Car washes hacked
Jun. 24th, 2014 09:57 am

I thought it was going to be about card skimmers being installed on automated, unattended car washes, but it wasn't. The car wash chain in Connecticut was compromised apparently using a vulnerability in an older version of pcAnywhere, a remote administration tool. They all used the same access credentials, not a two-factor system, so once one site was compromised, all in the chain by the same vendor were compromised.
The idiot thieves in Massachusetts were going into the same dollar store every week buying gift cards for various big box stores, having burned the stolen credentials onto that discount store's gift cards. They'd try card after card until one worked. The interesting bit was that the guy arrested was admitted to the emergency room with multiple stab wounds in his legs, several stolen cards were found in his wallet, and this was the police tip needed.
I initially thought that if this was a card skimmer, then the advice would be to not pay at the car wash, pay (if possible) at the gas pump such as if it's in a grocery store front lot and the pumps are much more closely monitored. But if the internal infrastructure is compromised, it doesn't matter.
Another interesting bit is that they're using the criminal gang The Bloods to cash out these cards. But the last paragraph definitely deserves quoting, from Everett, MA police detective Michael Levey: “Honestly, the fact that we still have bank robberies is sort of perplexing,” he said. “Rob a bank and you’re lucky if you get away with $600. But you can rob a credit card company and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims. And most of the retailers are so afraid of having their name in the press associated with credit card fraud and data breaches that make the job doubly hard for us.” Emphasis mine.
http://krebsonsecurity.com/2014/06/card-wash-card-breaches-at-car-washes/