Subway Sandwich’s $3M Security Lesson

Weak Link

Instead of coming in with guns and robbing the till, criminals can target small businesses and steal from them digitally, from anywhere on the planet.  The tools used in the crime are widely available to anyone willing to take the risks, and small businesses' generally poor security practices and reliance on inexpensive software packages make them easy pickings.

ArsTechnica reports that, in a scheme dating back at least to 2008, a band of Romanian hackers has been stealing payment card data from the point-of-sale (POS) systems of hundreds of small retail businesses, including over 150 Subway restaurant franchises, ringing up over $3 million in fraudulent charges.  In an indictment unsealed in a New Hampshire court, the hackers are alleged to have gathered the credit and debit card data of over 80,000 victims.

The methods used by the attackers were not sophisticated.  The compromised systems were located by scanning ranges of IP addresses for any system running a specific type of remote desktop access software (a port scan).  The software was either unprotected or guarded only by weak passwords, and it provided back-door access to the POS systems.  Remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.  Because small retailers aren't audited to the same degree as larger companies, this can go unnoticed.  In the case of Subway restaurants, requirements were provided to the franchisees, but Subway's security and POS configuration standards were blatantly disregarded.

Once they were in, the hackers deployed their tools to the POS systems, including keystroke loggers, data capture tools, and backdoor malware, both as a fallback in case the remote control software was removed, secured, or otherwise fixed, and to interfere with patches and security control updates.  The data collected was automatically posted to FTP "dump sites" on a number of Web servers in the US that had been registered and hosted using some of the stolen credit card data.
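The two steps described above, password guessing against an exposed remote-access service and a POS host pushing its capture to an FTP dump site, both leave traces in ordinary connection and authentication logs. The script below is an added example, not code from the article or from Subway, that runs two detections over a constructed log excerpt: a burst of failed remote-access logins from an external address (followed by a success), and an outbound FTP connection from a payment terminal to an address outside the store network. The log format, host addresses, port numbers and the name "remote-desktop" are all invented for the example; a real deployment would read the equivalent fields from its firewall or VNC/RDP server logs.

```python
"""Constructed detection example: flag password-guessing against a remote-access
service and outbound FTP from point-of-sale hosts. The log format, addresses and
thresholds are invented for this example; the article names no product or logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not from the article). Fields: time, event, key=value pairs.
SAMPLE_LOG = """\
2011-12-08T02:14:05 LOGIN_FAIL src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T02:14:06 LOGIN_FAIL src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T02:14:08 LOGIN_FAIL src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T02:14:09 LOGIN_FAIL src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T02:14:11 LOGIN_FAIL src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T02:14:12 LOGIN_OK src=203.0.113.9 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T09:00:00 LOGIN_FAIL src=10.0.5.2 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T09:00:30 LOGIN_OK src=10.0.5.2 dst=10.0.5.21 port=5900 svc=remote-desktop
2011-12-08T03:05:40 CONN src=10.0.5.21 dst=198.51.100.44 port=21 svc=ftp
2011-12-08T03:06:02 CONN src=10.0.5.21 dst=10.0.5.2 port=21 svc=ftp
2011-12-08T03:10:00 CONN src=10.0.5.21 dst=198.51.100.80 port=443 svc=https
"""

POS_HOSTS = {"10.0.5.21"}  # constructed: addresses of the payment terminals
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed store network


def parse_log(text):
    """Turn each log line into a dict with parsed time and integer port."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["time"] = datetime.fromisoformat(ts)
        rec["event"] = event
        rec["port"] = int(rec["port"])
        events.append(rec)
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: {...}} for external sources with at least `threshold` failed
    remote-access logins inside any span of length `window`, and note whether
    the same source later logged in successfully (guessing that worked)."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if (e["event"] == "LOGIN_FAIL" and e["svc"] == "remote-desktop"
                and is_external(e["src"])):
            fails[e["src"]].append(e["time"])
    hits = {}
    for src, times in fails.items():
        start = 0  # sliding window over the (already sorted) failure times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    succeeded = {e["src"] for e in events if e["event"] == "LOGIN_OK"}
    return {src: {"failures": n, "then_succeeded": src in succeeded}
            for src, n in hits.items()}


def detect_outbound_ftp(events, pos_hosts=POS_HOSTS):
    """Return sorted (src, dst) pairs where a POS host opened FTP (port 21)
    to an address outside the store network; internal FTP is ignored."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["event"] == "CONN" and e["port"] == 21
                   and e["src"] in pos_hosts and is_external(e["dst"])})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password guessing:", detect_password_guessing(evs))
    print("outbound FTP from POS:", detect_outbound_ftp(evs))
```

The internal-network check matters in both rules: the store's own back-office machine fails a login and uses FTP in the sample too, and neither event should page anyone. In practice the second rule is stronger as a firewall policy than as a detection, since a payment terminal has no business initiating FTP to the Internet at all.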

Subway's corporate IT and a credit card company both discovered the data breach.  Subway's PR Manager says IT moved quickly to block the theft of data.