Jump to content

How hackers gave Subway a $3 million lesson in point-of-sale security


Recommended Posts

.

irLyD.jpg

How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Published about 14 hours ago

hacked-sandwich-4ef0ccf-intro-thumb-640xauto-28675.jpg

Update: this story has been corrected and amended based on information received from Richard James of sendpace.com.

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

"This is the crime of the future," said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, "root them from across the planet, and steal digitally."

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses' generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

"With PCI compliance, those apps shouldn't be on those systems," said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But because small retailers who don't store credit card data, they're not required to have the same level of auditing as larger companies, Fellmann said.

In the case of Subway restaurants, those requirements were provided to franchisees. But according to Evan Schuman, editor of retail technology trade site StorefrontBacktalk, some of the franchisees "directly and blatantly disregarded" Subway's security and POS configuration standards. "It's not like they had to install something and they didn't," Schuman told Ars. "They did it proactively," he said, downloading low-cost remote desktop software from the Internet and refusing to use point-to-point encryption as Subway dictated.

The Justice Department alleges that the hackers gained access to the remote desktop software by guessing or "cracking" the passwords they were configured with. Fellmann isn't surprised, based on his experience with retailers. Weak passwords, such as "password," are one of the most common things he discovers during POS penetration testing, he said. "Some people, you tell them what's required, and they'd rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place. " But, he said, "these people weren't thinking about point of sale security—they were just thinking about making a sandwich."

Skimming the till

Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.

Collected data from the loggers was posted by the malware to FTP "dump" sites on a number of Web servers in the US created with domains they registered using stolen credit card data through GoDaddy.com. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to sendspace.com, a file transfer site. Richard James of sendspace.com says that his company cooperated with the FBI in the investigation of the hack. " Sendspace [is] a file hosting and transfer site used by millions every single day," he said in an email to Ars Technica,"and as such can indeed be used for activities which are against our TOS and that we do not condone."

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards "among other uses [to] place bets at local French 'tobacco' shops," the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

According to a report by Schuman, Subway's corporate IT and a credit card company discovered the data breach "almost simultaneously." Subway Corporate Press Relations Manager Kevin Kane told Ars that "the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it." He said the company wouldn't discuss the measures taken, as "we don't want to give away the blueprint" to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

But it wouldn't have taken cyber-security genius to figure out something was amiss. The dump site domains registered by the hackers included "tushtime.info" and "justcensoredit.info" —which, if any sort of traffic logging was done on POS systems, would have certainly aroused the attention of a system administrator.

Source: http://arstechnica.c...le-security.ars

--End

Steve

Link to post
Share on other sites

  • 3 weeks later...

Damn. This is the first time I'd ever heard of this.

Working for a company which, though different, uses somewhat similar POS systems, so may end up passing the information on to them (assuming I can get there attention). I also eat at Subway once every few weeks, going back a couple of years - Luckily, I was never hit, and, I'm extremely vigilant with tracking my assets, so I'd definitely know very quickly if I was. But the potential for it is worrying. Surprising how little care many big organisations out there give to their security systems. Have found a number of them before myself which I'd love to share, though it's probably better that I don't.

Definitely an interesting read - Thanks for sharing. :)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.