You know what’s scary? The fact that even when using every
security precaution at my disposal, my information is still at risk because the
morons I deal with on a daily basis don’t take my digital security seriously.
In this case, the morons are the IT folks at Subway
restaurants whose point of sale (PoS) terminals were compromised by a group of
Romanian hackers.
Dolan (hacker No. 1) admitted that he, along with Oprea (hacker No. 2), remotely hacked into U.S. merchants’ “point-of-sale” (POS) or “check out” computer systems, where customers’ payment card data was electronically stored. Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called “keystroke loggers” (or “sniffers”) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data. [DOJ]
According to the U.S. Department of Justice, the hackers
stole credit card information for nearly two years, obtaining more than 146,000
credit card numbers and stealing over $10 million.
The pair of hackers were charged last December and
extradited from Romania in May and have just this past week plead guilty as
part of a plea deal.
While such an egregious absence of security considerations
seems completely mind blowing to us security-minded folks at SumRando, it’s
probably safe to assume that if data at a company as large as Subway can be
breached so easily, there are certainly other easy marks out there.
No comments:
Post a Comment