Buy Here-Pay Here Gains Unwanted National Attention

The buy here-pay here industry garnered significant international attention in mid-Feburary when a disgruntled ex-employee of Texas Auto Center in Austin, Texas allegedly used the password of a co-worker to gain access to the dealership’s computer system and shut-down nearly 100 vehicles.

The employee was able to get gain access to Pay Technologies LLC, GPS and starter-interrupt system and disabled vehicles, ordered nearly $130,000 of the WebTeck starter-interrupt devices from Pay Technolgies, activated vehicle horns, which help repo agents locate hidden vehicles, and even changed customer names in the system such as, Tupac Shukar, the dead rapper.

Joe Estrada, a manager at Texas Auto Center, said the tampering incidents occurred over a weekend in mid-February, and he and the staff were quickly inundated with dozens of complaints from customers on the following Monday.

Estrada said he quickly contacted Austin police to report what was obvious tampering with his computer system. With the help of Pay Technologies, the alleged perpetrator, Omar Ramos-Lopez, 20, was eventually arrested and charged with felony breach of computer security.

James Krueger, president and CEO of the Cleveland, Ohio-based firm, Pay Technologies, said his systems have the ability to track all login and password usages that gain access to a dealer’s system, and his tech staff was able to determine from where the security breach had occurred.

Austin police said Ramos-Lopez used a former colleague’s password to deactivate starters and set off car horns. Several car owners said they had to call tow trucks and were left stranded at work or home.

Customers began calling the dealers to reporttheir cars wouldn’t start, or that their horns were going off incessantly, forcing them to disengage the battery.

“He caused these customers, now victims, to miss work,” Austin police spokeswoman Veneza Aguinaga said. “They didn’t get paid. They had to get tow trucks. They didn’t know what was going on with their vehicles.”

Ramos-Lopez was in the Travis County Jail on in mid-March with bond set at $3,000.

Kreguer maintains this is the first time his system has been breached, and that there are “hundreds of thousands of these units in service and working 24/7.” He notes that while many of the hundreds of print and electronic news stories published in throughout North America referred to Ramos-Lopez as “hacker” the system wasn’t truly hacked. Kreuger said this was a case of “insider invasion.”

“He knew how to activate the WebTeck system connected to vehicles, which is generally only activated when the owners fail to pay,” Kreuger stated in a press release.

Kreuger was busy for several days in mid-March when media outlets from across the country and around the world called his Cleveland, Ohio, offices for details on what amounts to the first major incident of its kind involving the now very popular starter-interrupt devices.

Starter-interrupt and GPS devices have been around for almost 25 years now, but truly gained acceptance in 2000, when Mel Farr, a former Detroit Lion cornerback, and franchised and buy here-pay here dealer in Detroit was sued by two of his customers who claimed he had shut their vehicles off while they were driving.

A several month long court battle was dropped after it was determined the devices could not shut a vehicle off while they were driving because of fail-safe systems, which prevent such a safety hazard from occurring. The judge at the time, did rule that use of the devices to shut off a vehicle for non-payment were just like a public utility shutting off power or electricity or water to a home owner or renter for non-payment.

Within months of that decision being reported in national trade publications, vendors were regularly selling the devices as a means to curtail delinquencies and help locate skips. Today, the devices are ubiquitous not only among buy here-pay here dealers but also among many subprime finance companies.

Kreuger said its was because of the PayTeck software system, the necessary information was captured and provided to the Austin police department. The police examined those records and traced the unauthorized access back to Omar Ramos-Lopez.

Others in the payment assurance technology industry were quick to point out the need for industry-wide standards to avoid similar occurrences to what happened in Austin, and the greater care among the dealers to maintain the utmost security in their computer systems.

Estrada said he’s been in the buy here-pay here business for 10 years and has been using the devices for two years without incident. He said new security measures are now in place at the dealership and all steps have been taken to avoid a similar occurrence.

“It’s been very stressful and embarrassing for us,” Estrada said. “We have apologized to our customers, but we’re pleased we were able to rectify the situation quickly and were able to find who we believe to be the perpetrator.”

This story gained quick international attention, because of the obvious growing technological intrusions in the lives of average citizens. The story appeared for three days on the home page of the Drudge Report, an international, mostly political Web site, which gets about 1.9 million visitors a day. It was picked up by the wire services, bloggers, international newspapers and electronic media, TV stations, and was the talk of many a morning radio show hosts across the U.S.

“What we hope dealers take away from this story is that it’s important to manage logins and passwords carefully, and to invest in a system that is secure and backed up by the type of technological support that will ensure that any breaches, should they occur, are managed efficiently and effectively,” Krueger said.