We checked dozens of local government websites local residents use to pay water bills, apply for permits, and check tax records.
Tampa, Florida -- A few months ago Target and Michaels were among the few to announce a massive credit card security breach.
So 10 Investigates started digging deeper into other websites you use your financial information, create user names, and passwords to log-in. We checked dozens of local government websites local residents use to pay water bills, apply for permits, and check tax records.
We tested the page using Qualys SSL Labs, a site that tests the URL and reports a letter grade based on that website's vulnerability.
The results were surprising!
Hillsborough County, Pasco County, and the city of St. Petersburg utilities websites all earned failing grades.
A 10 News investigation leads to better web security for taxpayers using municipal sites.
We took our results to University of South Florida cyber security expert Dr. Manish Agrawal.
"The results that we have here really mean, at one point in the communication the information is unencrypted," Agrawal said, "What that means is if an attacker is able to, at some point in the communication, have access to the information exchange they will be able to read the rest of the communication."
Earl Williams is in charge of network security for Hillsborough County and we brought the county utility website test results to him.
"It is a surprise to me that is was an F," Williams said.
He says while his team is certain credit card and other payment information handled through third-party providers is safe, when it comes to user names and passwords there's room for improvement.
"In 2008 when that application was built, what they did, was standard then," Williams said. "What you have pointed out is that it has not been updated — and I want to point out the reason it has not surfaced — it has not been a problem."
We also brought the website vulnerabilities to the attention of Pasco County's IT security experts.
"Thanks to 10 News we were able to take a look at some of our security measures and enhance what we had already in place," said Pasco County's spokesperson Doug Tobin.
IT experts and Tobin said they were also surprised by the failing grade and worked to make immediate improvements to their site.
"Just the fact that we acted as quickly as we did," Tobin said, "should show you just how important we do believe making sure our customers' information is secure."
The counties and cities also point out there were no breaches of protected information and much of what could have been left vulnerable, would have been public information anyway.
Among the dozens of sites we tested, where user names and passwords were entered, most local municipal websites did receive As and Bs.
The City of St. Petersburg IT experts said they found nothing that would put their users at risk, but say they wanted to earn that A grade and made the simple changes needed to enhance security.
Hillsborough County also quickly made changes but said no one was ever at risk of having payment information compromised.
"If somehow they guessed your account number and then guessed your pin number the only thing they'd have access to is your water bill," said Williams of Hillsborough County Network Security. "So maybe they could pay it for you — I mean they don't have access to any other information — there is nothing else stored there."
Experts say despite the low risk, you can never be too cautious when it comes to cyber security, and one tip everyone agrees on is that you should never use the same user names and passwords for every site.
Agrawal said these public websites are paid for revenue from the taxpayers who deserve a website that is up to date when it comes to security.
"Yes it certainly cause for concern because it is a reasonably simple fix and it should be done," said Agrawal.
If that information is compromised, hackers could access more sensitive sites containing your banking and medical records.
If you'd like to test out the security on websites you frequent, test them on the Qualys SSL Labs site. Once on the homepage, click on "Test Server" and enter in the URL of the site you would like to test.
Since our report, several sites, including Hillsborough and Pasco utilities have received passing grades, B or higher on the Qualys SSL lab test.
Pasco County spokesperson Doug Tobin also issued this statement:
"Pasco County wants to assure our customers that securing customer information is extremely important to us. Please rest assured that your online utility payment information has been and remains secure and complies with Payment Card Industry – Data Security Standard compliance (PCI DSS).
"Steps have also been taken to improve security of the website. We have updated software resulting in an overall security rating of 'A,', from a previous 'B' rating. Pasco County will continue to diligently pursue effective measures for protecting sensitive customer information.
"Pasco County Utilities is utilizing a 3rd party vendor (payment provider) to handle online payments that are made using our new Customer Information System's (CIS) Online web portal. When a customer chooses the option to make an online payment, they are redirected to the 3rd Party Vendor's website (Harris Payment Gateway) which is certified to be PCI DSS compliant. Pasco County Utilities does not save any credit card information and when a customer provides their credit card information into the 3rd Party Vendor's web pages, the information is not saved and is only used for that specific transaction. Pasco County Utilities' Customers can be assured that their credit card information is secured when using the online payment option."
We also tested the Sarasota County Tax Collector website where users are to enter a password to access and organize multiple properties on their county website.
When tested, it too showed vulnerabilities.
We brought the report to the Sarasota County Tax Collector IT department who issued this statement:
"The site that your attachment refers to – Tax Tack – is actually no more than a simple online portfolio to make it easy and convenient for our residents to track their property accounts – all of which are public record and made available to everyone. There is no payment information stored there, nor are any transactions conducted there. It is merely a 'rolodex' of property information that an owner can create in order to make it easier to track those accounts. All of that tax roll information is available online to the public. Just to be clear, no user name or password is required to pay your property taxes online at our website and all transactions start and end at the very secure URL of https://www.governmax.com. We plan to work with our vendor so that the site receives a score of 'A.' Again, thank you for raising this important question."