Police in the US state of Massachusetts have busted what they say is a gang of thieves who were buying stolen credit cards – some of which were nicked from a Splash Car Wash in Connecticut – and using them to buy gift cards that were then exhausted of their balance, washed clean of data and reloaded with more stolen credit card data, security journalist Brian Krebs reports:
The cops call it money laundering, but in this case it might as well be called card washing.
Krebs writes that earlier this month, police in Everett, Massachusetts arrested a local man named Jean Pierre for possessing nine stolen credit cards.
Those cards hadn’t actually been stolen. Rather, they were gift cards that had been re-encoded with data from cards that were stolen from a variety of data breaches at merchants, including the Connecticut car wash.
Back in May, a South Carolina sheriff’s department called Everett police to tell them that a resident had reported his credit card being used repeatedly for bogus purchases at a Family Dollar store in Everett.
Everett Detective Michael Lavey got hold of security camera footage from the local Dollar Store and asked the store clerk if he knew the people who showed up in the video at the date and time of the fraudulent transactions.
The clerk said that yes, those suspects had been visiting the store for months, several times each week, to buy gift cards.
Krebs quotes Detective Lavey:
The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they’d buy $500 each in prepaid gift cards. We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards.
The suspect Jean Pierre was one of the men recognisable in the video. He had been questioned by Boston police at a city hospital after being stabbed in the legs and buttocks in an unrelated robbery, but he had refused to answer questions about the robbery or attack.
When police seized his trousers as evidence, they discovered several prepaid gift cards in the pockets.
Detective Lavey told Krebs that he subpoenaed the credit card records and, working with MasterCard and American Express, traced at least one of the cards down to having been stolen from Splash Car Wash in Connecticut.
Lavey was soon working with Michael Chaves, a Connecticut detective who’d been investigating card breaches at 14 separate car washes, including the one at Splash.
40 hacked car washes, all using the same POS devices
It turns out that at least 40 car washes across the country had been hacked, with thieves getting away with countless account details since at least February 2014, Krebs reports.
Upon interviewing some of the car wash owners, Chaves says he found they were all using similar point-of-sale (POS) systems, some of which were sold by US-based Micrologic Associates.
The store owners said that the POS devices had remote access via Symantec’s pcAnywhere enabled, which granted access to anyone who knew a single set of default credentials, according to Chaves:
The pcAnywhere credentials were created by Micrologic, but unchanged for years.
But it wasn’t just default passwords the crooks were exploiting, claims Micrologic President and CEO Miguel Gonzalez. He pointed the finger at vulnerabilities in the remote software, as well.
Krebs quotes him:
What the investigators we've worked with so far have been able to gather is that [the thieves] were exploiting not the pcAnywhere credentials, but a flaw in old versions of pcAnywhere.
In fact, as Krebs reports, Symantec in 2012 told users to pull the plug on pcAnywhere after discovering that its source code had been stolen 6 years earlier.
Krebs points to the disheartening frequency with which crooks use remote-access tools such as pcAnywhere to jimmy open PoS systems.
That’s reflected in Verizon’s 2014 Data Breach Investigations Report, which suggests that 2013 might well be dubbed “the year of the retailer breach”.
It was, Verizon said, a year of “transition from geopolitical attacks to large-scale attacks on payment card systems”, ushered in at the start by a new Citadel Trojan malware variant crafted to attack POS systems using a Canadian payment card processor, closing out with the whale-sized POS breach at Target in November, and stuffed with plenty of POS breaches at restaurants, hotels, grocery stores, and other brick-and-mortar retailers sandwiched in between.
In fact, the carwash combo of pcAnywhere with a POS system is the number one no-no on Verizon’s most current list of recommendations.
Verizon found that the shared vector for the major POS breaches of 2013 were combining third-party remote-access software with a POS system.
The security of the remote access products isn’t the issue, here, Verizon said – rather, it’s just that they’re often implemented in “a very insecure manner”, according to its report.
As the Verizon report bluntly puts it and Detective Lavey confirms, the money in each one of these rip-offs amounts to small potatoes on an individual basis.
But add them up, and we get a picture of serious money getting bled out of non-secure POS setups that gang members have figured out how to take advantage of.
Krebs quotes Lavey:
Individually, this card fraud doesn’t meet the threshold where the federal government is going to say 'Hey, let's grab these guys'. Locally, they're doing it across broad jurisdictions and jumping from state to state and coming away with hundreds of thousands of dollars.
Police obviously have their work cut out for them when it comes to tracking down POS system-bleeding crooks across jurisdictions.
In the meantime, it behooves businesses to do their best at securing systems so they don’t get fleeced.
Besides avoiding the risky combo of remote-access software and POS systems, Verizon suggests having serious business discussions with third-party POS management vendors about how and when they’ll access POS systems via remote access.
Another top priority involves making absolutely sure there aren’t any factory default passwords hanging around in the POS systems, be they the name of the device vendor, dictionary words, otherwise weak passwords or the like.
And if a third party deals with passwords, require and verify that they’re not giving you the same password that they hand out to other customers.
Other advice includes considering two-factor authentication, monitoring for suspicious network activity, using security software, and making sure nobody’s using the POS systems to do non-POS stuff online.
After all, POS systems are there to keep the cash coming. They’re pretty important.
UPDATE 26 June 2014: We’ve corrected the article to make it clear that only some (and not all) the POS systems were sold by Micrologic. Additionally, Micrologic President and CEO Miguel Gonzalez told us:
Micrologic has implemented additional measures to defend against further intrusions and will remain responsive in assisting Law Enforcement officials throughout their investigations.