Idaho State prison officials said they recently found an elaborate scheme in which 364 inmates exploited a software vulnerability in JPay. Through the exploit, they were able to artificially increase their JPay balances.
The tablets in question are used around the country by many prisons. They allow users to stay in touch with their family and purchase movies and other entertainment options in exchange for JPay Credits, which can be bought for money.
Yet these tablets had a software vulnerability that inmates across five prisons were able to exploit. Jeff Ray, a spokesperson for the jail, said:
“Fifty inmates credited their accounts in amounts of more than $1,000. The highest amount credited by a single inmate was $9,990.35.”
He goes on to say:
“This conduct was intentional, not accidental, it required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.”
The company behind JPay, CenturyLink, refused to comment on how the software was breached but says that all vulnerabilities have been fixed and that $65,000 of the $225,000 has been recovered. CenturyLink also noted that the money stolen was not taxpayer money.
While this particular issue is unique to prisons, the overarching lessons can be applied to all organizations. In this case, the prisoners (internal actors) carried out a serious exploit from inside the prison; in your organization, employees can do the same thing (either on purpose or by accident). With a strong UEBA solution, we believe that this attack could have been easily detected. The solution would work as follows: a baseline set of behaviors would be created for prisoners, and once the system picks up the large increase of JPay credits, which is an obvious variance in prisoner behavior, analysts would be able to investigate and find the vulnerability much faster.
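The baseline-and-variance check described above, sketched as an added example that is not from the original post or from any UEBA product. The account IDs, credit amounts, threshold and MAD floor are constructed assumptions, and the scoring method (a median/MAD modified z-score) is one common choice, not the one any vendor is known to use.

```python
from statistics import median

# Constructed sample data (not real JPay records): daily credit totals per account.
HISTORY = {
    "acct-001": [10.0, 12.5, 0.0, 15.0, 10.0, 8.0, 12.0],
    "acct-002": [5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0],  # flat history, zero variance
    "acct-003": [20.0, 25.0, 18.0, 30.0, 22.0, 19.0, 24.0],
}
# Constructed "today" observations; acct-004 has no history of its own.
TODAY = {"acct-001": 11.0, "acct-002": 1200.0, "acct-003": 28.0, "acct-004": 9990.35}


def robust_baseline(values, floor=1.0):
    """Return (median, MAD). MAD is floored so a flat history can still be scored."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(mad, floor)


def modified_z(value, med, mad):
    """Modified z-score: uses median/MAD so past outliers do not hide new ones."""
    return 0.6745 * (value - med) / mad


def flag_anomalies(history, today, threshold=3.5):
    """Return [(account, amount, score)] for credits far above the baseline."""
    # Peer-group baseline is the fallback for accounts with no history.
    peer = robust_baseline([v for vals in history.values() for v in vals])
    alerts = []
    for account, amount in today.items():
        own = history.get(account)
        med, mad = robust_baseline(own) if own else peer
        score = modified_z(amount, med, mad)
        if score > threshold:  # only unusually large increases are of interest
            alerts.append((account, amount, round(score, 1)))
    return sorted(alerts, key=lambda a: a[2], reverse=True)


if __name__ == "__main__":
    for account, amount, score in flag_anomalies(HISTORY, TODAY):
        print(f"ALERT {account}: credited {amount:.2f}, modified z = {score}")
```
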
This isn’t the only attack that prisons have faced this year. In April, a young hacker was sentenced to 7 years in prison after he hacked Washtenaw County Jail systems and modified their records to get his friend out early.
The Hacker News reports that he did this by:
“install[ing] malware on the IT staff computer that eventually gave [the hacker] complete control over the Jail’s network, allowing him to steal search warrant affidavits and personal details of over 1,600 employees, including names, email addresses, and passwords.”
To keep your organization safe from a host of internal and external threats, make sure to reach out and contact us.