How hackers gave Subway a $3 million lesson in point-of-sale security

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

By Sean Gallagher
Ars Technica
December 21, 2011

For thousands of customers of Subway restaurants around the US over the 
past few years, paying for their $5 footlong sub was a ticket to having 
their credit card data stolen. In a scheme dating back at least to 2008, 
a band of Romanian hackers is alleged to have stolen payment card data 
from the point-of-sale (POS) systems of hundreds of small businesses, 
including more than 150 Subway restaurant franchises and at least 50 
other small retailers. And those retailers made it possible by 
practically leaving their cash drawers open to the Internet, letting the 
hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on 
December 8, the hackers are alleged to have gathered the credit and 
debit card data from over 80,000 victims.

"This is the crime of the future," said Dave Marcus, director of 
security research and communications at McAfee Labs in an interview with 
Ars. Instead of coming in with guns and robbing the till, he said, 
criminals can target small businesses, "root them from across the 
planet, and steal digitally."

The tools used in the crime are widely available on the Internet for 
anyone willing to take the risks, and small businesses' generally poor 
security practices and reliance on common, inexpensive software packages 
to run their operations makes them easy pickings for large-scale scams 
like this one, Marcus said.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn