On Wednesday, Summit County announced that a third-party vendor may have had a credit card breach that impacted up to 951 credit card and debit card purchases at the Summit County Fair. This impact has reportedly led to multiple County residents receiving unauthorized charges up to $5000. The County has sent a letter to each person effected and posted information online. While the County hasn’t confirmed the vendor’s name, the Deseret News stated, “[The County Spokesperson] said it is believed a third-party vendor offering online sales of tickets to the rodeo and derby was compromised.”
While the ticket vendor has been removed from the summitcountyfair.org website, the Internet Wayback Archive indicates it was:
Meanwhile, in Aberdeen South Dakota, the Brown County Fair has just wrapped up. However, weeks before Summit County had been notified of an issue by residents, Brown County was finding out they had a security issue as well. According to the Aberdeen News, “An investigation into unauthorized charges appearing on the credit card bills of some people who bought Brown County Fair grandstand entertainment tickets online is still ongoing, according to the state. There have been roughly 50 reports concerning the charges, said Tom Schmitt, chief deputy with the Brown County Sheriff’s Office. Whether the ticketing website used by the fair is a common denominator is being looked into by the state Division of Criminal Investigation.”
What company managed online ticketing for Brown County? EZticketlive.com.
There have been no formal charges against EZTicketLive in Aberdeen and The Summit County Fair incident is still being investigated. No guilt has been assessed for these credit card crimes. It should not be assumed that EZTicketLive was involved or culpable in any manner.
Yet, as a citizen of Summit County, we should take a look at their site and assess whether we would feel comfortable buying tickets from the company in the future.
Below is the website that appears to have been used for our fair:
The first thing to notice is that the site is Copyright 2006. That’s a long time ago. That doesn’t mean it was last updated then, but it does mean there is little attention to detail being paid to parts of the site. Next, when “security” seals that are supposed to indicate trust, like Credit Card Guard, are clicked, one that says the site was last scanned in 2012. Another says it was scanned July 19, 2014 and is scanned quarterly for vulnerabilities. With the pace of hackers, that just isn’t good enough. Daily security scans, which attempt to find vulnerabilities every day, are available from many major vendors. Finally, we see a seal from Authorize.net, their credit card processor, that says they are a customer. That means very little to me when I think of overall security.
The problem with all of this is that even if they are using computer scans there are so many other ways a system could be compromised. It’s far more important to be on up to date on technologies, with good programmers, who are constantly looking for problems. Unfortunately we don’t have access to that information, so we are forced to look at other tells, like a 2006 copyright, outdated seals, and that their platform that uses a previous generation technology (ASP), that is still supported by Microsoft, but is very long in the tooth.
Hindsight is 20-20, but in the future we need to demand more from our government in Coalville. Whether this theft of credit card details is related to online ticket purchases or not, we need decision makers to ensure that applications that collect our personal information, capture credit cards, or maintain sensitive data are best in class. While no system is 100% secure, the systems that our County chooses for us to use should at a minimum have the appearance of being well maintained. It is also our job as citizens to stand up, raise our hands, and not use systems that don’t appear to have our best interests at heart. That is one way to ensure we are receiving the protection we need.