Subway POS H@xx0rd

BiscuitintheBasket

http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars



How hackers gave Subway a $3 million lesson in point-of-sale security



For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.



In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

"This is the crime of the future," said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, "root them from across the planet, and steal digitally."



The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses' generally poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one, Marcus said.



While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn't have.



"With PCI compliance, those apps shouldn't be on those systems," said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But small retailers who don't store credit card data are not required to have the same level of auditing as larger companies, Fellmann said.



In the case of Subway restaurants, those requirements were provided to franchisees. But according to Evan Schuman, editor of retail technology trade site StorefrontBacktalk, some of the franchisees "directly and blatantly disregarded" Subway's security and POS configuration standards. "It's not like they had to install something and they didn't," Schuman told Ars. "They did it proactively," he said, downloading low-cost remote desktop software from the Internet and refusing to use point-to-point encryption as Subway dictated.



The Justice Department alleges that the hackers gained access to the remote desktop software by guessing or "cracking" the passwords they were configured with. Fellmann isn't surprised, based on his experience with retailers. Weak passwords, such as "password," are one of the most common things he discovers during POS penetration testing, he said. "Some people, you tell them what's required, and they'd rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place." But, he said, "these people weren't thinking about point of sale security—they were just thinking about making a sandwich."





Use above link for more of the article
 

bri

I would hate to think I got screwed over by my tuna sub. Luckily I always just pay cash there.
 

LordKOTL

It's why I watch my account balances like a hawk. Good read, man!
 

Shantz My Pants

I'm the same way, LordKOTL; I check my account balances daily. I frequent the same places for gas, food, strippers, coffee, so I typically notice when something is not at a location I made a purchase from.
 

LordKOTL

I'm usually the same way, but like last week, when I made a road trip to LA and back to get Miška's passport changed to her married name (Closest Consul office), you sometimes don't have that luxury.



I will say this though: avoid Oxnard, CA if you can. Nothing to see there. Weed, however, is gorgeous.
 

ytsejam

I'm usually the same way, but like last week, when I made a road trip to LA and back to get Miška's passport changed to her married name (Closest Consul office), you sometimes don't have that luxury.



I will say this though: avoid Oxnard, CA if you can. Nothing to see there. Weed, however, is gorgeous.



They make really nice CNC machines there too.

I want one.
 

LordKOTL

Weed or Oxnard?
 

the canadian dream

I think I am one of the rare ones who still carries cash and avoids using debit transactions. I try to use debit as little as possible and I find using cash allows me to track my spending budget easier.

Really has nothing to do with the story. I just wanted to show how awesome I am.
 

klemmer

I think I am one of the rare ones who still carries cash and avoids using debit transactions. I try to use debit as little as possible and I find using cash allows me to track my spending budget easier.

Really has nothing to do with the story. I just wanted to show how awesome I am.



Your dancing boy signature decreases your awesomeness by a significant degree.
 

bookjones

Your dancing boy signature decreases your awesomeness by a significant degree.





<
On fact and principle.







And because promoting The Bieb via a sport forum signature gif is akin to a United Nations-worthy crime against humanity decree I'm gonna
<
your post again for good measure.