PayByPhone Secures its Systems from a Critical Vulnerability Thanks To Mirai Security
PayByPhone is a global leader in parking payment solutions. The company's smart cashless parking app is used in more than 1,200 cities across three continents.
Founded in 2001, PayByPhone sought to take the pain out of parking. Its user-friendly mobile app eliminates the need to use coins or terminals, greatly simplifying the daily journeys of its growing customer base. Since then, it has accumulated more than 70 million users while processing hundreds of millions of payments each year.
PayByPhone’s tremendous success has brought its share of cybersecurity challenges, such as maintaining compliance with regional privacy requirements across three continents and ensuring the payment information of its massive user base is secure.
The Project
In 2022, PayByPhone hired Mirai Security to conduct a penetration test. The company had recently undergone a significant infrastructural change and was required to prove it could operate securely in its new environment.
Penetration testing is prescribed by the Payment Card Industry Security Standards Council (SSC), a global forum that maintains the Payment Card Industry Data Security Standard (PCI DSS). As these penetration tests must be conducted impartially, PayByPhone had to find the right cybersecurity partner to verify its infrastructure was secure.
Although PayByPhone maintains working relationships with several cybersecurity companies, Mirai Security was the only vendor available to conduct this test in a timely and efficient manner.
Alan Ottnad, PayByPhone’s Director of IT Compliance, cites Mirai’s professionalism and expertise during previous engagements as a deciding factor in trusting Mirai once again:
“There was no hesitation in hiring Mirai for this test, as we know the quality of the team Alex [Dow, Mirai CIO] has put together and the company’s leadership.”
During the test, Mirai uncovered a previously unnoticed and potentially costly vulnerability
Our penetration testers discovered a critical vulnerability that PayByPhone’s other security partners had yet to disclose. The vulnerability concerned the use of Microsoft’s Active Directory (AD) service, which is deployed by many companies to manage network resource access.
If left unchecked, the vulnerability could have been exploited, potentially allowing an attacker to gain domain access and wreak havoc on the company’s digital infrastructure.
In Ottnad’s words, “That could have become a breached account with a straight escalation of privilege to the highest level of authority within our organization. It could have done severe damage and basically shut us down.”
OUTCOME
Fortunately, our team acted quickly and professionally so the vulnerability could be patched.
“The communication aspect was really good,” said Ottnad. “I’m a little bit specific on the reports, that they need to be individual instead of all one because I have multiple audiences.”
“We had a call every Friday, we had a Slack channel going and we had some high-priority stuff that we could fix up during the engagement.”
“My job is to make sure we get the best value for our audit dollar. Mirai found a vulnerability on our AD that the previous six years of pen testing hadn’t found. That’s value.”