Civica pay hack / data leak council tax card payments.

boneofo

I suspect Civica pay services for Manchester city council have had a data leak or breach. They were down for over a week at the start of September and at the time when I looked into it, other local authorities using Civica for revenues payments (council tax) were fine.
The company did not respond to a queries about it and since the middle of October, my card which only Civica has the CVV for has been used for digital services purchases that don't need SCA approval.

Zanderman

You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.

flaneurs_lobster

Zanderman said:

You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.

@boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

Changing the payments for Council Tax to Direct Debit can't hurt either.

boneofo

Zanderman said:

What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.

Your perceptive on the amazon purchase but I didn't know about the CVV. Thanks.

flaneurs_lobster said:

Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

Recent hacks such as large goverment supplier Capita took a while to become public.

SiliconChip

It's unlikely that you have a customer relationship with Civica which is probably why they didn't respond to you. More importantly, what have Manchester City Council said to you about it when you asked them, and have you raised it with your councillor? I suspect, like other posters, that you've made a bit of a leap but if it's bothering you the council is the place to turn to for answers.

masonic

flaneurs_lobster said:

Zanderman said:

You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.

@boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

Changing the payments for Council Tax to Direct Debit can't hurt either.

The security of the device(s) used to go online and pay the council tax should also be examined, as a compromise on the individual's side is much more likely if the alleged breach has only so far affected one individual. But as you say, it's more likely to be a physical compromise, perhaps by someone the OP knows, if the pattern of transactions isn't typical of a seasoned fraudster.

FWIW, I use Civica, as I suspect do many other forumites. There's been enough time since the OP's troubles started for any more widespread problem to have come to light.

born_again

flaneurs_lobster said:

Zanderman said:

You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.

@boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

Changing the payments for Council Tax to Direct Debit can't hurt either.

Retailer do not store CVV. That is a breech of card detail storage & leads to a very big fine.

https://www.globalpaymentsintegrated.com/en-us/blog/2020/01/14/card-verification-codes-pci-rules-for-data-storage#:~:text=In the case of a,only under very specific reasons.

Card verification codes are a security feature typically used in a card-not-present environment (e-commerce, mail order/telephone order). The intent of this code is to ensure that the customer has the physical card during transactions where the merchant is unable to physically swipe the card. CVV data is not necessary for card-on-file transactions or recurring payments, and storage of this data is prohibited by the PCI-Data Security Standard.

 In the case of a recurring or card-on-file transaction, the CVV is not expected. PCI-DSS requirement 3.2.2 specifically prohibits storage of the card verification code or value after authorization. The only entity that can ever store this data is an issuer, and only under very specific reasons.

Surprising Netflix & m365 are very common fraud.

Zanderman

Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely.  OP says only Civica had the CVV, but actually, from the info above, they just had it once  to authorise ongoing C Tax payments and could not store it, so they don't have it.

And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!

Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.

masonic

Zanderman said:

Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely.  OP says only Civica had the CVV, but actually, from the info above, they just had it once  to authorise ongoing C Tax payments and could not store it, so they don't have it.

And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!

Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.

I don't think Civica supports ongoing payments (at least I've found no way to set that up). They process only one-off payments for my LA. For ongoing payments a DD is required.

Amazon does request the CVV when adding a new card, and presumably uses it to set up a CPA for ongoing payments thereafter.

If any of the OP's transactions were verified by CVV, then as you say, it strongly points away from a provider data breach.