The latest credit card scam to come to light isn't one that you would expect. I bet you were thinking that another retail chain had been hit.
I'll give you a hint: It has something to do with car washes and "cleaning."
In the newest scam to be uncovered, credit card numbers have been stolen from dozens of car washes across the country. But the criminals who were caught didn't have the original cards on them. Instead, this is a case of card/money laundering.
This slick scheme was uncovered when police in Massachusetts arrested a man in possession of nine stolen credit cards.
Criminals were taking advantage of the outdated Point of Sale (PoS) systems in several car washes around the country. The credit card numbers stolen at the car washes would be sold to criminals who would take them to a local Family Dollar store, where the credit cards would be swiped until one worked.
When the crooks found a working credit card number, they would purchase $500 worth of gift cards, like Visa and MasterCard, through Family Dollar. The crooks could then walk away and ditch the stolen credit card numbers when the limit ran out, because they had legitimate money on the gift cards.
Car washes across the country had been exploited as far back as February of 2014. But how were these criminals able to get a hold of the credit card numbers?
The answer is through unsecured Point of Sale (PoS) systems at the car washes. The culprit seems to be MicroLogic Associates, a PoS system that enables remote access via Symantec's PCAnywhere software. The login credentials, created by MicroLogic, had been unchanged for years.
When the compromised car wash was confronted in New Hampshire, they decided to cooperate with the U.S. Secret Service.
“The Secret Service told us they were running an old version of Micrologic that had the same, one login for everything, and were using an old version of Windows XP.”
"Micrologic President and CEO Miguel Gonzalez said that only about one-third of the 40 or so car washes on the Secret Service’s list of compromised stores were running Micrologic point-of-sale software; the rest, he said, were using products made by other software vendors."
So, if it's not an outdated version of Windows XP that's causing the whole problem, then how are the thieves getting the credit card numbers? It seems that the breached companies have been using old, outdated versions of PCAnywhere from Symantec.
The highlighted locations show the car washes that were running MicroLogic PoS registers.
But it gets even better. Symantec acknowledges that in 2012 the source code for the PCAnywhere systems had been stolen. To Symantec's credit, the company urged its customers to update the software to repair the breach or change out the software completely.
So the next time you visit a car wash, try using cash or a prepaid gift card instead.