GangsterBB.NET


Car wash credit card fraud #785445
06/23/14 10:25 AM
Scorsese Offline OP
Card Wash: Card Breaches at Car Washes

Ooh, you might not ever get rich
But let me tell ya, it’s better than diggin’ a ditch
“Car Wash” by Rose Royce

An investigation into a string of credit card breaches at dozens of car wash locations across the United States illustrates the challenges facing local law enforcement as they seek to connect the dots between cybercrime and local gang activity that increasingly cross multiple domestic and international borders.

Earlier this month, police in Everett, Massachusetts arrested a local man named Jean Pierre for possessing nine stolen credit cards. The cards themselves weren’t stolen: They were gift cards that had been re-encoded with data from cards that were stolen from a variety of data breaches at merchants, including a Splash Car Wash in Connecticut.

How authorities in Massachusetts connected Pierre to a cybercrime at a Connecticut car wash is a mix of odd luck and old-fashioned police work. In May, the Everett police department received a complaint from a sheriff’s department in South Carolina about a resident who’d had his credit card account used repeatedly for fraudulent transactions at a Family Dollar store in Everett.

Everett PD Detective Michael Lavey obtained security camera footage from the local Dollar Store in question. When Lavey asked the store clerk if he knew the individuals pictured at the date and time of the fraudulent transactions, the clerk said the suspects had been coming in for months — several times each week — always purchasing gift cards.

“The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they’d buy $500 each in prepaid gift cards,” Lavey said. “We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards.”

Not long after Lavey posted snapshots from the video footage on a state-wide police network, he heard from an officer in Boston who said a suspect resembling one of the men in the photos was recently questioned at a city hospital after being stabbed in the legs and buttocks in an unrelated robbery. The assailant in that attack was arrested, but his victim — Jean Pierre — refused to answer questions about the incident. The police seized Jean Pierre’s pants as evidence in the assault case, and discovered numerous prepaid cards in the pockets of the trousers.

Lavey said he subpoenaed the credit card records, and working with investigators at American Express and Citibank was able to determine that at least one of the cards had been stolen from the Splash Car Wash in Connecticut. In effect, thieves were buying stolen cards to finance the purchase of gift cards, some of which would later serve as hosts for new stolen card data once their balance was exhausted. The cops call it money laundering, but in this case it might as well be called card washing.

WILL THAT BE A SUPER OR DELUXE WASH?

Soon enough, Lavey had linked up with Michael Chaves, a detective with the police department in Monroe, Conn. who’d been investigating card breaches at 14 separate car washes in his state, including the Splash case. Working with the Connecticut Financial Crimes Task Force, a broad law enforcement group that includes the U.S. Secret Service and state police, they determined that the local company was but one of at least 40 car washes across the country that had been hacked and relieved of countless customer credit and debit cards since at least February 2014.

A list of car washes identified by various banks as compromised by card thieves this year.
Chaves said he interviewed several of the car wash owners, and discovered that they were all using the same point-of-sale systems developed by Randolph, N.J.-based Micrologic Associates. Chaves said the store owners told him the devices had remote access via Symantec’s pcAnywhere enabled, access that was granted to anyone who knew the same set of default credentials.

“The pcAnywhere credentials were created by Micrologic, but unchanged for years,” Chaves said.

That was the same conclusion independently reached by Detective Steven LaMears with the police department in Keene, N.H. Earlier this month, a police captain at the Keene Police Dept. saw fraudulent charges show up on his credit card shortly after using it at the town’s Key Road Car Wash, an establishment which used Micrologic’s point-of-sale system.

LaMears also heard from a company in New York which reported that two of its executives each had their cards compromised multiple times after visiting the Key Road Car Wash in Keene.

“We confronted them, and working with the U.S. Secret Service got them back up and running,” LaMears said of the local compromised car wash. “The Secret Service told us they were running an old version of Micrologic that had the same, one login for everything, and were using an old version of Windows XP.”

MICROLOGIC POS: CAR(D) WASHING SOFTWARE?

Micrologic President and CEO Miguel Gonzalez said that only about one-third of the 40 or so car washes on the Secret Service’s list of compromised stores (see above left) were running Micrologic point-of-sale software; the rest, he said, were using products made by other software vendors.

Gonzalez said Micrologic recently began urging all of its customers to transition away from pcAnywhere and adopt multi-factor authentication that involves the use of a one-time code that is sent via text message to the administrator’s mobile device.

Asked about the claim that crooks may have been abusing default credentials in Micrologic’s software to steal card data from car washes running its product, Gonzalez said the breached companies were running older, outdated versions of pcAnywhere. He said attackers appear to have targeted vulnerabilities in the remote access software itself — not merely abusing some set of default credentials.

“What the investigators we’ve worked with so far have been able to gather is that [the thieves] were exploiting not the pcAnywhere credentials, but a flaw in old versions of pcAnywhere,” Gonzalez said.

In January 2012, Symantec acknowledged that hackers had stolen the source code to the popular remote access software, and it urged users to either update the software — which included fixes for several critical bugs — or remove the program altogether.

Whether the crooks are exploiting software vulnerabilities or weak/default credentials in this case, security experts routinely advise companies to avoid using remote administration tools on point-of-sale devices — or else to severely lock them down with strong passwords and other restrictions. One stubbornly static finding in data-breach reports published annually by Verizon, Trustwave and other companies that get hired to investigate breaches involving card data is that far too many point-of-sale breaches start when the thieves abuse some kind of remote access tool installed on the point-of-sale device itself. Typically, this involves the attackers scanning the Internet for remote administration software, and then using automated tools that can break into any systems that are protected with weak passwords.

THE NEW THUG LIFE

Point-of-sale compromises at restaurants, retailers, car washes and elsewhere are frequently attributed to hackers in Romania, Russia, Ukraine and other parts of Eastern Europe. But according to Detective Lavey, the buyers of these stolen goods increasingly are street gang members here in the United States. Lavey said Jean Pierre — the stabbing victim who was found in possession of nine stolen credit cards — is a member of the Bloods, an African American street gang.

Surveillance camera footage from Dollar Stores where police say these individuals used stolen credit cards. Source: Monroe, Ct. Police. Jeanne Paul is pictured top right.
“All these kids are Blood gang members, tattooed up or self-admitted,” Lavey said. “And they’re starting to work smarter, not harder. Individually, this card fraud doesn’t meet the threshold where the federal government is going to say ‘Hey, let’s grab these guys.’ Locally, they’re doing it across broad jurisdictions and jumping from state to state and coming away with hundreds of thousands of dollars.”

Lavey said he recently worked a case where a number of kids in their late teens were using stolen credit cards to go on shopping sprees at multiple Target stores along the east coast.

“We just wrapped up a case where these kids were coming up from New York, and they were hitting every Target store in the area for $6,500 a whack,” Lavey said. “In one weekday, they did this hitting all Target stores up and down the eastern seaboard. They now have charges pending in New York, New Jersey, Virginia and Pennsylvania.”

Given how easy it is to buy stolen cards, encode them onto gift cards and then use those cards to buy goods in big-box stores that can be easily resold for cash, Lavey said he wonders why old-fashioned bank robberies are still a problem.

“Honestly, the fact that we still have bank robberies is sort of perplexing,” he said. “Rob a bank and you’re lucky if you get away with $600. But you can rob a credit card company and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims. And most of the retailers are so afraid of having their name in the press associated with credit card fraud and data breaches that they make the job doubly hard for us.”

Re: Car wash credit card fraud [Re: Scorsese] #785502
06/23/14 05:50 PM
Garbageman Offline
Thank God the company in NJ was on the up and up, otherwise, this story would have been doomed to contain the word Sopranos at some frigging point.

Re: Car wash credit card fraud [Re: Scorsese] #785511
06/23/14 06:27 PM
Belmont Offline
Obtaining the data is sophisticated but perpetrating the actual theft was amateur night at the Apollo. These guys established a common denominator by going to the same dollar stores and sticking out like sore thumbs by going in groups. Also going to every Target on the east coast... what the story doesn't mention is that the fraud departments for card companies are sometimes ex-FBI agents and other LE and along with sophisticated anti-fraud software, they look for patterns and can usually tell if the same person or group is doing the crime.
Back in the day they used to steal card numbers and punch the numbers on blank cards. It was obvious that the store accepting the card knew the cards were fake, they were blank. The Secret Service would lean on whomever made the sale and bamm!!!, the whole ring would go down. They then determined the card numbers came from 4 places, a hotel, a restaurant, a clothing store and somewhere else, I forgot. All the card numbers that were compromised originally made legit purchases at one of the 4 places... common denominator established and surveillance starts... you know the rest.

Last edited by Belmont; 06/23/14 06:28 PM.
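
The "common denominator" check described in the post above is what card fraud teams call common-point-of-purchase analysis. As an added example (not part of any post in this thread), the sketch below ranks merchants by how many fraud-hit cards shopped there before their first fraudulent charge, compared with how many clean cards did; all card IDs, merchant labels and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card_id, merchant, date) of legitimate purchases.
PURCHASES = [
    ("c1", "car_wash_A", date(2014, 3, 10)), ("c1", "grocery_B", date(2014, 3, 12)),
    ("c2", "car_wash_A", date(2014, 3, 15)), ("c2", "grocery_B", date(2014, 4, 1)),
    ("c3", "car_wash_A", date(2014, 4, 2)),  ("c3", "gas_C", date(2014, 6, 1)),
    ("c4", "car_wash_A", date(2014, 4, 5)),  ("c4", "grocery_B", date(2014, 4, 6)),
    ("c5", "grocery_B", date(2014, 3, 11)),  ("c5", "gas_C", date(2014, 3, 20)),
    ("c6", "grocery_B", date(2014, 3, 18)),
    ("c7", "grocery_B", date(2014, 4, 3)),   ("c7", "car_wash_A", date(2014, 4, 4)),
    ("c8", "gas_C", date(2014, 4, 9)),
]
# Constructed: card_id -> date of the first reported fraudulent charge.
FIRST_FRAUD = {
    "c1": date(2014, 5, 2), "c2": date(2014, 5, 3),
    "c3": date(2014, 5, 10), "c4": date(2014, 5, 11),
}

def common_points_of_purchase(purchases, first_fraud, min_coverage=0.75):
    """Return (merchant, coverage, baseline) tuples, most suspicious first.

    coverage = share of fraud-hit cards that shopped there before their fraud
    baseline = share of clean cards that shopped there
    """
    hit_visits, clean_visits = defaultdict(set), defaultdict(set)
    all_cards = set()
    for card, merchant, when in purchases:
        all_cards.add(card)
        if card not in first_fraud:
            clean_visits[merchant].add(card)
        elif when < first_fraud[card]:
            # Only a purchase made before the fraud can be the point of compromise.
            hit_visits[merchant].add(card)
    n_hit = len(first_fraud)
    n_clean = len(all_cards - set(first_fraud)) or 1  # avoid division by zero
    results = []
    for merchant, cards in hit_visits.items():
        coverage = len(cards) / n_hit
        baseline = len(clean_visits[merchant]) / n_clean
        if coverage >= min_coverage:
            results.append((merchant, round(coverage, 2), round(baseline, 2)))
    # High coverage with a low baseline points at the breached merchant;
    # a store everyone uses (high baseline) is a weak signal.
    return sorted(results, key=lambda r: (-r[1], r[2]))

if __name__ == "__main__":
    for row in common_points_of_purchase(PURCHASES, FIRST_FRAUD):
        print(row)
```
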
Re: Car wash credit card fraud [Re: Scorsese] #791142
07/23/14 07:28 AM
SonnyF Offline
It's not even that difficult. Here's how it works: First of all, it almost always starts with servers at restaurants because they have access to your credit card out of eyeshot. They have a card swiper that is small enough to fit in your palm, and they quickly swipe the card. The info on the card is saved to an SD card in the swiper. They give your card back to you like normal. THEN (and this is probably the step that makes it hard enough so that not everyone tries to do it) you either take the SD card and plug it into a computer and then use the info to buy things online, OR you have a card punch/encoder and you print/clone the stolen cards onto a blank. It sounds like these guys were just encoding the data onto gift cards and then laundering the money through Green Dot prepaid cards, but the guys I knew who did this would actually print out a card with your real name on it, but the number (and the money connected to the card) were someone else's. This way, if you are asked for ID you don't have to run for the doors. To make things even harder, some people would use a fake ID and have multiple of these cards. The only drawback was that they looked kind of bootleg and cheap. Most people wouldn't notice, but I could spot a fake card a mile away. The guy would drive the swiper down to NYC and come back with a trash bag full of formerly blank credit cards that he would sell for $50 each. It was kind of a crap shoot, because you could spend the 50 and end up with a cancelled card, or you could spend the 50 and end up with some rich guy's black card that he uses for travel and therefore doesn't notice a few hundred in a different city.

