Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Monday July 30 2018, @07:45PM   Printer-friendly
from the hackonopoly dept.

Hundreds of Idaho prison inmates have hacked jail software to "artificially" boost the amount of money in their own accounts, officials say.

The Idaho Department of Corrections said 364 inmates were "intentionally exploiting a vulnerability" to take nearly $225,000 (£171,000).

Fifty prisoners credited their accounts with more than $1,000 each while another inmate transferred $9,990.

A prisons spokesman said the "improper conduct involved no taxpayer dollars".

In a statement to BBC News, Idaho Department of Correction spokesman Jeff Ray said the inmates had hacked the JPay system.

JPay is a private firm that allows US prisoners access to portable devices which can transfer money, download music and games, and exchange communications with family members.

[...] JPay has so far recovered more than $65,000 worth of credits from the prisoners.

They have been suspended from downloading music and games until they pay the company for its losses, but they are still able to send and receive emails.

The Idaho Department of Corrections has also issued disciplinary reports to the inmates that were involved, meaning that they would lose certain privileges and be reclassified to a higher security risk level.

Wired adds:

[...] Unlike the Kindle Fire or the IPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.

[...] As the sole provider of e-messaging and digital services within Idaho's prison system, it might stand to reason that the company's monopoly increased its risk of hacking. "If you're forced to buy from one entity, I could see the increasing motivation," says Jake Williams, a security expert and founder of Rendition Infosec. "But I don't think this [monopoly] increases vulnerabilty to hacking."

Instead, says Williams, any system offering an app over a device operates at a risk."Any time you have a mobile app—whether it's a phone or a tablet—the user has a lot of control over any data stored in the device itself," he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. "A malicious user can access that back-end data," says Williams.

It's a problem that Williams sees often. He points to a recent vulnerability assessment that Renditions conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price on the SQLite database, a back-end storage mechanism on the app itself. But by modifying the price on that back-end system, "we could change the purchase price and buy the item for whatever price we wanted," Williams recalls. "This is not an uncommon flaw with mobile apps."

For JPay or any other provider offering tablets, a person's credit balance is most likely stored on the tablet rather than being transmitted on JPay's infrastructure to a centralized server. This makes it accessible for someone savvy enough to hack into the SQLite database and change their account.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Troll) by realDonaldTrump on Monday July 30 2018, @09:01PM (3 children)

    by realDonaldTrump (6614) on Monday July 30 2018, @09:01PM (#714935) Homepage Journal

    In the summary they're saying, guys could transfer money. And then they say, with family members. And there's different ways to read it. Many different ways. But I think a lot of times they'd have a guy in there and his family wants to transfer money to him. Because, not so easy to make money in prison. But, maybe it went the other way. And the guys in prison hacked the cyber to send money to their families.

    But, stealing music isn't great either. Because JPay, probably they pay for the music. They pay the record companies, right? I mean, you'd expect that. Lot of money going to the record companies, no money coming in from the bad guys. Big loss for JPay. They're providing cyber for guys who wouldn't have it otherwise, a lot of those guys did things that weren't nice. Terrible!!

    Starting Score:    1  point
    Moderation   0  
       Troll=1, Redundant=1, Funny=1, Underrated=1, Total=4
    Extra 'Troll' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by LoRdTAW on Monday July 30 2018, @09:37PM

    by LoRdTAW (3755) on Monday July 30 2018, @09:37PM (#714953) Journal

    I'd tell JPay they're fired.

  • (Score: 0) by Anonymous Coward on Monday July 30 2018, @11:02PM (1 child)

    by Anonymous Coward on Monday July 30 2018, @11:02PM (#714976)

    Did Jared send money to his father when he was in prison? That's what a good son would do.

    • (Score: 0) by Anonymous Coward on Tuesday July 31 2018, @10:17AM

      by Anonymous Coward on Tuesday July 31 2018, @10:17AM (#715115)

      And whose money was it?