at least partially at fault.


I don't think that is accurate. I got a notification from the app on iOS today.


I got an email from them today re: this


Good point. I got email from them on this topic on April 18.


Honestly it's on the less severe side of data leaks considering what could have been leaked. No location history at least.

Really the only improvement (besides not getting hacked) would be not storing the license plate numbers/values. They could be hashed just like passwords using bcrypt.

What's interesting is they say the salt values were not stored which is odd as typically password hashes use per input unique salts that have to be stored. Not sure if that means they used an additional salt or if they reused the same salt.


I don't think you could hash the registration plates. Users need to see the vehicles that are associated with their account, not least to select the car that the parking session is to be associated with. Although an app could maintain an internal database, the service also has a web interface and the UX that would result from only storing hashed VRNs would be pretty awful.


You could just name the vehicle with a nickname and also have the color, make, and model. I figure most people don't even know their license plate number from memory.

The app could let you "lookup" an existing entry from the license plate since it would then just be checking if the entered plate value matches one of the existing hash values.

I guess the part that would be weird is if your license plate # changed but you kept the same vehicle, e.g. a kid drives their parents' car but one year registers it under their own name.


My guess is they have a static salt for all passwords in code somewhere (newbie mistake I made years ago).


Static salt is called pepper [1]. It's not a bad idea - but it would be better used with the regular salt.

Some people don't seem to like the idea, but I think it adds an easy additional layer of protection. At least in the past many of the password leaks seemed to be due to SQL injections and only leaking the database content. Pepper stored in the code would have protected the passwords.

https://en.wikipedia.org/wiki/Pepper_(cryptography)


I've used ParkMobile to pay for parking around Rutgers in New Brunswick, NJ where one of our daughters was enrolled for a time. Was recently receiving an unusual amount of SMS spam. Seems like this might be a possible explanation.


Have been receiving a ton of spam email that makes it through Gmail's filter also. However, that could also be from the FB breach :)


Ok, so why do they need to store my parking locations anyway? They say it wasn't leaked so I guess it's there. I'm in the EU and they have no business storing that information longer than needed (which would be until I stop the parking action.)

If they are using it for their marketing: I was never notified of that.


There are multiple reasons why:

1) You may have been given a fine erroneously that the data would prove you shouldn't have been given.

2) Financial records have to be kept for several years in most countries. Details of the transaction would form part of this.

3) The terms and conditions say they'll do it.


> If it’s any consolation, whoever is selling this data is doing so for an insanely high starting price ($125,000) that is unlikely to be paid by any cybercriminal to a new user with no reputation on the forum.

Why are details of such “secretive forms” excluded? Where is this forum? Can I read it for myself?


Krebsonsecurity stories have examples all the time, if you don't want to click random links on Google/from people here.


> a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5

MD5 is still common for password hashes? That can't seriously be true anymore.


I believe it's still the default for WordPress and SugarCRM.


To be honest, bcrypt is awesome when upgrading in place since it can rotate your MD5 passwords as people log in / out.
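Added example, not from this thread, the Krebs article, or ParkMobile: the two ideas raised above (a static pepper held in code alongside a per-user salt, and upgrading legacy MD5 hashes in place at login) in one small credential store. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs without extra packages; the pepper value, the record layout, the `legacy_md5_record`/`login`/`verify` names and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed secret: a static "pepper" kept in application code or config,
# never written to the database, so a DB-only dump (e.g. via SQL injection)
# does not include it. This is an assumption of the example, not any
# vendor's real scheme.
PEPPER = b"constructed-pepper-held-outside-the-db"
PBKDF2_ROUNDS = 100_000  # work factor; stands in for bcrypt's cost parameter


def _kdf(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Pepper the password with an HMAC, then run a salted, slow KDF.

    PBKDF2-HMAC-SHA256 is used here instead of bcrypt so the example needs
    no third-party package; the salt/pepper logic is the same either way.
    """
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS)


def new_record(password: str, pepper: bytes = PEPPER) -> dict:
    """Create a stored credential record with a fresh per-user salt.

    The salt is stored next to the hash (it has to be, to verify later);
    the pepper is not, which is the whole point of having both.
    """
    salt = secrets.token_bytes(16)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "hash": _kdf(password, salt, pepper).hex(),
    }


def legacy_md5_record(password: str) -> dict:
    """Constructed legacy record: unsalted MD5, the format being migrated away from."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode("utf-8")).hexdigest()}


def verify(record: dict, password: str, pepper: bytes = PEPPER) -> bool:
    """Check a password against either record format, using constant-time compare."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, record["hash"])
    if record["scheme"] == "pbkdf2":
        candidate = _kdf(password, bytes.fromhex(record["salt"]), pepper)
        return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy MD5 record in place.

    The cleartext password is only available at login, so that is the one
    moment a legacy hash can be rotated to a salted, peppered one.
    """
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        users[username] = new_record(password)
    return True


def demo() -> dict:
    """Walk through migration, then show a DB-only dump is not enough to verify."""
    # Constructed sample user store with a single legacy MD5 account.
    users = {"alice": legacy_md5_record("correct horse battery staple")}
    before = users["alice"]["scheme"]
    login(users, "alice", "correct horse battery staple")
    after = users["alice"]["scheme"]
    # An attacker holding only salt + hash (no pepper) cannot confirm even the
    # correct password offline, so a dictionary attack on the dump alone stalls.
    db_only = verify(users["alice"], "correct horse battery staple", pepper=b"")
    return {"before": before, "after": after, "verifies_without_pepper": db_only}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: a failed login never touches the record, so the migration cannot be used to overwrite a hash with a wrong guess, and `verify` with a wrong or empty pepper fails even for the correct password, which is what the "DB-only leak" argument above relies on. The flip side is operational: if the pepper is ever lost or rotated without a re-hash path, every stored credential becomes unverifiable.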


Nice, now anyone can do a license plate check and come to your door to beef.


It's a shady company as it is. They overcharge credit cards and they haven't gotten back to me in about hmmm.. 4 years!


I’ve definitely had this happen. Their server simply went unavailable when it was time to stop the parking session, and charged max possible time.

On the other hand, I’ve gotten free parking multiple times because their UI is terrible, and I didn’t successfully start the parking session. No tickets yet. I’d definitely contest if I got one though.


As far as I know there hasn't been a public source of license plate-to-owner mappings previously available. With open source license plate reader software I've seen in internet videos, it seems like a large scale leak of license plate data opens up new possibilities for private entities to track individual people's travel on public roads.

In the US, governments have been doing that for quite a while, of course.

Edit: I guess that kind of tracking is already possible if car dealerships and mechanics sell that information.


or repo men...

https://www.autoblog.com/2019/09/17/license-plate-scan-drn-p...

For $20, a Digital Recognition Network (DRN) customer can look up any license plate in the United States. If there is a match, the program will show the last time one of the company's cameras captured the plate, including a photo and information about when and where the photo was taken. The company sells the data to businesses, such as auto lenders, insurance carriers, repossession agents, and private investigators, but it can also be accessed by law enforcement. With more than 9 billion license plate scans in its database, it's a vast tracking tool that holds a massive amount of power. Vice recently looked deeper into the company and detailed how it works.



