
Card Breaches at Car Washes - Garbage
http://krebsonsecurity.com/2014/06/card-wash-card-breaches-at-car-washes/
======
nuxi7
"Chaves said the store owners told him the devices had remote access via
Symantec's pcAnywhere enabled, access that was granted to anyone who knew the
same set of default credentials."

Maybe it's because The Cuckoo's Egg is what got me into this field, but I
cringe every time I hear this. It's 25 years later and we are still getting
breaches based upon using default credentials.

This isn't even a hard problem to solve, you have three options:

1. Do not have a default password and prompt the user for one during setup.
2. Do not have the same default on every device, create it automagically from
   a serial number or something.
3. Have the system be unusable for the intended purpose until the default
   password is changed.

~~~
graylights
A lot of these default passwords on non-consumer devices aren't user admin
accounts but tech support accounts. So #1 and #3 don't work, because the user
doesn't get the password.

But there is also a 4th option: the user somehow enables the support account.
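The two comments above describe four ways to get rid of a shared factory credential. The following is an added example, not code from the Krebs article or from any PoS vendor, showing what they look like in practice: a per-serial password derived without a secret (the weak form of option 2, recoverable by anyone who learns the scheme), a keyed per-device derivation (the sound form), a device that refuses to process payments until the factory password is replaced (option 3), and a vendor support account that stays closed until the owner opens a time-limited window (graylights' option 4). All names (`FACTORY_KEY`, `Device`, `provision`, the serial format) are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption: a manufacturer key that lives only at the factory and support desk,
# never on the device. Generated fresh here so the example runs offline.
FACTORY_KEY = secrets.token_bytes(32)


def weak_default_password(serial: str) -> str:
    """Option 2 done badly: derived from the serial alone, so anyone who learns
    the scheme (or dumps one firmware image) can compute every unit's password
    from the label on the front of the box."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]


def factory_credentials(serial: str) -> Tuple[str, str]:
    """Option 2 done properly: per-device owner password and support token from a
    keyed MAC. Without FACTORY_KEY the serial number tells an attacker nothing."""
    pw = hmac.new(FACTORY_KEY, b"owner|" + serial.encode(), hashlib.sha256).digest()
    tok = hmac.new(FACTORY_KEY, b"support|" + serial.encode(), hashlib.sha256).digest()
    # Base32 keeps it typeable on a keypad; 80 bits is plenty for a one-time setup secret.
    return base64.b32encode(pw[:10]).decode(), base64.b32encode(tok[:10]).decode()


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a dumped device image does not yield the password directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """A PoS-style device that is unusable (option 3) until the factory password is
    replaced, and whose vendor support account is off until the owner opens a
    time-limited window (option 4)."""

    SUPPORT_WINDOW_S = 3600

    def __init__(self, serial: str, owner_password: str, support_token: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _kdf(owner_password, self._salt)
        self._support_hash = hashlib.sha256(support_token.encode()).digest()
        self.password_changed = False      # cleared at the factory
        self.support_open_until = 0.0      # epoch seconds; 0 means closed

    def _check_owner(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self._salt), self._pw_hash)

    def change_password(self, old: str, new: str) -> bool:
        if not self._check_owner(old) or len(new) < 8 or new == old:
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _kdf(new, self._salt)
        self.password_changed = True
        return True

    def process_payment(self, cents: int) -> str:
        # Option 3: refuse the device's real job while the default is still in use.
        if not self.password_changed:
            raise PermissionError("setup incomplete: factory password still in use")
        return f"approved {cents}"

    def open_support_window(self, owner_password: str, now: Optional[float] = None) -> bool:
        # Option 4: only the owner can turn the support account on, and only briefly.
        if not self._check_owner(owner_password):
            return False
        self.support_open_until = (time.time() if now is None else now) + self.SUPPORT_WINDOW_S
        return True

    def support_login(self, token: str, now: Optional[float] = None) -> bool:
        if (time.time() if now is None else now) >= self.support_open_until:
            return False  # closed: a valid token is useless to an internet-wide scanner
        return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), self._support_hash)


def provision(serial: str) -> Tuple[Device, str, str]:
    """Factory step: derive this unit's credentials and ship them on its label."""
    owner_pw, support_tok = factory_credentials(serial)
    return Device(serial, owner_pw, support_tok), owner_pw, support_tok


if __name__ == "__main__":
    dev, label_pw, label_tok = provision("SN-000123")   # constructed serial
    try:
        dev.process_payment(1999)
    except PermissionError as e:
        print("locked:", e)
    dev.change_password(label_pw, "correct horse battery")
    print(dev.process_payment(1999))
    print("support before window:", dev.support_login(label_tok, now=10.0))
    dev.open_support_window("correct horse battery", now=10.0)
    print("support inside window:", dev.support_login(label_tok, now=100.0))
```

The point of the contrast between `weak_default_password` and `factory_credentials` is that "unique per device" is not enough on its own: if the derivation needs nothing but the serial, every device is still effectively sharing one secret, namely the algorithm. The support window addresses graylights' objection that the owner never holds the support password: the owner does not need it, only the ability to decide when it works.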

------
x0x0
I get the low level carders (or whatever you call them -- the folks buying
card data and attempting to steal goods with it). If you're stealing $500
worth of gift cards at a time, it's not like you have many life alternatives.

But somewhere there's a series of folks that (1) engineered a Symantec breach;
(2) someone else either knew #1 or figured out how to get their hands on
source; (3) security audited said source; (4) scanned the internet to find
vulnerable servers; (5) pulled cards off those servers, and (6) sold them. It
seems like there's more than enough technical knowhow here that these folks
should be able to get software or security jobs, no? It doesn't seem like the
card thieves make so much money that the reward / federal pound-me-in-the-ass
prison ratio skews far enough.

And the more I read Krebs, the more I think I should get a $2k limit credit
card and use it for all purchases that aren't on Amazon.

~~~
cstejerean
That assumes that the people doing all of this are located somewhere where
better paying legitimate jobs are easy to come by. They usually aren't.

~~~
x0x0
Even if they don't, they seem like they have enough technical chops that said
jobs would find them...

~~~
thaumasiotes
> they seem like they have enough technical chops that said jobs would find
> them...

In my experience, jobs don't find you. By what mechanism do you think this
would happen?

~~~
dfox
That depends on your exposure to people interested in you working for them.
It's certain that when you are well connected jobs just find you. On the other
hand it is imaginable that for many people in computer security most "jobs
that find them" are not exactly ethical.

While I would not exactly position myself in computer security, I've got my
share of borderline black-hat offers, although in all cases the other party
believed that what they were doing was perfectly legal.

------
josephlord
Credit card numbers aren't particularly secret (if you think of all the retail
staff online, on the phone and offline that have access to them). The thing
that manages fraud and keeps the value of card numbers down is the difficulty
in converting card numbers to cash or goods safely and anonymously.

I'm slightly surprised that the gift cards scheme works as I don't see why
there couldn't be a revocation list for gift cards circulated amongst stores
that is added to when a chargeback occurs. Even if it doesn't it still exposes
the criminal when buying the gift card.

~~~
dfox
Security of the credit card industry is built not on hard computer security
principles but on auditing and the ability to point fingers. This breaks with
enough levels of indirection, and gift cards add such an additional level of
indirection.

Also, gift cards have a secondary (and probably more important) use for thieves.
A gift card is a legitimate-looking magstripe card that in many cases gets
processed in the same way as a card payment, so you can just write stolen
magstripe data onto a gift card and get something that does not raise suspicion
(the store clerk is not going to verify that the card number matches, or even
that the payment method matches).

------
Nursie
_Given how easy it is to buy stolen cards, encode them onto gift cards and
then use those cards to buy goods in big-box stores that can be easily resold
for cash, Lavey said he wonders why old-fashioned bank robberies are still a
problem._

EMV.

I know it's far from perfect, but it raises the bar considerably. You can't
just clone EMV cards that way. The USA really ought to try to catch up with
the rest of the world on this front.

------
burial
“The clerk told me they would come into the store in pairs, using multiple
credit cards until one of them was finally approved, at which point they’d buy
$500 each in prepaid gift cards,”

"We have two Family Dollar stores in Everett and a bunch in the surrounding
area, and these guys would come in three to four times a week at each
location, laundering money from stolen cards"

You would have thought they would report them.

~~~
ljf
You might think so, but a few years ago, when credit was crazy cheap in the UK
and they were just throwing credit cards at people, I had friends who would go
through this process each time they were picking up a bar tab. The credit card
company won't let you go over your limit, and don't forget that just a few
years ago there was no easy way to check your limit other than waiting for the
bill or calling the company.

I wouldn't be surprised if many people in the service industries still see
this type of multi card roulette daily.

I can imagine if the clerk did report his concerns, he'd likely be told they
were good customers so why rock the boat....

~~~
kalleboo
> I can imagine if the clerk did report his concerns, he'd likely be told they
> were good customers so why rock the boat....

Isn't the merchant liable for the chargebacks? Or in this case, who was
footing the bill for this fraud?

~~~
edent
The merchant may be liable - but the minimum wage clerk...?

~~~
aestra
Minimum wage clerk is not liable due to many laws that protect employees from
wage abuse without a judgement in court[1] but they can surely get fired for
negligence in reporting suspicious activity.

[1] http://www.seyfarth.com/dir_docs/publications/NEHT01120810.pdf

> As a practical matter, the Court's decision means that employers cannot
> safely take deductions for theft or damage to property unless fault and value
> have been determined by a court of law or government agency.

------
hyperion2010
One of the most striking things to me is this sentence: "Trustwave and other
companies that get hired to investigate breaches involving card data is that
far too many point-of-sale breaches start when the thieves abuse some kind of
remote access tool installed on the point-of-sale device itself."

We have an incredibly secure and successful piece of remote access software
(ssh) that is used on billions of computers and yet that sentence exists. It
seems that sometimes it's not just an engineering problem.

~~~
kijin
SSH is no better than some random Windows-based remote admin tool if the same
default password is used.

~~~
hyperion2010
Ah yes of course, and the portion that I quoted didn't include this tidbit
which I guess is what I was actually thinking about: “What the investigators
we’ve worked with so far have been able to gather is that [the thieves] were
exploiting not the pcAnywhere credentials, but a flaw in old versions of
pcAnywhere,”

Then again old versions of SSH are probably equally vulnerable.

It would seem that there is no substitute for having a real root who has
responsibility for the system, though perhaps the comment from nuxi7 is a
simple way to engineer around part of the problem. Sane defaults or in this
case an explicit lack of defaults could be useful.

------
cbhl
Considering how expensive point-of-sale systems are, I'm not surprised that
these systems are running old, vulnerable software. Heck, there are still ATMs
running OS/2 Warp in the United States; the only reason people don't hack
those is because it's so obscure.

My father still uses a small pre-computer cash register to this day; I've had
no luck convincing him to buy a new computerized one so he can accept credit
cards.

~~~
XERQ
I'm surprised these PoS systems aren't managed with automatic updates, since
the merchant service providers (along with the banks) are usually the ones
losing money if they get hit with chargebacks.

~~~
dfox
In Europe the typical deployment solves this problem (EMV is quite orthogonal
to this) by the fact that card data does not touch the PoS system itself. In
fact any other approach is not feasible, as PoS systems themselves are
invariably a horrible mess of accumulated kludges and backward compatibility
restrictions. And there are quite powerful economic incentives to keep this
state of things. Security-wise this is one of the few situations where a
semi-air-gapped network makes sense (for the PoS part, with card terminals
having their separate network).

------
nwh
Prolexic hosts this site, which for some reason kills connections from my
entire IP address range (residential DSL).

Wonder what one of my IPv4 neighbors did to piss them off.

~~~
cbhl
I've copied the plaintext here for you.

[http://pastebin.com/d4vFzJDC](http://pastebin.com/d4vFzJDC)

