City, state websites could be vulnerable to hackers

(NEWS CENTER) -- Credit-card data theft is exploding. It has increased 50 percent from 2005 to 2010, according to the latest figures from the U.S. Department of Justice.

However, many people don't second-guess using their credit card number online.

NEWS CENTER ran the websites where Mainers pay their bills online -- bills like water, sewer, parking tickets, fishing and hunting permits -- through the Qualys SSL Labs test.

"That [Qualys] test really just looks at what sort of encryption would be in effect if you were to engage with that website," a UMaine System's Network Systems Security Analyst said. "It's sort of like rattling the door to see if it's locked."

The website that Bangor, Kittery and Bar Harbor use to pay bills online, called "Official Payments," scored an A-.

The website used by City of Portland residents to pay parking tickets scored a B. The city issued a statement that said, "we are looking into our grade now and will seek to make improvements with our vendor since it is changes they need to implement."

But the City of Lewiston's third-party website used to pay city dues, called "Lewiston Citizen Self Service," scored an F because the security certificate expired.

NEWS CENTER contacted the City of Lewiston and alerted them to the failing grade. Lewiston's Information Technology Director Timothy Earle responded in less than 24 hours. They upgraded their website immediately.

"With the assistance of our vendor, we have resolved the rating of F that the analytic test showed. Currently, we are testing with a rating of an A. I have added this Qualys SSL Labs test to my tool kit. This will become part of my monthly testing procedure. Thank you for bringing this to our attention," Earle said.

We ran the test again after receiving the statement, and Lewiston's third-party website then scored an A.

The State of Maine's website called "PayTixx," used to pay state traffic tickets, also received an F when NEWS CENTER ran the original test. Greg McNeal (Executive Branch Chief Technology Officer), Paul VandenBussche (InforME General Manager), and Dave Packard (Maine Judicial Branch Chief Information Officer) all addressed the issue immediately.

The Maine Judicial Branch Chief Information Officer responded with this statement:

"The State of Maine routinely completes security scans of its websites and applications on a continuous basis. When the scans identify items that need to be remediated, the remediation steps are taken within scheduled maintenance windows according to timelines that follow industry best practices (such as those outlined by the Payment Card Industry) and according to the level of risk. In the case of PayTixx, we were aware that remediation steps were needed, and the application was already scheduled to be fixed according to our standard maintenance process. Citizens can rest assured that the site you inquired about posed zero threat to them. The identification and remediation of identified vulnerabilities is a normal part of operations. The vulnerability in question did not result in the exposure of personally identifiable information or payment information. We are pleased to report that the maintenance of this site has been completed and all matters have been resolved."

Jordan told NEWS CENTER it isn't just the responsibility of city website administrators to stay up to date with security. Anyone using a computer to pay bills online has a responsibility too.

"It's really more about personal behavior, and how you compute, keep your computer up to date," Jordan said. "Primarily, since we're talking about the internet, it's really about those applications that have an interface with the internet, so keeping your browser up to date, keeping your operating system up to date, whether it's Mac OS, or Windows or Linux, keeping those things current."

There is no evidence that any of the sites NEWS CENTER tested have actually exposed citizens' personal information.

If you want to protect yourself, you can use the Qualys SSL Labs test to grade any website you plan to use to pay bills.
