A group of alleged credit card thieves was busted by the police in Massachusetts. The stolen card data used to buy gift cards came, in at least one case, from a Splash Car Wash in Connecticut. The cards the thieves carried had been stripped of their original data, drained of their balances, and re-encoded with stolen credit card information.
Earlier this month, the police arrested a man named Jean Pierre for possessing nine stolen credit cards. According to security journalist Brian Krebs, those cards were gift cards cleverly disguised by re-encoding them with data from breaches at various establishments, including the Connecticut car wash.
Groundwork
“The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they’d buy $500 each in prepaid gift cards. We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards,” explains Detective Michael Lavey of Everett, where a stolen credit card showed activity at a Family Dollar store. A call from a South Carolina sheriff had informed Lavey that a resident’s credit card was being used for repeated fraudulent purchases.
Apparently, the suspects had been in and out of the store for months, several times a week, buying gift cards. Security camera footage from the Family Dollar store showed the dates and times of the transactions, and the store clerks confirmed this to Detective Lavey. Jean Pierre was one of the men recognizable in the video.
After being stabbed in the leg and buttock during a robbery in Boston, Jean Pierre was questioned by police at City Hospital. He refused to answer questions, but when his pants were taken as evidence, several prepaid gift cards were found in the pockets. Detective Lavey subpoenaed the card records and, working with MasterCard and American Express, traced at least one of the cards to data stolen from Splash Car Wash in Connecticut.
Lavey then worked with Michael Chaves, a Connecticut detective who had opened a probe into 14 car wash card breaches, including the one at Splash.
Faulty POS Devices
The investigation showed that since February 2014, at least 40 car washes across the country had suffered hacking incidents in which cyber thieves got away with large numbers of account details. Widening the case further, investigators found that all of the interviewed car wash owners used the same point-of-sale (POS) system. The installed POS, provided by US-based Micrologic Associates, had remained unchanged for years. With Symantec’s pcAnywhere enabled, it could be reached remotely by anyone who knew even a single set of default credentials.
“What the investigators we’ve worked with so far have been able to gather is that [the thieves] were exploiting not the pcAnywhere credentials, but a flaw in old versions of pcAnywhere,” says Micrologic President and CEO Miguel Gonzalez. So it was not only default passwords that the perpetrators were using; they exploited vulnerabilities in the remote-access software as well. Krebs also reported that Symantec’s source code for pcAnywhere was stolen six years earlier, so anyone still running it is at risk of a data breach.
Remote-access software is the most commonly exploited path to POS data. In fact, Verizon’s 2014 Data Breach Investigations Report calls 2013 the “Year of the Retailer Breach.” It was the year when attacks shifted from ‘geopolitical attack to large scale attacks on payment card systems,’ marked by the Citadel Trojan malware variant crafted to attack POS systems through a Canadian payment card processor, followed shortly by the massive POS breach at Target in November, and plenty of other POS breaches at restaurants, grocery stores, hotels, and so on.
In addition, Verizon found that the vector shared by the major POS breaches of 2013 was the combination of third-party remote-access software with a POS system. The car wash breach, pcAnywhere plus a remotely reachable POS, is exactly the configuration at the top of Verizon’s list of things not to do.
Although the amount stolen from any individual credit card may not amount to much, the sum of all those individual portions adds up to a serious, if unconventional, robbery. Hackers have mastered the way to take advantage of an insecure POS.
“Individually, this card fraud doesn’t meet the threshold where the federal government is going to say ‘Hey, let’s grab these guys’. Locally, they’re doing it across broad jurisdictions and jumping from state to state and coming away with hundreds of thousands of dollars,” says Lavey. Tracking down POS attackers also proves difficult because of the serious question of jurisdiction.
Verizon recommends that merchants investigate their POS vendors and management providers and ask how remote access to the POS system is secured. Vendors must also be attentive to default passwords, making sure they have been changed and are not printed anywhere on the POS device. It is also important to consider two-factor authentication, to monitor for suspicious network activity, and to use security software to make sure nobody uses the POS system for non-POS business online.
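One concrete form of the “monitor suspicious network activity” advice is to watch the firewall log for remote-access sessions reaching the POS segment. The example below is added here and is not code from the article, Verizon, or Micrologic; it assumes a constructed log line format, a constructed POS subnet (10.10.1.0/24) and vendor allow-list, and uses pcAnywhere’s default ports (TCP 5631 data, UDP 5632 status). It flags any pcAnywhere session into a POS host from a non-vendor address, and vendor sessions that arrive outside business hours.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Default ports used by Symantec pcAnywhere: TCP 5631 (data), UDP 5632 (status).
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}
# Constructed for this example: the POS network segment and the single vendor
# support address that is allowed to open remote sessions into it.
POS_SEGMENT = ip_network("10.10.1.0/24")
VENDOR_ALLOWLIST = [ip_network("198.51.100.10/32")]

LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)")

def check_remote_access(lines, business_hours=(7, 22)):
    """Flag allowed remote-access sessions into the POS segment.

    A line is an alert if it hits a pcAnywhere port on a POS host and the
    source is not an allow-listed vendor address, or it is a vendor address
    connecting outside business hours.  Returns (ts, src, dst, reason) tuples.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "allow":
            continue  # unparsable, or already blocked by the firewall
        if ip_address(m["dst"]) not in POS_SEGMENT:
            continue  # not a POS host
        if (m["proto"], int(m["dport"])) not in PCANYWHERE_PORTS:
            continue  # not the remote-access service
        src = ip_address(m["src"])
        hour = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        trusted = any(src in net for net in VENDOR_ALLOWLIST)
        if not trusted:
            alerts.append((m["ts"], m["src"], m["dst"], "untrusted source on pcAnywhere port"))
        elif not business_hours[0] <= hour < business_hours[1]:
            alerts.append((m["ts"], m["src"], m["dst"], "vendor session outside business hours"))
    return alerts

# Constructed sample firewall log, not taken from any real system.
SAMPLE_LOG = [
    "2014-03-02T14:05:11Z src=198.51.100.10 dst=10.10.1.20 proto=tcp dport=5631 action=allow",
    "2014-03-02T03:14:05Z src=203.0.113.45 dst=10.10.1.20 proto=tcp dport=5631 action=allow",
    "2014-03-02T03:14:06Z src=203.0.113.45 dst=10.10.1.20 proto=udp dport=5632 action=allow",
    "2014-03-03T02:40:00Z src=198.51.100.10 dst=10.10.1.21 proto=tcp dport=5631 action=allow",
    "2014-03-03T09:00:00Z src=203.0.113.45 dst=10.10.1.20 proto=tcp dport=5631 action=deny",
    "2014-03-03T09:05:00Z src=203.0.113.45 dst=10.10.2.5 proto=tcp dport=5631 action=allow",
]
```

Running `check_remote_access(SAMPLE_LOG)` yields three alerts: the two 3 a.m. sessions from the untrusted address and the vendor session at 02:40; the denied connection and the one to a non-POS host are ignored.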