Based on my first-hand experience of discovering approximately 3000 credit card images, driver's licenses and passports in a data breach, the answer is:

| Vendor | Note | Pass / Fail |
|--------|------|-------------|
|        | I received a token gesture of "we will look into it, but we don't want any details". 2 weeks later I'm still waiting for someone to get back to me. | |
|        | "Don't call us, call the issuing banks, we don't want to be bothered". After calling them out publicly on Twitter, I got an initial "we want to help" message, but that soon led nowhere, with no response on how to get them the details. | |
|        | Within 20 minutes I was called back by a local security employee, and a physical hand-off was completed within 6 hours of initial contact. | |
| Discover | After finding the right person within Discover, I was able to fax in the card numbers and have them addressed. Every customer rep I talked to on the phone apologized for the situation and thanked me for taking my personal time to ensure their customers were notified properly. | |


In today's age of never-ending massive data breaches, you would expect companies like Visa and Mastercard to have procedures in place for third parties to report data breaches, but I guess they would rather ignore the problem and bury their heads in the sand.



Background:

During the recent development of an MQTT-related security analysis tool, I came across an MQTT server run by Jobox.ai ("A stealth mode AI startup disrupting the on-demand economy") which was exposing the messages between two national service dispatch companies and individual locksmiths.

Inspecting the MQTT server directly (DNS, port scan, whois, etc.) did not lead to any significant clues about the owner, so I attempted to identify the party by looking at the content of the messages being passed.

After several minutes of review it became clear that there were two very distinct and concerning types of messages being passed. Both contained a URL that gave me clues about who the parties involved might be:

[
  {
    "type": "APPLOZIC_02",
    "message": {
      "fromUserName": "Yossi [(469) 929-5770]",
      "message": "Company: American Services\nJob: 5WQ9S\nName: Amanubel\nPhone1: 775-990-3367\nJob Type: Car Lock-out\n2002 TOYOTA Corolla Silver\nPrice: Service Fee 29.00 Price From: 19.00 - 200.00\nAddress: 1442 South Parker Road\nDenver, CO 80231\nJob\nNotes: verify address @ Walmart Neighborhood Market\ncustomer answered and said, HAVE TECH CALL ASAP PLEASE SEND K\nAccept Click Below\nhttp://dispatchlogin.net/link/j/1O6WY8QJ1Z/accept/1/1\nThank you\nI offer hem 75 he’s saying company told hem 30$",
      "createdAt": "Nov 10, 2018 11:57:39 PM"
    }
  },
  {
    "type": "APPLOZIC_02",
    "message": {
      "fromUserName": "Aaron [(619) 966-8194]",
      "message": "JOB #JF7-4FP9 ACCEPTED \u0026 IN PROCESS\n--------------------------------------\nJob Details:\n24/7 locksmith misha office  Deloris   (14702033616 #601)\n2701 Peach Orchard Road, Augusta, Georgia 30906  Car Lock Out\nConfirm: s1j.co/j/BT5CXY Notes:",
      "metadata": {
        "summary": "[{\"jobId\":206973,\"createdAt\":1541865334352,\"senderId\":1585,\"receiverId\":3717,\"notes\":\"\",\"fee\":0,\"tax\":6,\"id\":757218,\"fraction\":35,\"status\":\"ACCEPT\"}]",
        "jobox_type": "JOB_STATUS",
        "description": "24/7 locksmith misha office  Deloris   (14702033616 #601)  2701 Peach Orchard Road, Augusta, Georgia 30906  Car Lock Out   Confirm: s1j.co/j/BT5CXY Notes:",
        "receiver_name": "Aaron Hayman",
        "job_reference_id": "JF74FP9",
        "status": "ACCEPT"
      }
    }
  }
]

Observations from the messages:

There are 3 items of interest in the messages above:

APPLOZIC_02

Applozic is a set of chat SDKs and messaging APIs used to build real-time messaging on top of MQTT. I have found several Applozic servers during my research which are misconfigured to allow anyone to subscribe to the "#" topic and receive all messages.
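To make the "#" problem concrete, here is an added Python example (not Applozic's, Jobox's or any broker's code) implementing the MQTT 3.1.1 topic-filter matching rules and two subscribe policies: the permissive one that accepts any filter from anyone, and a hardened one that refuses anonymous clients and only grants filters no wider than a user's configured ACL entry. The user names, topics and grants are constructed for the demonstration.

```python
"""MQTT topic-filter matching and a minimal subscribe ACL.

Added example, not Applozic's, Jobox's or any broker's code. It shows why a
broker that lets unauthenticated clients subscribe to "#" leaks every message:
under the MQTT 3.1.1 matching rules (section 4.7) "#" matches every topic
except the broker's own "$"-prefixed ones. The user names, topics and grants
below are constructed for the demonstration.
"""
from typing import Callable, Dict, List, Optional

Policy = Callable[[Optional[str], str, Dict[str, List[str]]], bool]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a subscription to `topic_filter` would receive `topic`."""
    # A filter that starts with a wildcard never matches $SYS-style topics.
    if topic.startswith("$") and topic_filter[:1] in ("#", "+"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # "#" is only valid as the last level; it matches the parent and all below it.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_subsumes(grant: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `grant`."""
    g_levels = grant.split("/")
    r_levels = requested.split("/")
    for i, g in enumerate(g_levels):
        if g == "#":
            return True
        if i >= len(r_levels):
            return False
        r = r_levels[i]
        if r == "#" or (g != "+" and g != r):
            return False  # the request reaches wider than the grant at this level
    return len(g_levels) == len(r_levels)


def permissive_allowed_subscribe(username: Optional[str], topic_filter: str,
                                 acl: Dict[str, List[str]]) -> bool:
    """The misconfiguration: identity and ACL are ignored, any filter is accepted."""
    return True


def allowed_subscribe(username: Optional[str], topic_filter: str,
                      acl: Dict[str, List[str]]) -> bool:
    """Hardened policy: no anonymous subscriptions, and a filter is accepted only
    when it is no wider than one of the user's configured grants."""
    if username is None:
        return False
    return any(filter_subsumes(g, topic_filter) for g in acl.get(username, []))


def visible_topics(username: Optional[str], topic_filter: str,
                   acl: Dict[str, List[str]], published: List[str],
                   policy: Policy = allowed_subscribe) -> List[str]:
    """Which of `published` this subscription would actually receive under `policy`."""
    if not policy(username, topic_filter, acl):
        return []
    return [t for t in published if topic_matches(topic_filter, t)]


# Constructed sample: per-user grants and a few topics seen on a broker.
ACL: Dict[str, List[str]] = {
    "locksmith-yossi": ["chat/yossi/#"],
    "dispatcher-1": ["dispatch/jobs/+/status"],
}
PUBLISHED = [
    "chat/yossi/inbox",
    "chat/aaron/inbox",
    "dispatch/jobs/JOB1/status",
    "$SYS/broker/uptime",
]

if __name__ == "__main__":
    for user, flt in [(None, "#"), ("locksmith-yossi", "#"), ("locksmith-yossi", "chat/yossi/#")]:
        print(f"{user!r} subscribes {flt!r}:",
              "permissive ->", visible_topics(user, flt, ACL, PUBLISHED, permissive_allowed_subscribe),
              "| hardened ->", visible_topics(user, flt, ACL, PUBLISHED))
```

Under the permissive policy an anonymous "#" subscription receives every application topic on the broker; under the hardened one it receives nothing, and even an authenticated locksmith asking for "#" is refused because "#" is wider than the "chat/yossi/#" grant. On a real Mosquitto deployment the same outcome comes from `allow_anonymous false` together with an `acl_file` that lists per-user topic patterns.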

s1j.co/j/BT5CXY

There were several messages which contained short URLs that redirected to the WorkIZ Field Service Scheduling Software site. My initial reach-out about the misconfiguration of the MQTT server was directed at WorkIz. After hearing back from them, it was identified that a third party (jobox.ai) is actually acting as a "broker" for the messages.

http://dispatchlogin.net/link/j/1O6WY8QJ1Z/accept/1/1

While I was waiting for a response from WorkIZ, I decided to check out the dispatchlogin.net site (this investigation eventually led to the data breach discovery).
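As an added Python example (not Jobox's, Applozic's or this post's own tooling), the following parses messages shaped like the two quoted above and reports the URLs, the JSON-in-a-string job summary and the phone numbers they carry, which is the analysis used above to work out who the parties were, and which also shows a defender how much personal data rides inside a supposedly opaque "chat" payload. The two messages it runs on are constructed, with made-up phone numbers, job ids and `.example` hostnames; only the key layout follows the quoted payloads.

```python
"""Pull identifying URLs, nested job data and phone numbers out of
Applozic/Jobox-style chat messages.

Added example, not Applozic's or Jobox's code. SAMPLE_JSON is constructed to
mirror the shape of the two messages quoted on the page (same keys, and the
JSON array serialised into the "summary" string); the phone numbers, job ids
and ".example" hostnames are made up.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Set
from urllib.parse import urlsplit

SAMPLE_JSON = r'''[
  {
    "type": "APPLOZIC_02",
    "message": {
      "fromUserName": "Dispatcher [(555) 010-0001]",
      "message": "Company: Example Services\nJob: ABC12\nName: Customer\nPhone1: 555-010-0002\nJob Type: Car Lock-out\nAddress: 1 Example Street\nAccept Click Below\nhttp://dispatchlogin.example/link/j/JOBID/accept/1/1\nThank you",
      "createdAt": "Nov 10, 2018 11:57:39 PM"
    }
  },
  {
    "type": "APPLOZIC_02",
    "message": {
      "fromUserName": "Tech [(555) 010-0003]",
      "message": "JOB #XY-1 ACCEPTED \u0026 IN PROCESS\nJob Details:\nExample locksmith office\nConfirm: s1j.example/j/XYZ Notes:",
      "metadata": {
        "summary": "[{\"jobId\":1,\"status\":\"ACCEPT\",\"fee\":0}]",
        "jobox_type": "JOB_STATUS",
        "job_reference_id": "XY1",
        "status": "ACCEPT"
      }
    }
  }
]'''

# Bare "host/path" references (like the s1j.co short links) count as URLs, so the scheme is optional.
URL_RE = re.compile(r'(?:https?://)?\b[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s"<>]*)?', re.IGNORECASE)
# North American formats seen in the messages: "(469) 929-5770" and "775-990-3367".
PHONE_RE = re.compile(r'\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b')


def _strings(node: Any) -> Iterator[str]:
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def hostname(url: str) -> str:
    """Hostname of a URL given with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).netloc.lower()


def analyse(payload: str) -> Dict[str, Any]:
    """Summarise what a batch of messages exposes: URLs, hosts, phones, job records."""
    messages = json.loads(payload)
    urls: List[str] = []
    hosts: Set[str] = set()
    phones: Set[str] = set()
    jobs: List[Dict[str, Any]] = []
    for msg in messages:
        for text in _strings(msg):
            for url in URL_RE.findall(text):
                urls.append(url)
                hosts.add(hostname(url))
            phones.update(PHONE_RE.findall(text))
        # Jobox packs the job status as a JSON array serialised into the "summary" string.
        summary = msg.get("message", {}).get("metadata", {}).get("summary")
        if summary:
            jobs.extend(json.loads(summary))
    return {"urls": urls, "hosts": sorted(hosts), "phones": sorted(phones), "jobs": jobs}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_JSON), indent=2))
```

The hosts list is the lead the post followed (the dispatch login site and the short-link domain); the phone list is what a privacy review would flag, since every message embeds the sender's and the customer's numbers in free text where no field-level access control can apply.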

The DispatchLogin Mystery



While attempting to identify the corporate entity that owns the dispatchlogin.net site, it became clear that there was an obvious attempt to hide who owns and runs it (whois privacy, DNS, the HTML source of the login page, 1-800 reverse lookups, backlink checking, Google search, etc.).

Using one of my regular techniques, I looked at the HTML source and any images on the page, with the end goal of checking whether directory listings were enabled.

<img src="http://dispatchlogin.net/assets/admin/img/logo_test.png"/>

BINGO.

Directory listings were enabled in the /assets/admin/img directory and several hundred images were present. To speed up reviewing the images, which I was using to determine who the company actually was, I set up my usual site downloader.
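The check described above, as an added Python example that is not the post's own tooling: derive the asset directories from a page's `<img src>` attributes, fetch each one and decide whether the body is an auto-generated index. It is written as a self-audit for sites you operate. The page, directory URLs and server responses are constructed, and the fetch function is injected so it runs offline; for a live audit pass a real HTTP GET instead.

```python
"""Self-audit for browsable asset directories.

Added example, not the page's or any site's code. It repeats the check the post
describes, for sites you operate: collect the directories that a page's
<img src> attributes point into, fetch each directory URL and decide whether
the response is an auto-generated index. Apache mod_autoindex, nginx autoindex
and most other listings share an "Index of /path" title and a list of links,
which is the signature used here. The fetcher is injected so the example runs
offline against the constructed responses below.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List
from urllib.parse import urljoin


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def asset_directories(page_url: str, html: str) -> List[str]:
    """Distinct directory URLs the page's images are served from, in page order."""
    parser = _ImgSrcCollector()
    parser.feed(html)
    dirs: List[str] = []
    for src in parser.srcs:
        full = urljoin(page_url, src)
        directory = full.rsplit("/", 1)[0] + "/"
        if directory not in dirs:
            dirs.append(directory)
    return dirs


INDEX_TITLE_RE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s+[^>]*href="[^"]+"', re.IGNORECASE)


def looks_like_listing(body: str) -> bool:
    """Heuristic: an 'Index of /...' title plus at least one link (even just 'Parent Directory')."""
    return bool(INDEX_TITLE_RE.search(body)) and bool(LINK_RE.search(body))


def audit(page_url: str, html: str, fetch: Callable[[str], str]) -> Dict[str, bool]:
    """Map each asset directory to True when the server returns a listing for it."""
    return {d: looks_like_listing(fetch(d)) for d in asset_directories(page_url, html)}


# Constructed sample: a login page and the bodies a server returned for its asset directories.
PAGE_URL = "https://site.example/login"
PAGE_HTML = (
    '<html><body><img src="/assets/admin/img/logo.png" alt="logo">'
    '<img src="/static/css/bg.png"></body></html>'
)
RESPONSES = {
    "https://site.example/assets/admin/img/":
        '<html><head><title>Index of /assets/admin/img</title></head><body>'
        '<h1>Index of /assets/admin/img</h1><ul><li><a href="../">Parent Directory</a></li>'
        '<li><a href="logo.png">logo.png</a></li><li><a href="scan_0001.jpg">scan_0001.jpg</a></li>'
        '</ul></body></html>',
    "https://site.example/static/css/":
        '<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>',
}


def offline_fetch(url: str) -> str:
    """Stand-in for an HTTP GET; returns the constructed body for known URLs."""
    return RESPONSES.get(url, "")


if __name__ == "__main__":
    for directory, browsable in audit(PAGE_URL, PAGE_HTML, offline_fetch).items():
        print(f"{directory}: {'LISTING ENABLED' if browsable else 'ok'}")
```

Listings are disabled in Apache with `Options -Indexes` and are off by default in nginx (`autoindex off;`), but turning the index off only hides file names; anything under the web root still downloads when its name is known, so scanned IDs and card images should not be stored under a web-served path at all.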

Unintended Discovery

After starting the downloader I forgot about it, and it ended up (surprisingly) running for several hours and downloading a few gigabytes of data.

After a few minutes of reviewing the data it became clear that something was seriously wrong with the configuration of the server, as well as with the company's business practices around confidential data (e.g. PCI compliance).

The following items were observed based on the data exposed:

  • The company operated under several industry-standard terms like "Locksmith services", "American Services" and "24 hour locksmith service"
  • The company operated under several email addresses, several of which were generic Gmail accounts
  • There were images and PDFs of:
    • Both sides of credit cards, including CVV numbers
    • Driver's licenses, passports and military IDs
    • Recordings of calls between the dispatch and customers
    • Emails between the dispatch, locksmiths and customers
    • Customer invoices

Note: There was only a single reference, in one set of files, to a corporate entity which could be responsible for running the service. This eventually led me to the owner, American IP Marketing.

Researcher's Dilemma

After an initial reach-out to an email address listed on some of the invoices, letting them know of the misconfiguration, I became concerned about some of the wording used in the responses, the continued avoidance of identifying themselves, and their commitment to notifying their customers of the breach.

At that point I decided to notify the credit card companies directly and ask how to get them the card numbers so they could notify their members.

It's now been over two weeks since the initial discovery, and both Visa and MC have yet to take any action on the breach information that has been provided to them.

It makes you wonder why merchant fees keep going up due to fraud, yet MC/Visa don't take timely action to prevent it even when it's wrapped up in a bow and hand delivered to them.

Darryl Burke

Over 25 years of Information Technology, Security, Hardware and Software architecture leadership, focusing on complex systems integration and mission critical applications.

The great white north http://www.burke-consulting.net