Security Review: Michael’s Toyota Service Center

By jessicaf at 8:18 pm on March 14, 2008 | 2 Comments

My check engine light came on last week, so I called up Michael’s Toyota Dealership and Service Center in Bellevue, WA.  I made an appointment and had my husband bring the car into the shop and take a shuttle to work.  Later in the afternoon, the car is finished and I start walking over to the dealership to pick up my car.  With my mind on a hundred other things, I had left my purse at home!  With no time to go back home before the dealership would close, I decided just to try to get the car and hope it wasn’t going to cost me anything and that I wouldn’t need any ID to pick it up.  I told the Service Center attendant I was there for my car and what my last name was.  She typed it into the computer, found the service number, and called for the car to be brought up to the front.  Everything was covered under warranty, so I climbed into my car and went on my merry way.  So why do I tell you all this?  Because it seems to me that I could have picked up any old car with just a last name.

How to steal a car

First of all, the car was purchased at Michael’s Toyota by my husband, Dan.  Only his name is on the title and in the database at Michael’s.  I obviously am a female and Dan is a male name, but that did not spark any concern in the attendant.  I was not even the one who dropped off the car, so they certainly could not have recognized me.  I showed no ID, no other information other than my last name.  Now think about this… sure this was convenient for me, but it kinda makes you worry.  It seems awfully easy to come in with some one’s last name and pick up a car that does not belong to you.  Now you have the keys, no damage to the car, and a newly washed car to do whatever you feel like.

It wouldn’t be too hard to figure out the last name of someone who had dropped off their car to be fixed.  An adversary could eavesdrop in the morning when a customer drops off their car.  They could just try some common last names, though that might get them into trouble if they are wrong.  Social engineering could also be used.  An adversary could ride in the van with other customers and strike up a friendly conversation.  Then, they could introduce themselves (of course with a fake name) and get the customer’s name. 

Who would do this?

There are a lot of adversaries that could be interested in stealing a car.  Organized crime, individuals in need of a car, young adults looking for some fun, and others are all potential adversaries.  A stolen car could then be sold or just used by the thief.  Even though stolen cars would be hard to sell because there is no title with it and the serial number inside the car would come up as stolen if someone looked into it, stolen cars can be smuggled out of the country and sold overseas.

Shouldn’t Michael’s have a more stringent security policy?

At first glance it seems like this could be a big problem, but really there are many defenses involved.  Not much defense in the way of prevention, but the threat of consequences is enough to deter most adversaries.  The theft of a vehicle is easily detected.  When the rightful owner comes to pick up their vehicle and it has already been picked up, the car can be reported as stolen.  Once a car is reported as stolen, the police will be watching the roads to see the license plate.  You could change the plates, but it would be hard to get legal ones because the DMV checks the serial number on your car when you register it.  Even if you could forge one, if you ever got pulled over, the cops would check your license plate against their database and find that it is fraudulent.  In the United States, 1.3 million cars are stolen each year.  Two-thirds of these are recovered (

Another deterrent is video surveillance.  When a customer finds that their car has been picked up by someone else, Michael’s could go back through video records to see who picked it up.  This is assuming that the service center keeps good records of when customers picked up their car and who helped them.  Otherwise it would be hard to know where in the video, the car was picked up.   

A conviction of grand theft auto comes with heavy penalties.  In some states, it carries up to 20 years in prison for a first offense (  As you can see, there are many measures in place to deter people from stealing cars.  I don’t think Michael’s needs to change its policies because there are so many detection and response methods to help deter adversaries and laws and governmental agencies to help recover cars if they are stolen. 

Side Note: The Seattle/Bellevue/Tacoma metropolitan area ranked sixth in the nation for the highest rate of car thefts.  33,494 cars were stolen in 2005 which equates to a rate of 1,057.60 stolen cars for every 100,000 people (

Filed under: Physical Security,Security Reviews2 Comments »


  • 1
    Get your own gravatar for comments by visiting

    Comment by John Turner

    April 15, 2008 @ 5:32 am

    Nice analysis.

    My dealership is completely different. To pick up your car, even if it is ready and you know its ready, you have to meet with your service advisor to go over the bill.

    Second, you don’t get anything unless you pay the bill.

    Third, after you pay the bill, they give you a ticket with a number on it, and they radio back to a porter to bring your car up.

    Fourth, when the porter brings your car up, you have to give him/her the ticket you got after paying your bill…no ticket, no vehicle, even if you have a convincing story.

    Threat of consequences isn’t all that much of a deterrent if you ask me.

    Getting a valid plate is easy…all you have to do is swap plates with another vehicle that looks like the one you stole. Check big parking lots like shopping malls, airport parking lots, hotels, etc. Find a vehicle like yours (pretty easy to do unless you’re driving a Bentley or something) and swap the plates.

    Even better…carry with you a few temp forms that most DMVs issue for temporary plates. Any inkjet printer can print out a reasonable facsimile. In my state, for example, its just a form with a date written on it using a Sharpie. Steal a vehicle, take the plate off, fill out a date on your fake form for 4 or 5 days in the future, and slap the fake temp form in your back window.

  • 2
    Get your own gravatar for comments by visiting

    Comment by car moving

    May 9, 2008 @ 12:25 pm

    If you need that car of yours moved from one state to another, my company transports cars nationwide, check out my web site at –, thanks.

RSS feed for comments on this post