Subway Breach: Hacker Sentenced

Prison Time for First of Four Accused Romanians
Subway Breach: Hacker Sentenced

As the Zaxby's restaurant breach investigation begins, another high-profile point-of-sale breach has resulted in a prison sentence.

See Also: Silos: Banking's Silent Menace

A federal district courtin New Hampshire recently sentenced one of the four Romanians indicted in late 2011 for the roles they allegedly played in a multimillion-dollar fraud scheme that struck more than 200 U.S. merchants and compromised more than 80,000 U.S. consumers.

The scheme, which targeted merchant computer networks, including one used by restaurant chain Subway, spanned two years and compromised at least 40 million debit and credit cards, authorities say.

On Sept. 17, Cezar Butu of Ploiesti, Romania, admitted he participated in a conspiracy to hack into hundreds of U.S.-based computers to steal payment account numbers and detail when he pleaded guilty to conspiracy to commit access device fraud. On Jan. 7, he was sentenced to serve 21 months in prison.

Authorities charge that from 2008 through May 2011, Butu, along with Iulian Dolan, who also pleaded guilty Sept. 17, and alleged co-conspriators Florin Radu and Adrian-Tiberiu Oprea, remotely hacked POS and checkout systems to steal credit, debit and prepaid card data. More than 150 Subway restaurant franchises were among those targeted, investigators say. The compromised card data is believed to be linked to millions of dollars in unauthorized transactions.

Butu and his co-conspirators used stolen payment card data to make unauthorized purchases and funds transfers from cardholders' accounts, authorities say. Butu admitted in his plea that he repeatedly asked an alleged co-conspirator to provide stolen payment card data. He said that the alleged co-conspirator then gave instructions for accessing a website where a portion of the stolen payment card data was stored. Butu later attempted to use the stolen payment card data to make unauthorized charges or funds transfers from the accounts.

Butu also attempted to sell or transfer stolen payment card data to other co-conspirators for use in a similar manner, according to his plea. Butu admitted to acquiring stolen payment card data belonging to about 140 cardholders during the course of the scheme.

Dolan pleaded guilty to charges of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, has already agreed to serve a seven-year sentence. His sentence hearing is set for April 4. Oprea is scheduled for trial on Feb. 20. Radu remains at large.

Network Hacks Expose Card Details

Earlier this month, a breach similar to the one involving Butu and his co-conspirators struck Atlanta-based Zaxby's Franchising Inc.

The source of the attacks was not disclosed in the Jan. 11 Zaxby's statement, but the restaurant chain says compromised computer systems at certain locations were found to have been infected by malware and other suspicious files. The compromised systems were discovered after several locations were identified as common points of purchase for payment cards linked to fraudulent activity, Zaxby's spokeswoman Debbie Andrews says.

Andrews says the systems that were breached include a combination of locally managed computer and point-of-sale systems.

Gartner analyst Avivah Litan, a fraud expert, says attacks against retailers' networks or computer systems, which affects a database that has stored or temporary files containing sensitive information, continue to plague the industry.

"Now the weak link is what they're doing locally, and what they're storing on systems that run parallel to the POS," Litan says in reference to the Zaxby's breach. "That's not to say we still don't have holes out there in processing to address; but in this particular case, it sounds like what they were doing locally was the issue."

Secret Service's Advice for Banks

In 2012, Erik Rasmussen , a special agent within the Cyber Intelligence Section of the Secret Service's Criminal Investigative Division, said the Subway case and others highlight network and system vulnerabilities many U.S. merchants have failed to address.

"POS systems need remote access for systems repair," Rasmussen said. "But if you're a retailer that is using all the defaults for passwords, as an example, you can see how easy it is to compromise."

He said that nearly half of the card breaches investigated by the Secret Service involved malware, adding that the retail, food and beverage, and hospitality sectors are the most vulnerable. "Once the hackers get into the system, it's all become too easy for them."

But card-issuing institutions can take steps to mitigate their risk, even if they can't control the security of the systems at the retail level, Rasmussen said. His No. 1 recommendation is increased information sharing and collaboration with law enforcement.

Retailers also need to be mindful of specific risks, Rasmussen said, including:

  • Insider Threats. Have employees knowingly exposed or stolen cardholder or account information, or are employees vulnerable to socially engineered schemes, such as phishing?
  • Systems Vulnerabilities. Can your system be remotely accessed? And have default passwords and logins been updated and changed?

And some additional steps to mitigate risks include:

  • Involve Law Enforcement. Investigators can install sniffers to monitor incoming and outgoing traffic, as well as images, to identify malware and the destinations to which stolen data is sent.
  • Outsource Forensics. Merchants should hire third-party forensics firms to evaluate their networks and systems, and then provide information to the Secret Service when breaches are discovered.
  • Update Risk Assessments. Ongoing and regular risk assessments ensure new vulnerabilities and risks don't go undetected.
  • Improve Education. Employees and customers need to know what the latest threats are and how to mitigate their risks.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.