Two Romanian hackers pleaded guilty to roles they played in the point-of-sale attacks that hit 100 Subway sandwich shops and other U.S. retailers. And details revealed in court expose common POS security vulnerabilities that remain a concern for smaller merchants and their banking institutions.
The breach, which remotely compromised Internet-connected POS devices and systems operated by numerous retailers, including Subway, compromised more than 146,000 cards and has been linked to more than $10 million in fraud losses.
Gray Taylor, executive director of the Petroleum Convenience Alliance For Technology Standards, says these types of POS attacks pose increasing concern to all players in the payments industry.
“This type of attack that affected Subway is exactly what everyone is worried about,” Taylor says. “You can be PCI compliant and have your devices PA-DSS [Payment Application Data Security Standard] approved. But if they leave networks open or default passwords in place, then they’re going to be breached.”
To help retailers address some of those common network vulnerabilities, PCATS, the Coalition of Associations for Retail Data Security and the National Restaurant Association are assisting smaller merchants with basic security steps – steps that address risk mitigation rather than security standard compliance, Taylor says.
“At PCATS, we have developed a list of eight points for POS security,” he says. “If Subway had these eight points, then it would not have been breached.”
The 8-Point Data Security Plan, as the NRA refers to it, aims to simplify POS security.
Liz Garner, director of commerce and entrepreneurship at the NRA, says the association is working with organizations like CARDS and PCATS to help restaurants look beyond Payment Card Industry Security standards.
“We’re trying to educate restaurateurs about security,” Garner says. “They just need a simple guide that provides the very basics. PCI is too complex.”
The Pleas and Attack
Iulian Dolan and Cezar Butu, both of Romania, pleaded guilty to charges brought against them by the Department of Justice in late 2011 for the roles they played in the Subway breach. Dolan pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit access device fraud and was sentenced to seven years in prison. Butu pleaded guilty only to conspiracy to commit access device fraud and was sentenced to 21 months.
Two others, Adrian-Tiberiu Oprea and Florin Radu, also were indicted. Oprea is in U.S. custody and awaiting trial in New Hampshire. Radu remains at large.
In the plea, Dolan told the court he and Oprea remotely hacked POS systems where payment card data was electronically stored. Dolan admitted to remotely scanning the Internet first to identify U.S.-based POS systems that were vulnerable because of certain remote desktop software applications. Dolan said he used those RDAs to log on to POS systems over the Internet.
Though many of the POS systems were password protected, Dolan cracked the passwords and, where necessary, gained administrative access. He then remotely installed keyloggers or sniffers to record and store all card data that was keyed in or swiped at the POS.
From there, Dolan said he retrieved payment card data from the compromised systems and transferred that data to various dump sites, where Oprea could access the data to attempt using the stolen card information for unauthorized charges or funds transfers from accounts.
Dolan admitted to stealing data belonging to approximately 6,000 cardholders. He also said he received approximately $5,000-$7,500 in cash and personal property from Oprea for his efforts.
Butu, in his plea, said Oprea provided him with access to the dump site where the stolen card data was stored. Butu also admitted to attempting to use stolen card data for unauthorized charges or funds transfers, as well as sale or transfer to co-conspirators. Butu said he acquired stolen card data belonging to approximately 140 cardholders.
Taylor of PCATS says the Subway case highlights an alarming trend.
“It’s basically backdoor jiggling – using bots to scan the web, looking for door knobs to jiggle,” Taylor says. “That’s basically how they got into Subway, and it’s happening everywhere today. Anyone, retailers included, that’s connected to the Internet has the same vulnerabilities.”
And merchants that use popular POS systems are prime targets, he adds. “Why is Windows the most targeted operating system? Because it dominates the market,” Taylor says. “The same is true of popular POS devices and systems. Once you’ve got the keys to that kingdom – to that popular point-of-sale device – then all they have to do is get in and install a keylogger.”
John South, chief security officer at Heartland Payment Systems, a payments processor, says numerous industry players are working together to address increases in remote POS attacks, like the one that hit Subway.
“There has been a greater level or protection afforded to merchants who adopt a technology that encrypts the card data before it can enter their POS system,” South says. “This concept of taking the data ‘out of play’ affords protection from compromising the data if the encryption keys are properly managed and not accessible at the merchant level for decryption. The idea here is that if the data cannot be decrypted at the merchant site, it is of little value to the attackers.”
Heartland is working with some of its merchant clients to replace outdated POS equipment and enhance endpoint security (see Heartland Takes Aim at POS Fraud ).
“In addition, the sharing of intelligence about attackers and their methodologies has assisted many companies in being more proactive in their defenses,” South adds.
Taylor says ensuring that kind of information sharing is more important for smaller merchants than PCI compliance. PCI, though designed to protect card data, has proven too complicated for small merchants to understand, hr sffd.
The the 8-Point Data Security Plan, developed by PCATS and released in February, touches on common threats facing Level 4 merchants – which Visa defines as those processing fewer than 1 million transactions per year. Weak remote access portals and common or default account names and passwords are typical among this group, Gray says.
In its eight-point list, PCATS recommends smaller merchants address basic security features such as firewalls and two-factor authentication for remote access to POS devices and systems. Changing factory default passwords and setting up unique user accounts for network access also is recommended.
“The whole idea is that if we can dumb it down and keep it simple, then we’ve got a program we’re willing to push out there our retailers,” Taylor says. “We know it is something they can easily implement and understand.”