Pango USA Lacks Security, and It’s Scary

Many of you may not know what Pango USA is; here in Scranton, the parking authority has implemented this service to let us pay for meters through an app, without the need for quarters. It’s been a while since it was implemented, but over the weekend I decided to sign up. I was very annoyed at what I found.

Let me start off by saying security has been a bit of a hot topic lately due to some projects I was working on, what I’ve been teaching in class, and of course, the whole Adobe debacle. So here is the basic chain of events:

  1. I signed up for a mypango account, using the amazing Dashlane to generate a password for me. It’s very, very secure.
  2. Shortly after, I get a text message with my username and password, as well as an “Account PIN.”
  3. I contact Pango on Facebook and they tell me that it was randomly generated by them. This is not true and I tell them as much.
  4. They said they’d get back to me.

Here is a screenshot of our Facebook correspondence. It’s my opinion that the fastest way to get a response is to do it in a public complaint:

[Screenshot of the Facebook correspondence, 2013-11-18]

As you can see, Pango does make an effort to explain that they store credit cards properly (that’s the PCI bit) and that they encrypt all communications. This does not touch on how passwords are stored, and that’s incredibly alarming. In my opinion, the password should not be sent at all; it should be encrypted and stored immediately. However, that’s not the most disturbing part.

They come back and they tell me that my password was randomly generated and sent to my phone to make it easier. That’s, first of all, not correct. They texted me the password I generated, which I verified by checking it against what I have in Dashlane. Second of all, I want to know (as you can see in my last comment) how they know my password was seemingly randomly generated. My guess is they were able to decrypt it, but I’m not certain about that yet. When you do reset your password, they do send you a new random password, not the one you put in, which is why I asked for clarification.

Finally, when you input a wrong password, it prints out the password you put in and says it’s wrong, which is another issue; they shouldn’t be printing anything like that out on the screen, especially since it was sent over the wires to check it against the current password.
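A sketch of the handling the complaints above point toward, added here as an example; it is not Pango's code or the author's. It keeps only a salted one-way hash (PBKDF2, an assumed choice, rather than reversible encryption), so the service has nothing it could text back, and the failed-login message never repeats what was typed. All names and the sample password are hypothetical.

```python
import hashlib
import hmac
import secrets

# username -> (salt, derived key). The plaintext password is never stored,
# so nothing here can be "decrypted" and sent to a phone later.
USERS = {}

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow derivation of the stored value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def sign_up(username: str, password: str) -> str:
    """Store the derived key and return the confirmation text to send."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, derive(password, salt))
    # The confirmation carries no credential at all.
    return f"Welcome {username}, your account is ready."


def log_in(username: str, submitted: str) -> tuple[bool, str]:
    """Check a login attempt; the reply never echoes the submitted value."""
    # Unknown users still go through one derivation so timing stays similar.
    salt, stored = USERS.get(username, (b"\x00" * 16, b""))
    ok = hmac.compare_digest(derive(submitted, salt), stored)
    message = "Signed in." if ok else "Incorrect username or password."
    return ok, message


if __name__ == "__main__":
    sample = "constructed-Passw0rd!x"  # constructed sample value
    print(sign_up("alice", sample))
    print(log_in("alice", sample))
    print(log_in("alice", "wrong-guess"))
```
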

At this point, I’m still waiting for them to get back to me, but the practices I’ve seen so far are incredibly alarming, especially from a company that’s asking us to store credit card info as well (though you go through some scrutiny with that information to become PCI compliant). Regardless, a lot of companies that are careless with passwords are surfacing within the last couple of years and it’s costing those companies dearly. Until Pango proves to me that they take password storage seriously, I’m not going to use the service and I’m going to strongly recommend others don’t as well. You, of course, can’t just delete your account, so I’ve emailed them about how to do so.