This is a crazy story about a bunch of car wash businesses that fell victim to crooks, poor security standards, bad luck, and the latest turn in street gang wars. It starts with a fraud victim in South Carolina, involves a car wash in Connecticut and ends with an arrest in Massachusetts. The story is reported in the digital security news blog Krebs On Security. What follows is a summary, with some lessons for car wash businesses at the bottom. To read the whole thing, see the Krebs On Security report.
Early this month, police in Everett, Massachusetts, arrested a dude named Jean Pierre who had been using gift cards from Family Dollar that had been re-encoded with other people’s credit card accounts. Many of those credit card accounts had been stolen by hacking into the point-of-sale systems used by car wash businesses around the country.
The case blew open when Pierre was stabbed in Boston. (He’s allegedly a member of the Bloods street gang.) Police took his bloody pants into evidence for the stabbing but also discovered nine credit cards in his pockets. He’d been using the stolen credit cards to purchase $500 prepaid gift cards at Family Dollar, where one attendant said these dudes would come in multiple times a week, swiping multiple credit cards till one worked, and walking out with the same $500 gift cards each time. No idea why the attendant didn’t think that was suspicious.
When police announced the arrests and the name of the point-of-sale service, Micrologic in New Jersey, everybody blamed somebody else. Police said it was Micrologic’s use of the same authentication passwords for years and years. Micrologic said the car washes were using outdated versions of their software and old computers.
We don’t think it’s ever fair to blame the user. If a user isn’t secure, the software company needs to compel that user to download the new version of the software or update their passwords. Read the report from Krebs On Security, and then see our list of things to learn from this wild story:
- A lot of the problem was out of the car wash businesses’ hands. The cashier at Family Dollar made the most obvious mistake, letting these guys come in repeatedly with stolen credit cards.
- Also, it seems there needs to be tighter security and identity verification at the retail locations where these guys are using their “gift cards.”
- But there are also things you can do to protect yourself. Make sure you’re keeping up with software updates.
- Make sure your POS system provider is updating its credentials frequently. The Micrologic software was using the same password for years.
- If you have any questions about the security of your customers’ credit cards, contact your software provider immediately. In fact, it’s worth making a phone call even if you aren’t concerned. Don’t risk losing loyalty over worries about credit card security.