Auckland City Council has fast-tracked a $4 million upgrade of the payment machines at four inner-city parking buildings after thieves hacked the system and obtained the credit card details of tens of thousands of commuters.
Details of the fraud remain shrouded in secrecy, with the banks, the council and police reluctant to reveal how many cards were affected and how much money was stolen while the crime, believed to have involved a criminal network operating from overseas, is investigated.
It is thought that at least 100,000 credit cards were replaced after what police yesterday described as a "hacking" of a database from the Downtown carpark in central Auckland in November.
Auckland City Council's parking manager, Dale Clements, said the council hoped to have the new "state-of-the-art" system in place by the end of the year.
He said parking prices would not rise because of the new system and the money had been sourced from the council's capital expenditure budget a year early. Ratepayers wouldn't miss out on anything as a result of the funding reshuffle, he said.
The Downtown carpark's payment system was 10 years old and was due to be replaced and, because that was being upgraded, the council had also decided to replace the machines at the Civic, Victoria St and Karangahape Road carparks.
Mr Clements said the new system would be more secure, with software that could be more easily upgraded than the old system. It would also be linked to a security camera network.
Mr Clements said police had not told the council where the security breach had occurred and they awaited the outcome of the inquiry.
But information technology security expert and forensic investigator Daniel Ayers - whose own Visa card was replaced by ASB bank because of the fraud - said the breach meant that either the council's automatic payment machine or a related computer system containing credit card details had been hacked.
He said the council's exposure to fraud was "outrageous".
"Should they have allowed themselves to get in this situation? No, they shouldn't have," he said. "I guess the next question is: 'What else [is being] stolen from inside the council? ... Is it isolated to credit card data?'"
Thieves who hacked a system could save the credit card details on to generic cards, which they used as if they were the original, he said.
Two victims of the scam told the Herald their cards had been used in Phoenix, Arizona, which implied hacking from overseas.
Many others who used the payment machines were sent new cards by their bank as a precautionary measure, even though their cards had not been used.
Mr Clements defended the council's security, saying that since the fraud was discovered, credit card payments could be made only at a staffed booth, which was more secure because the Eftpos system used went directly to the bank.
Fraud cases hasten $4m upgrade of city carparks