Breach Exposes POS Vulnerabilities

Hackers Sentenced; Court Docs Reveal Attack Details

By , September 19, 2012.

Two Romanian hackers pleaded guilty to roles they played in the point-of-sale attacks that hit 100 Subway sandwich shops and other U.S. retailers. And details revealed in court expose common POS security vulnerabilities that remain a concern for smaller merchants and their banking institutions.


The breach, carried out by remotely compromising Internet-connected POS devices and systems operated by numerous retailers, including Subway, exposed more than 146,000 cards and has been linked to more than $10 million in fraud losses.

Gray Taylor, executive director of the Petroleum Convenience Alliance For Technology Standards, says these types of POS attacks pose increasing concern to all players in the payments industry.

"This type of attack that affected Subway is exactly what everyone is worried about," Taylor says. "You can be PCI compliant and have your devices PA-DSS [Payment Application Data Security Standard] approved. But if they leave networks open or default passwords in place, then they're going to be breached."

To help retailers address some of those common network vulnerabilities, PCATS, the Coalition of Associations for Retail Data Security and the National Restaurant Association are assisting smaller merchants with basic security steps - steps that address risk mitigation rather than security standard compliance, Taylor says.

"At PCATS, we have developed a list of eight points for POS security," he says. "If Subway had these eight points, then it would not have been breached."

The 8-Point Data Security Plan, as the NRA refers to it, aims to simplify POS security.

Liz Garner, director of commerce and entrepreneurship at the NRA, says the association is working with organizations like CARDS and PCATS to help restaurants look beyond Payment Card Industry Security standards.

"We're trying to educate restaurateurs about security," Garner says. "They just need a simple guide that provides the very basics. PCI is too complex."

The Pleas and Attack

Iulian Dolan and Cezar Butu, both of Romania, pleaded guilty to charges brought against them by the Department of Justice in late 2011 for the roles they played in the Subway breach. Dolan pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit access device fraud and was sentenced to seven years in prison. Butu pleaded guilty only to conspiracy to commit access device fraud and was sentenced to 21 months.

Two others, Adrian-Tiberiu Oprea and Florin Radu, also were indicted. Oprea is in U.S. custody and awaiting trial in New Hampshire. Radu remains at large.

In the plea, Dolan told the court he and Oprea remotely hacked POS systems where payment card data was electronically stored. Dolan admitted to first scanning the Internet remotely to identify U.S.-based POS systems that were vulnerable because of certain remote desktop software applications (RDAs). Dolan said he used those RDAs to log on to POS systems over the Internet.

Though many of the POS systems were password protected, Dolan cracked the passwords and, where necessary, gained administrative access. He then remotely installed keyloggers or sniffers to record and store all card data that was keyed in or swiped at the POS.

From there, Dolan said he retrieved payment card data from the compromised systems and transferred that data to various dump sites, where Oprea could access the data to attempt using the stolen card information for unauthorized charges or funds transfers from accounts.

Dolan admitted to stealing data belonging to approximately 6,000 cardholders. He also said he received approximately $5,000-$7,500 in cash and personal property from Oprea for his efforts.

Butu, in his plea, said Oprea provided him with access to the dump site where the stolen card data was stored. Butu also admitted to attempting to use stolen card data for unauthorized charges or funds transfers, as well as sale or transfer to co-conspirators. Butu said he acquired stolen card data belonging to approximately 140 cardholders.

Alarming Trend

Taylor of PCATS says the Subway case highlights an alarming trend.

Follow Tracy Kitten on Twitter: @FraudBlogger
