Residents face ID theft risk in county online sign-up

Published: Monday, Jan. 24 2005 12:00 a.m. MST

Residents who sign up online for Salt Lake County parks and recreation programs are in danger of getting their identity stolen, according to county auditors.

A recent audit of the Salt Lake City Sports Complex criticizes the way in which credit card information is processed for people who register for programs on the Internet, saying it "potentially poses a risk of identity theft of credit-card numbers."

The sports complex is owned by Salt Lake City but operated by the county.

Auditors sent a letter to county officials in September outlining their concerns, but "there has been a real lukewarm reaction to what I view as a very serious problem," county director of internal audits Jim Wightman said.

Wightman conceded, however, that there has been no actual identity theft so far.

The danger arises from weaknesses in the handling of the credit card information. When a patron inputs his personal information on the county Web site, it is not immediately processed but first goes through a gateway or "portlet" computer at Peak Software, a local company, and from there to the terminal at the sports complex or other county facility. There, an employee prints out a transaction report listing online registrants and card numbers, and then processes the credit-card transactions manually, using the transaction reports for guidance.

Once the transaction report is printed, the card number is blanked out in the computer database.

At the sports complex, auditors found that the transaction report containing the card numbers is shredded immediately after the card transactions are processed, but "this may not be the case at all centers." Copies of individual transactions are still kept at the sports complex.

Auditors unfavorably compare the cumbersome process to simply using a third-party credit-card processing company. The county treasurer uses Official Payments Corporation for its online tax payments, and an independent testing firm found the process "secure from outside penetration by 'hackers.' "

Peak Software, which sold parks and recreation the system it uses, points out that it uses 128-bit encryption technology in transmitting credit card numbers, that credit-card data is no longer available online once it's printed out, and that using a third-party processor is more expensive.

Nevertheless, auditors say, "the use of a third-party processor, greatly reducing the identity-fraud risk, would outweigh the financial burden of the processing charge and should be implemented immediately."
