
Subject: Urgent! CryptoPay Tap Exploit - Free Washes & Missing Transactions

Carwashmafia

Hi everyone,

I'm reaching out to see if anyone else has encountered a serious issue with the CryptoPay Tap system at car washes. I've been experiencing a situation where people seem to be exploiting the tap system, getting unlimited car washes for free.

Here's what's happening:

  • Customers are able to tap their cards hundreds of times on the CryptoPay Tap reader, and the transactions are getting declined.
  • However, despite the declined transactions, these same customers are still receiving unlimited time car washes.
  • On my end, there's no record of these attempted transactions in my CryptoPay account. The only evidence I have is video footage of these customers washing their cars for free.
I've already contacted CryptoPay support about this issue. They assured me it had been fixed. Unfortunately, the problem persists.

This is causing significant financial loss for my business.

Has anyone else on the forum experienced this with CryptoPay Tap?
 
Etowah

Carwashmafia

Mafia....what alerted you to this issue?
I suspect this is affecting others, too. Car wash owners using CryptoPay, be aware of a critical issue that's costing me money, and I believe it's impacting others as well.

The Problem:

  • I reviewed security footage and discovered customers washing their cars for extended periods without any record of payment in the CryptoPay system.
  • Shockingly, CryptoPay allows washes to proceed with credit cards and debit cards when the internet connection is slow or even down.
  • Here's the real kicker: customers have figured out how to exploit this! CryptoPay allows these washes to proceed even if the card swipe doesn't initially connect.
  • The Exploit: Customers can repeatedly swipe their cards multiple times, even if they're invalid! This essentially allows them to exploit the system and potentially steal a wash.
  • Even with a stable internet connection (like my high-speed Starlink) this exploit seems to be happening. CryptoPay's system appears to be overwhelmed by repeated swipes.

The Risk:

CryptoPay's approach creates a massive security risk for car washes, especially high-volume ones like mine. Someone with a bad card can exploit this by repeatedly swiping for a free wash, leaving you out of pocket with only camera footage as evidence.

CryptoPay is sending another coordinator to my location, supposedly to improve the wireless connection between the card readers and the Coordinator. I have 26 card readers at my high-volume car wash, and frankly, I'm not confident this will solve the underlying security issue. I'll keep you updated on the results. CryptoPay is aware of this problem but does not have a definite solution.

Please share any advice or similar experiences.
 

Flex- Wand

You know, Mafia, the other day I saw a lady on camera swipe repeatedly, vigorously, for a while, and was thinking most people just leave, but the wash turned on. To watch her, it was rough.
 

GoBuckeyes

Mafia,
At all my washes I keep an expired or voided credit card to swipe in all my devices (Hamilton, Cryptopay, Unitec etc.) just to make sure they're reading and attempting to process cards. Last week or the week prior, I tried the card on a Cryptopay tap on my ACW and shockingly it loaded a wash. It caught me off guard and I wrote it off as a fluke. Now I am going to have to double check and see if I can recreate the issue.
 

Carwashmafia

There's a serious issue with CryptoPay's car wash system. Evidence suggests a widespread vulnerability that could be silently draining money from YOUR business.

What's the Problem?

Car washes using CryptoPay might be unknowingly exposed to financial risk. This potential security hole could be costing you without you even realizing it.

What Needs to Happen?

  • CryptoPay Needs to Come Clean: We need them to publicly acknowledge the vulnerability and its scope so car washes can take action.
  • Fix It Fast!: CryptoPay needs to develop and deploy a solution as soon as possible.

The security of your business is on the line. We need to hold CryptoPay accountable for immediate action.
 

PaulLovesJamie

...
Shockingly, CryptoPay allows washes to proceed with credit cards and debit cards when the internet connection is slow or even down.
...
This is not shocking at all, in fact this is the way I want it to work for my unattended wash - I do NOT want my customers waiting and waiting and waiting on a slow verification, I want them to begin washing immediately, and then shut off the equipment if the verification fails and not allow that card to swipe again for some period of time.
IMO, what the equipment should do if the system is unable to verify is a more accurate description of the issue you've encountered.
And I'm not sure there is a simple or a one-size-fits-all answer to that question.

I do agree with you 100% that we need to know exactly how Cryptopay handles this, and a good solution if it is "exploitable".
 

Carwashmafia

Accepting any credit card, regardless of validity, to access services or equipment is a significant security risk that invites widespread fraud.

This lax approach creates a prime target for criminals to exploit, leading to substantial financial losses. Without rigorous transaction verification, businesses face a perfect storm of:

  • Increased Fraud: A lack of card validation encourages fraudulent activity, resulting in unauthorized charges and chargebacks.
  • Hidden Losses: Without detailed transaction records, the true extent of financial damage is difficult to assess, making it challenging to identify and prevent future losses.
  • Lack of Accountability: The absence of clear transaction data hinders the ability to pinpoint responsibility for fraudulent activities.
 

soapy

The Etowah Valley system will start the wash, but if it cannot get verification in 30 seconds it shuts the wash off. I get a few calls thinking they have been charged when they really haven't.
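
The policy PaulLovesJamie and soapy describe above (start immediately, shut off if verification does not arrive, refuse that card for a while), as an added sketch that is not part of any post and is not CryptoPay or Etowah Valley code. The class and function names are hypothetical, the 30-second timeout is soapy's figure, and the 15-minute lockout is an assumed value.

```python
VERIFY_TIMEOUT = 30   # seconds; the figure soapy gives for the Etowah Valley system
LOCKOUT = 15 * 60     # seconds; assumed, the thread only says "some period of time"

class BayController:
    """Hypothetical bay: start on swipe, stop if not approved in time, lock out the card."""
    def __init__(self, lockout=LOCKOUT):
        self.lockout = lockout
        self.pending = None            # (card, deadline) while awaiting the processor
        self.running, self.started = False, None
        self.locked_until = {}         # card -> time before which swipes are refused
        self.unpaid_seconds = 0        # run time delivered without an approval

    def swipe(self, card, now):
        self.tick(now)
        if self.running or self.locked_until.get(card, 0) > now:
            return False               # ignore swipes while running or locked out
        self.pending = (card, now + VERIFY_TIMEOUT)
        self.running, self.started = True, now
        return True

    def auth_result(self, card, approved, now):
        self.tick(now)
        if self.pending and self.pending[0] == card:
            if approved:
                self.pending = None    # paid: equipment keeps running
            else:
                self._stop_unpaid(now) # explicit decline: stop at once

    def tick(self, now):
        if self.pending and now >= self.pending[1]:
            self._stop_unpaid(self.pending[1])  # no answer in time: stop at the deadline

    def _stop_unpaid(self, when):
        card, _ = self.pending
        self.unpaid_seconds += when - self.started
        self.locked_until[card] = when + self.lockout
        self.pending, self.running = None, False

def unpaid_time(lockout, swipes_every=5, duration=600):
    """Unpaid seconds when one card is swiped every few seconds and never approved."""
    bay = BayController(lockout)
    for now in range(0, duration, swipes_every):
        bay.swipe("bad-card", now)
    bay.tick(duration)
    return bay.unpaid_seconds
```

With no lockout, `unpaid_time(0)` covers the whole ten-minute simulation, because every timed-out window is immediately followed by a fresh one; with the lockout the loss is capped at a single 30-second window.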
 

RAAOO7

There have been multiple issues on all my tap plus units. I have over 45 units at all my washes. There is an issue where it doesn't read the tap cards. Most of the time I have to power off the bay or vac for 10 seconds then turn it back on. This is getting very annoying for our customers and staff to keep doing this. I have called Cryptopay many times about this issue. They are "aware" and still don't have a fix for this. Always trying to blame the "internet" connection or wiring. I spent a lot of money, and if I knew this was going to happen I would have never switched from my swipers to tap plus units. I am very unhappy with the results.
 

Flex- Wand

I recently installed Cryptopay tap plus and swipe on a Goldline and been watching closely. I haven't approached or asked yet to see what type of card, but I'm noticing a lot of rejection. Well, I will take that back, some or few. Not sure if it's the card or the person, but have to find out before fall.
 

Greg Pack

Bumping this post. A local friend brought to my attention a problem he has been having with his swipers and thinks people have figured out a vulnerability similar to what has been described by carwash mafia. He sent me a screenshot of multiple declines.

You can't see the declines on cryptopay control panel but you can on virtual terminal. I've found several instances of multiple declines within a short time frame and will go back on video and see if I can figure out what is taking place.

His proposed solution is to have cryptopay program the system so they won't startup unless the card is validated.
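
One way to pull the pattern Greg Pack describes (several declines within a short time frame) out of a transaction export, as an added example that is not part of the post and is not CryptoPay software. The CSV column layout, reader names and sample rows are constructed, and the 60-second gap and 3-decline threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, reader, masked card, result.
# The layout is an assumption, not a documented CryptoPay or virtual-terminal format.
SAMPLE_ROWS = """\
2024-06-01T14:02:05,BAY-03,****1111,DECLINED
2024-06-01T14:02:09,BAY-03,****1111,DECLINED
2024-06-01T14:02:14,BAY-03,****1111,DECLINED
2024-06-01T14:02:20,BAY-03,****1111,DECLINED
2024-06-01T14:10:00,BAY-01,****2222,APPROVED
2024-06-01T14:31:40,BAY-05,****3333,DECLINED
2024-06-01T15:45:00,BAY-05,****3333,DECLINED
"""

def parse_rows(text):
    """Yield (timestamp, reader, card, result) tuples from the export text."""
    for line in text.strip().splitlines():
        ts, reader, card, result = (field.strip() for field in line.split(","))
        yield datetime.fromisoformat(ts), reader, card, result.upper()

def find_decline_bursts(rows, max_gap=timedelta(seconds=60), threshold=3):
    """Group declines per (reader, card) into runs whose consecutive declines
    are at most max_gap apart; report runs with at least `threshold` declines."""
    by_key = defaultdict(list)
    for ts, reader, card, result in rows:
        if result == "DECLINED":
            by_key[(reader, card)].append(ts)
    bursts = []
    for (reader, card), stamps in by_key.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [None]:      # None flushes the final run
            if ts is not None and ts - run[-1] <= max_gap:
                run.append(ts)
                continue
            if len(run) >= threshold:
                bursts.append({"reader": reader, "card": card, "first": run[0],
                               "last": run[-1], "declines": len(run)})
            run = [ts]
    return sorted(bursts, key=lambda b: b["first"])

if __name__ == "__main__":
    for b in find_decline_bursts(parse_rows(SAMPLE_ROWS)):
        print(f'{b["reader"]} {b["card"]}: {b["declines"]} declines '
              f'{b["first"]:%H:%M:%S}-{b["last"]:%H:%M:%S} (check video for this window)')
```

Each reported window gives a reader and a start and end time to look up on camera, which is the manual step described in the post.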
 

Overachiever

If your preauth is $5 and you have $6 in your account, then spend $20 on count up, does it just let you use $20 worth of time and then decline the charge?
 

Greg Pack

If your preauth is $5 and you have $6 in your account, then spend $20 on count up, does it just let you use $20 worth of time and then decline the charge?
I'm pretty sure you get a chargeback for $14.

I've changed my preauth to 10.02 to hopefully bounce a $10 gift card.

This is not what is happening in this instance though. The customer is getting services and the owner has no idea that this is happening. It is also not limited to just tap plus, but any Cryptopay device.
 

Carwashmafia

Bumping this post. A local friend brought to my attention a problem he has been having with his swipers and thinks people have figured out a vulnerability similar to what has been described by carwash mafia. He sent me a screenshot of multiple declines.

You can't see the declines on cryptopay control panel but you can on virtual terminal. I've found several instances of multiple declines within a short time frame and will go back on video and see if I can figure out what is taking place.

His proposed solution is to have cryptopay program the system so they won't startup unless the card is validated.
Cryptopay suggested this solution to prevent fraud, but it wouldn't work for me. That's because my car wash is completely cashless. If the internet goes down, even for a short time, I'm essentially out of business.
 