What to learn from the $10 million Subway POS hack
By Sarah Jacobsson Purewal
PCWorld, Sep 20, 2012 3:16 pm PDT
Two Romanian hackers will serve time for targeting Subway in a $10 million point-of-sale conspiracy involving 150 restaurants in 2011.
Iulian Dolan pleaded guilty Monday to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Cezar Butu pleaded guilty to one count of conspiracy to commit access device fraud. Dolan was sentenced to seven years in prison while Butu received 21 months. The third alleged hacker is awaiting trial in New Hampshire, while a fourth remains at large.
It’s not just the hackers who are to blame, however; Subway’s sloppy business practices left the chain vulnerable.
Remote access software—the weakest link
The hacking scheme exploited remote desktop software installed on the computers connected to the point-of-sale (POS) devices. Remote access software allows a third party to access a PC or other device, usually for the purpose of updating, repairing, or otherwise monitoring said device.
In this particular hack, Dolan identified vulnerable POS systems using the Internet. Next, Dolan hacked into these systems using the pre-installed remote desktop software, and installed key-logging software on them. The key-logging software allowed Dolan to record all of the transactions that went through the compromised systems, including customers’ credit card data.
Dolan then transferred the credit card information to dump sites, where it was used to make unauthorized purchases and transfers by Oprea and, to a lesser extent, Butu.
In a similar—perhaps related—case in 2009, Romanian hackers targeted the POS systems of several Louisiana restaurants. These systems were also hacked via exploitation of remote access software, which had been installed by the devices’ reseller, Computer World (no relation to the IDG publication, Computerworld), for the purpose of providing remote support.
How not to get hacked
This type of hack is a cautionary tale for both consumers and small business owners, who may not even realize their point-of-sale devices are running pre-installed remote access software.
Remote access software can be a godsend for business owners who aren’t all that tech-savvy, since it allows someone offsite to control and troubleshoot a device from afar. If your device has remote access software installed, take these steps to help keep the hackers away:
Regularly check your Windows Task Manager (press Ctrl+Alt+Delete and click “Start task manager”) to ensure that there are no shady processes running when they shouldn’t be.
Change the default password of the remote access software.
Update your computer regularly and use a good antivirus program, which will help keep sketchy programs (such as keyloggers) from being installed on your computer.
According to Verizon’s 2012 Data Breach Investigations Report, 97 percent of data breaches are avoidable using simple measures, such as using firewalls on all Internet-connected services, changing default credentials, and monitoring third parties that manage your business’s point-of-sale systems.
In other words, if there is remote access software installed on your point-of-sale computer because a third party needs to access it, it’s very important to ensure that that third party also keeps its security up to par.