Dozens of car washes across Connecticut have leaked “countless” credit and debit card details to cybercriminals, according to a new investigation by security blogger Brian Krebs.
The card breaches came to light after a man was arrested in Massachussets for possessing nine stolen credit cards – or the data from them, which had been re-encoded onto gift cards as part of a money-laundering scheme, according to Gizmodo’s report..
Jeanne Pierre was arrested after officers identified him from security footage in a Family Dollar store, where he was one of several individuals buying large numbers of gift cards with stolen credit cards, according to PYMNTS.com. Pierre was in police custody after he was the victim in an assault case, and police found multiple reprogrammed gift cards on his person.
The data on them came from a series of leaks at car washes in Connecticut using pcAnywhere software for remote access to their point-of-sale terminals – the source code for which leaked in 2012. According to Krebs, several of the car washes used software from Micrologic Associates.
Krebs spoke to officers from several forces who confirmed that Micrologic’s software had been involved in several known breaches. Several car washes had also been using old usernames and passwords, unchanged after they were chosen by Micrologic, and some were still running Windows XP, according to SC Magazine’s report.
Micrologic’s CEO, Miguel Gonzalez said that the company had been urging customers such as the car wash to switch from using pcAnywhere to modern remote-access software with additional security measures such as multi-factor authentication, according to Krebs.
Chavez said, “What the investigators we’ve worked with so far have been able to gather is that they were exploiting not the pcAnywhere credentials, but a flaw in old versions of pcAnywhere.”
As Gizmodo reports, cybercriminals had been buying the gift cards using stolen credit cards, then using the cards to “host” data from other stolen cards.
“The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they’d buy $500 each in prepaid gift cards. We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards,” Krebs writes.
Author Rob Waugh, We Live Security