Cityparkering.dk – lack of trust when paying your fines online

Background

The private parking company CityParkering offers online payment of parking fines issued for improper parking on spaces that they own, as well as a way to complain about a fine. The way the online setup handles data raises concerns that call the professionalism of this company into question.

Business risks identified

Running a business can be a complex operation. Complexity usually means that you, as a business owner, will forget or simply ignore certain details because they don’t stand out as much as, for example, sales and marketing.

The industry has shown us over and over again that bad risk management can lead to a business slow-down or even total failure.

This article is meant to shed light on security and privacy issues that can affect the business and its users well beyond the technical details.

Cityparkering end “customers” face the risk of having their personal and payment information stolen

How can this impact end users?

End user personal data and financial information can be used to inflict direct financial loss.

This will further result in a lack of trust and in users avoiding Cityparkering’s services.

Why is there such a risk?

Customers can pay their fines online using their credit card details, and these can be stolen through man-in-the-middle attacks as well as phishing schemes.

link to examples where this was done

Cityparkering faces the risk of violating the Danish Data Protection Act and GDPR

How can this impact CityParkering?

Financial loss due to fines from the Data protection authority

Reputation damage due to bad publicity

Why is there such a risk?

Cityparkering has demonstrated inadequate technical safeguards for protecting personal data, and a lack of transparency about processor/sub-processor usage and personal data retention.

As a data controller, it is CityParkering’s responsibility to ensure a sufficiently secure online setup and to provide users with relevant information about how their personal data is handled. There is no information about how data is transferred to the US, nor about which service providers are used for that.

Specific violations and articles

  1. Improperly responding to a personal data request (breach of GDPR Article 15)
  2. Unlawful disclosure of data to the US, constituting a breach of GDPR Article 6(1)
  3. Personal data is stored longer than needed (breach of GDPR Article 5)

Changes recommended

There is no real help in just pointing fingers.

Risk management starts with identification and awareness of the problem (this article and the Data Protection Authority complaint), followed by a discussion of what needs to be done.

The following four items are things that most companies with an online presence fail to do, and they are the best starting point for Cityparkering.dk:

  1. Perform a web security assessment (vulnerability scan, followed by a penetration test depending on budget and findings)
  2. Address vulnerabilities found in the web security assessment
  3. Perform an inventory and document all personal data flows
  4. Train staff to understand a personal data request and respond appropriately to it

Detailed description of the issues

Submitting a form in clear text [solved at the time of publishing]

When navigating to the website to pay your fine, you will find that you need to enter your unique fine number and your car’s registration number. This is done on an insecure online form (HTTP-only). Data is transmitted over the network in clear text, which means that anybody with access to the network between me and Cityparkering can intercept the information and find out details about the car, the owner and the fine.

[Screenshot: submitting the form in clear text]

Plain-text Response containing personal data after submitting the form

After submitting the form, technical information is returned and displayed on the screen along with personal data of the car’s owner.

This is what the mix of technical and personal information looks like; I have removed the specific information and replaced it with <A DESCRIPTION IN THIS FORMAT>:

result_search=[
  {
    "ticket_id":"eNortjI2slJ6myRcIhR5wTJBa_8_a6aULDNTRxa7EM_TAn-YAk8dufl2ipI1XDAhnw-S",
    "ticket_nr":"352128117113426",
    "ticket_reg_no":"<CAR_REGISTRATION_NUMBER>",
    "ticket_obs_time":"2018-11-07 16:30:57",
    "ticket_issue_time":"2018-11-07 16:36:08",
    "ticket_betailing_id":"+71 < 352128117113426+83892897 <",
    "ticket_final_fine":"<AMOUNT_TO_BE_PAID>",
    "ticket_amount_due":"<AMOUNT_TO_BE_PAID>",
    "ticket_vat":<AMOUNT_THAT_IS_VALUE_ADDED_TAX>,
    "ticket_pvagt_remark":"<THE-CITYPARKERING-EMPLOYEE-REMARK-ON-THE-FINE>",
    "ticket_status":"206",
    "is_cp_ticket":true,
    "has_active_complaint":true,
    "has_max_complaint":false,
    "car_make":"FORD",
    "car_model":"FIESTA 5 D\u00d8RS",
    "owner_name":"<CAR_OWNER_NAME>",
    "owner_address":"<CAR_OWNER_ADDRESS>",
    "owner_postal":"<CAR_OWNER_POSTAL_CODE>",
    "owner_country":"Danmark",
    "payment_data":[
      {
        "code":"Afgift udstedt",
        "created_time":"2018-11-07 16:36:47",
        "cp_created_time":"2018-11-07 16:36:47",
        "reminder":0,
        "principal":<AMOUNT_TO_BE_PAID>
      }
    ],
    "images":[
      "<LINK1-TO-PHOTOS-OF-MY-CAR>",
      "<LINK2-TO-PHOTOS-OF-MY-CAR>",
      "<LINK3-TO-PHOTOS-OF-MY-CAR>",
      "<LINK4-TO-PHOTOS-OF-MY-CAR>",
      "<LINK5-TO-PHOTOS-OF-MY-CAR>",
      "<LINK6-TO-PHOTOS-OF-MY-CAR>",
      "<LINK7-TO-PHOTOS-OF-MY-CAR>"
    ],
    "ticket_address":"<ADDRESS-WHERE-THE-PHOTOS-WERE-TAKEN>",
    "ticket_forseelsens":"<REASON-FOR-THE-FINE>",
    "ticket_customerNo":"511",
    "ticket_customer_name":"<THE-OWNER-OF-THE-SPACE-WHERE-THE-CAR-WAS-PARKED>"
  }
]

The personal data I am referring to is:

  • <CAR_OWNER_NAME>
  • <CAR_OWNER_ADDRESS>
  • <CAR_OWNER_POSTAL_CODE>

This information was not supplied by me, meaning that they obtained it from another source and are now transmitting it over the internet on insecure connections.
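The fix on the server side is data minimisation: the lookup response should carry only what the payment page needs, and nothing the client did not already know. The following Python is an added example, not Cityparkering’s code; it reuses the field names from the captured response above with constructed placeholder values, and the allowlist of fields a payment page needs is an assumption made for the example.

```python
"""Data minimisation for the fine-lookup response.

Added example, not Cityparkering's code. The raw record below reuses the
field names from the captured response; its values are constructed
placeholders. Which fields a payment page actually needs is an assumption."""
import copy

# Fields a person needs in order to recognise and pay a fine (assumed).
TICKET_FIELDS = {
    "ticket_nr", "ticket_reg_no", "ticket_obs_time", "ticket_final_fine",
    "ticket_amount_due", "ticket_vat", "ticket_status", "ticket_address",
    "ticket_forseelsens", "has_active_complaint", "has_max_complaint",
    "payment_data", "images",
}
PAYMENT_FIELDS = {"code", "created_time", "reminder", "principal"}

# Personal data the client never needs: the user already typed the registration
# number, and the owner details came from a different source altogether.
OWNER_FIELDS = {"owner_name", "owner_address", "owner_postal", "owner_country"}


def minimise_ticket(record):
    """Return a copy of ``record`` containing only allow-listed fields.

    An allowlist (rather than a blocklist of known-sensitive names) means a
    field added to the backend record later is withheld by default."""
    out = {k: copy.deepcopy(v) for k, v in record.items() if k in TICKET_FIELDS}
    out["payment_data"] = [
        {k: v for k, v in entry.items() if k in PAYMENT_FIELDS}
        for entry in record.get("payment_data", [])
    ]
    return out


def exposed_owner_fields(response):
    """Owner fields present in a response; useful as a regression check."""
    return sorted(OWNER_FIELDS & set(response))


# Constructed record in the shape of the captured response; values are placeholders.
RAW_RECORD = {
    "ticket_id": "<OPAQUE-TICKET-ID>",
    "ticket_nr": "<FINE-NUMBER>",
    "ticket_reg_no": "<CAR_REGISTRATION_NUMBER>",
    "ticket_obs_time": "2018-11-07 16:30:57",
    "ticket_issue_time": "2018-11-07 16:36:08",
    "ticket_betailing_id": "<PAYMENT-LINE>",
    "ticket_final_fine": "<AMOUNT>",
    "ticket_amount_due": "<AMOUNT>",
    "ticket_vat": 0,
    "ticket_pvagt_remark": "<EMPLOYEE-REMARK>",
    "ticket_status": "206",
    "is_cp_ticket": True,
    "has_active_complaint": True,
    "has_max_complaint": False,
    "car_make": "<MAKE>",
    "car_model": "<MODEL>",
    "owner_name": "<CAR_OWNER_NAME>",
    "owner_address": "<CAR_OWNER_ADDRESS>",
    "owner_postal": "<CAR_OWNER_POSTAL_CODE>",
    "owner_country": "Danmark",
    "payment_data": [{"code": "Afgift udstedt", "created_time": "2018-11-07 16:36:47",
                      "cp_created_time": "2018-11-07 16:36:47", "reminder": 0,
                      "principal": "<AMOUNT>"}],
    "images": ["<LINK1-TO-PHOTOS>"],
    "ticket_address": "<ADDRESS>",
    "ticket_forseelsens": "<REASON-FOR-THE-FINE>",
    "ticket_customerNo": "511",
    "ticket_customer_name": "<SPACE-OWNER>",
}

if __name__ == "__main__":
    print(exposed_owner_fields(RAW_RECORD))                    # four owner fields leak
    print(exposed_owner_fields(minimise_ticket(RAW_RECORD)))   # []
```

Internal fields such as ticket_id, the employee remark and the customer number disappear along with the owner data; the images stay in this version because they are the evidence for the fine, and whether they should be served at all is a separate retention question.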

Handling personal data with processors outside EU

CityParkering’s privacy policy does not say anything about processing my data in the US, but as can be seen in the screenshot below, they send emails from a data-center in Seattle, USA.

[Screenshot: auto-reply email showing it was sent from a data-center in Seattle, USA]

Lack of input validation and susceptibility to XSS [partially solved at the time of publishing]

Most forms on the website accept any kind of input, which makes XSS attacks possible. This exposes Cityparkering’s users to theft of sensitive information, session hijacking (an attacker acting as the logged-in user), keystroke capture and other attacks that steal the user’s data and use it against them.
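The two controls that close this class of issue are strict validation of what the form accepts and HTML-escaping of every untrusted value at the point of output. The Python below is an added example, not Cityparkering’s code; the field formats (a fine number of 10 to 20 digits, a Danish registration number of two letters and five digits) and the malicious sample input are assumptions constructed for the example.

```python
"""Input validation and output encoding for a fine-lookup form.

Added example, not Cityparkering's code. Field formats are assumptions:
a fine number is 10-20 digits, a Danish plate is 2 letters and 5 digits."""
import html
import re

FINE_NR_RE = re.compile(r"^[0-9]{10,20}$")
# Two letters and five digits, optionally spaced as on the plate, e.g. "AB 12 345".
REG_NO_RE = re.compile(r"^[A-Z]{2} ?[0-9]{2} ?[0-9]{3}$")

# Constructed sample of hostile input a form must not echo back raw.
MALICIOUS_INPUT = "<script>alert(1)</script>"


def validate_lookup(form):
    """Return (cleaned_fields, errors); anything outside the expected format is rejected."""
    cleaned, errors = {}, {}
    fine_nr = (form.get("ticket_nr") or "").strip()
    reg_no = (form.get("reg_no") or "").strip().upper()
    if FINE_NR_RE.match(fine_nr):
        cleaned["ticket_nr"] = fine_nr
    else:
        errors["ticket_nr"] = "must be 10-20 digits"
    if REG_NO_RE.match(reg_no):
        cleaned["reg_no"] = reg_no.replace(" ", "")   # canonical form for lookup
    else:
        errors["reg_no"] = "must look like AB12345"
    return cleaned, errors


def render_result_unsafe(reg_no):
    """The vulnerable pattern: user input concatenated straight into HTML."""
    return "<p>No fine found for registration " + reg_no + "</p>"


def render_result(reg_no):
    """Hardened: the untrusted value is HTML-escaped (including quotes) at output."""
    return "<p>No fine found for registration " + html.escape(reg_no, quote=True) + "</p>"


if __name__ == "__main__":
    print(validate_lookup({"ticket_nr": "352128117113426", "reg_no": "ab 12 345"}))
    print(validate_lookup({"ticket_nr": "abc", "reg_no": MALICIOUS_INPUT}))
    print(render_result_unsafe(MALICIOUS_INPUT))   # browser would execute this
    print(render_result(MALICIOUS_INPUT))          # browser shows it as text
```

Validation alone is not enough, because values such as the owner name come from another source and not from the form; escaping at output is the control that holds regardless of where a value originated.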

Redirection to a payment platform from a non-secure location [solved at the time of publishing]

Very conveniently, one can pay the fine online. After seeing the fine details, you are forwarded to a payment portal, redirected from a non-HTTPS page.

[Screenshot: HTTP headers of the redirect from cityparkering.dk to mitcp.dk, showing the Referer header]
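Both of the transport issues above (the HTTP-only lookup form, and the hand-off to the payment portal from an HTTP page, where the browser’s Referer header carries the originating URL) can be caught in a routine check of a page and its response headers. The Python below is an added example, not Cityparkering’s code: it parses a constructed sample page for form actions that resolve to clear-text HTTP and flags missing Strict-Transport-Security and a permissive Referrer-Policy. The host names and headers are placeholders invented for the example.

```python
"""Offline audit of a captured page: does any form submit over clear-text HTTP,
and can a redirect to another site carry the page URL in the Referer header?

Added example (not Cityparkering's code). The sample HTML and headers are
constructed; host names are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Policies that never send the page path to a cross-origin destination.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}


class _FormCollector(HTMLParser):
    """Collect the resolved action URL of every <form> on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        action = dict(attrs).get("action") or ""
        # An empty or relative action resolves against the page URL, so a form
        # on an http:// page with action="lookup.php" still submits in clear text.
        self.actions.append(urljoin(self.page_url, action))


def insecure_form_actions(page_url, page_html):
    """Return form action URLs that would carry submitted data over plain HTTP."""
    collector = _FormCollector(page_url)
    collector.feed(page_html)
    return [a for a in collector.actions if urlsplit(a).scheme != "https"]


def transport_findings(page_url, response_headers):
    """Flag transport weaknesses visible from the page URL and its response headers."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page served over clear-text HTTP")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security header")
    policy = headers.get("referrer-policy", "").strip().lower()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy lets the full page URL reach other sites "
                        "(e.g. a payment portal) via the Referer header")
    return findings


# Constructed sample: a fine-lookup page served over HTTP with a relative form
# action, plus a second form that hands off to an HTTPS payment host.
SAMPLE_PAGE_URL = "http://parking.example/pay"
SAMPLE_HTML = """
<form method="post" action="lookup.php">
  <input name="ticket_nr"> <input name="reg_no"> <button>Find fine</button>
</form>
<form method="get" action="https://pay.example/start"><button>Pay</button></form>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "example"}

# What a corrected deployment would return for the same page.
HARDENED_PAGE_URL = "https://parking.example/pay"
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print(transport_findings(SAMPLE_PAGE_URL, SAMPLE_HEADERS))
    print(transport_findings(HARDENED_PAGE_URL, HARDENED_HEADERS))
```

Serving everything over HTTPS removes the first two findings; the Referrer-Policy check matters even afterwards, because a lookup URL that embeds the fine number would otherwise be passed on to whichever third-party site the user is redirected to.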

My personal data was still available online 1 year after dealing with all this

After 1 year (see Timeline below), I was curious to see whether a setup as poorly configured as CityParkering.dk’s would at least delete my data. I still found photos of my car and personal data related to me, even after 1 year.
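Retention is something a scheduled job should enforce rather than something a customer has to discover a year later. The Python below is an added example, not Cityparkering’s code; it encodes the two retention periods the company quotes in the Timeline below (deletion 30 days after an unopposed fine is paid, and accounting material kept 5 years from the end of the financial year it concerns) and checks the author’s own dates against them. Which retention class each artefact belongs to is exactly the question in dispute, so the mapping in the sample record is an assumption; a calendar financial year is also assumed.

```python
"""Retention check for fine records.

Added example, not Cityparkering's code. Encodes the two periods quoted in the
post's Timeline: payment data goes 30 days after an unopposed fine is paid;
accounting material stays 5 years from the end of the financial year it
concerns. Artefact-to-class mapping and calendar financial year are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PAYMENT_GRACE = timedelta(days=30)
ACCOUNTING_YEARS = 5


@dataclass
class FineRecord:
    ticket_nr: str
    issued: date
    paid_on: Optional[date]
    complaint_open: bool
    artefacts: Dict[str, str]   # artefact name -> "payment" or "accounting"


def retention_deadline(record: FineRecord, retention_class: str) -> Optional[date]:
    """Last day an artefact of this class may be stored, or None if the clock has not started."""
    if retention_class == "payment":
        if record.paid_on is None or record.complaint_open:
            return None               # the 30-day clock needs a paid, unopposed fine
        return record.paid_on + PAYMENT_GRACE
    if retention_class == "accounting":
        # 5 years from the end of the (calendar) financial year of the fine.
        return date(record.issued.year + ACCOUNTING_YEARS, 12, 31)
    raise ValueError(f"unknown retention class {retention_class!r}")


def overdue_artefacts(record: FineRecord, today: date) -> List[str]:
    """Artefacts that should already have been deleted on ``today``."""
    overdue = []
    for name, retention_class in record.artefacts.items():
        deadline = retention_deadline(record, retention_class)
        if deadline is not None and today > deadline:
            overdue.append(name)
    return sorted(overdue)


def check(record: FineRecord, today_iso: str) -> List[str]:
    """Convenience wrapper taking an ISO date string."""
    return overdue_artefacts(record, date.fromisoformat(today_iso))


# The author's fine, with dates taken from the Timeline: issued 07-11-2018,
# complaint answered 12-12-2018, paid 17-12-2018. Classification assumed.
AUTHOR_RECORD = FineRecord(
    ticket_nr="352128117113426",
    issued=date(2018, 11, 7),
    paid_on=date(2018, 12, 17),
    complaint_open=False,
    artefacts={"car_photos": "payment", "owner_personal_data": "payment",
               "complaint_correspondence": "accounting"},
)

# Constructed variant with an objection still open: the 30-day clock has not started.
DISPUTED_RECORD = FineRecord(
    ticket_nr="<FINE-NUMBER>", issued=date(2018, 11, 7), paid_on=None,
    complaint_open=True, artefacts=dict(AUTHOR_RECORD.artefacts),
)

if __name__ == "__main__":
    print(check(AUTHOR_RECORD, "2019-11-04"))    # photos and personal data overdue
    print(check(DISPUTED_RECORD, "2019-11-04"))  # nothing due while the complaint is open
```

Run against the author’s dates, the 30-day rule puts the photos and owner data past their deadline on 16-01-2019, while anything classed as accounting material is retained until the end of 2023; a job like this, run daily, is what turns a written retention policy into deletions that actually happen.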

Bad response to the data subject request to CityParkering.dk

Noticing the issues described above, I decided to write to CityParkering.dk to ask for 1) a copy of all my personal data, 2) the reason why all data is kept online for so long, and 3) deletion of all my personal data.

My request was not understood and I was asked multiple times to read their privacy policy. I eventually got access to some of the personal data via a self-service page that depended on a piece of information (the fine number) used over 1 year earlier.

Even though Cityparkering did reply to my request (eventually), the reply was neither straightforward nor complete, and it depended on information I had not been told I would need later on.

Seeing this poor response, I filed a complaint with the Data Protection Authority, which is still handling the case. Updates will be added as the case progresses (see Timeline below).

Timeline

  • 07-11-2018 16:36 – I receive the fine in the car window; photographs of the car are posted online
  • 14-11-2018 16:00 – I filed a complaint about the fine on their website and received an acknowledgment email
  • 12-12-2018 07:37 – the answer to the complaint was sent by email, concluding that I still have to pay
  • 17-12-2018 – fine is paid via bank transfer
  • 04-11-2019 15:10 – after 1 year, I verified that images related to the fine are still on the website
  • 04-11-2019 15:12 – I requested a copy of all personal data by sending an email to [email protected]
  • 05-11-2019 – received reply that I should go to the “persondata page” (https://www.cityparkering.dk/gdpr.php). My request was not understood and I followed up with a clear specification that it is a personal data request
  • 06-11-2019 08:45 – received reply that I can download the data on my own using the details from the fine – I used 352128117113426, which is from the most recent fine. Normally you would not keep this information for such a long time, and I do not have the information from a previous fine, so I could only access part of the personal data that they had.
  • 06-11-2019 11:00 – I go to the website to download the personal data as instructed. A PDF file was downloaded with the details of the fine.
  • 06-11-2019 20:21 – I requested information about how to access all other information that the data controller has about me and reiterated the question on retention and the purpose of keeping the data for so long.
  • 18-01-2019 10:16 – reply received from the data controller saying that “We delete the information after 30 days, if the fine is paid and there has been no objection to it. You can read more about it on our website under “Persondata”. Emails are deleted after they have been answered.” Even though
  • 18-01-2019 14:30 – I reply, highlighting that images of the car were still available online and that their explanation does not make sense.
  • 18-01-2019 14:59 – reply received saying that data related to complaints can be kept for up to 5 years. The privacy policy states that this is done in the case of accounting material: “at opbevare regnskabsmateriale på betryggende vis i 5 år fra udgangen af det regnskabsår, materialet vedrører.” (to store accounting material securely for 5 years from the end of the financial year to which the material relates). Not sure how photos of my car and my personal data are relevant to their accounting.
  • 02-12-2019 09:55 – I filed a complaint with Datatilsynet
  • 03-12-2019 – I receive an automatic reply from Datatilsynet
  • 09-12-2019 20:20 – I follow up with Datatilsynet on eBoks
  • 13-12-2019 11:53 – Datatilsynet replies by email asking me to confirm the scope of the complaint
  • 16-12-2019 14:50 – I reply to Datatilsynet by email, confirming the points they identified and adding a 3rd one
  • 10-01-2020 – Datatilsynet replies on eBoks, mentioning that 1) the case will be handled within 8 months, or longer depending on the nature of the case, and 2) CityParkering has been informed about the case and a reply is needed from them within 3 weeks of the then-current date. That means CityParkering has to get back to Datatilsynet by 31-01-2020
  • 29-01-2020 – Cityparkering replies to Datatilsynet (2 days before their deadline) with answers that deflect the actual question.
  • 31-01-2020 – Datatilsynet replies on eBoks requiring my input within the next 3 weeks.
  • 04-02-2020 – I reply to Datatilsynet on eBoks, reiterating my points and explaining how Cityparkering is not properly answering the questions.
  • 27-03-2020 – Datatilsynet replies on eBoks; Datatilsynet has asked City Parkeringsservice A/S for an additional statement

Disclaimer

In case Cityparkering.dk is not too happy with this post, they can read the following:

  1. Details about security vulnerabilities were published after they were fixed, and Cityparkering.dk cannot hold me liable for any direct or indirect impact on their technical setup because of the details posted in this article.
  2. No invasive actions were performed to uncover the information above. The findings contain only publicly available information, which can be obtained using the same piece of software (a web browser) that was used to access their platform.