You know what’s scary? The fact that even when using every security precaution at my disposal, my information is still at risk because the morons I deal with on a daily basis don’t take my digital security seriously.
In this case, the morons are the IT folks at Subway restaurants whose point of sale (PoS) terminals were compromised by a group of Romanian hackers.
Dolan (hacker No. 1) admitted that he, along with Oprea (hacker No. 2), remotely hacked into U.S. merchants’ “point-of-sale” (POS) or “check out” computer systems, where customers’ payment card data was electronically stored. Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called “keystroke loggers” (or “sniffers”) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data. [DOJ]
According to the U.S. Department of Justice, the hackers stole credit card information for nearly two years, obtaining more than 146,000 credit card numbers and stealing over $10 million.
The pair of hackers were charged last December and extradited from Romania in May and have just this past week plead guilty as part of a plea deal.
While such an egregious absence of security considerations seems completely mind blowing to us security-minded folks at SumRando, it’s probably safe to assume that if data at a company as large as Subway can be breached so easily, there are certainly other easy marks out there.