There's a new trend sweeping the credit card fraud business, and it takes the concept of money laundering quite literally: Criminals are swiping card details from car washes.
Krebs on Security reports that the Connecticut Financial Crimes Task Force, which includes the US Secret Service and state police, has discovered that at least 40 car washes across Connecticut have been hacked since February 2014. Criminals have made off with "countless customer credit and debit card" details, which were then sold on.
Police became wise to the practice when PD Detective Michael Lavey heard of customers acting suspiciously, using multiple credit cards at a local Dollar Store. He explained to Krebs:
"The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they'd buy $US500 each in prepaid gift cards. We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards."
It seems that criminals stealing the original credit card details took advantage of ageing security in the car wash points of sale. All the targeted car washes are said to have used a system developed by Micrologic Associates, which used Symantec's pcAnywhere. That software allows remote access given the correct log-in details — and Micrologic hadn't changed those for years.
As a result, Micrologic has been urging its customers, including the car washes, to move away from using pcAnywhere. Instead, it suggests they use multi-factor authentication, which is an option on the point-of-sale technology. Well, duh. So, the problem is at least solved — or on its way to being solved — but that's not to say that other systems by other manufacturers couldn't present the same weakness. Who needs a clean car, anyway? [Krebs on Security]