Last week some Swedish news agencies reported about identity fraud on a well-known mobile parking app, Parkster. Fraudsters have much too easily been able to register fake accounts with another person’s personal information, avoiding payment for their usage of the mobile app services. This is unfortunately a well-established fraud method and even more unfortunate when innocent persons got affected. Especially when such infringements affect our elderly. For example, Swedish news reported that a 95-year lady in Sundsvall, Sweden got invoices of 280 EUR from Parkster. Even though she has never owned a car.

Parkster, who has agreements with more than 150 Swedish municipalities, is now receiving sharp criticism for lack of security in its app.

Another mobile parking app targeted for cybercrime lately was ParkMobile in North America. Hackers managed to steal data and account information for almost 22 million customers. And as usual in profit-seeking cybercriminals, the stolen data was later for sale.

ParkMobile wrote a security notification on their website on March 26th, saying that one of their services had been hacked and unauthorized hackers have gained access to customer data.

“We recently became aware of a cybersecurity incident linked to a vulnerability in a third-party software that we use. In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities.” [ParkMobile website]

Soon after ParkMobile’s security notification the stolen data were seen for sale to other hackers for $125,000. But, a few days later the stolen data were released for free on other hacker forums. This is not an unusual procedure, since if a hacker has been unable to sell, or little interest have been shown from potential buyers, the stolen data are often given away in order to increase the hacker’s reputation and validity in the hacking community. Anyone can so download the stolen data as a 4.5 GB CSV file. (No link provided.)

The shared data have been confirmed as legitimate and includes customers’ first and last names, initials, mobile numbers, email addresses, usernames, bcrypt hashed passwords, mailing address, license plate numbers, and vehicle information. ParkMobile like to stress though that no credit card information were accessed, neither were data related to the user’s parking transaction history accessed. [ParkMobile website]

Written by Joakim Rosell