Four Romanian nationals were charged with pocketing millions of dollars by hacking into the credit card processing systems of more than 200 businesses. The men remotely accessed point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers and stealing credit card data for more than 80,000 customers, according to a …
So their POS...
really is POS??
(And I get credit for another fitting yet unlooked-for application of the Sherlock Holmes icon!)
2 Factor Authentication
Seeing as my email uses 2FA, and all my bank cards use chip+pin, why is it OK to store hundreds of card details on the open internet behind guessable and brute forceable passwords?
Truth in Advertising
From the website of Toreex, who provided the point of sale software:
"Torex ‘liberates Point of Sale’: Launches browser based POS"
You can't make this stuff up....
POS from the Internet? Huh?
How on Earth can a point of sale computer be visible from the Internet and allow any kind of incoming connection? no NAT, no router with outgoing-only connections? do the IT folks at Subway have any common sense?
Yeah the IT people most likely do and the good ones have probably all left by now, it's the PHBs that insist on cutting the margins down to razor thin lines that buggers most things up!
I know the media like to push the word hacking wherever possible, but this is also the fault of the retailers or whoever supplied them with the POS equipment. They should never have had the ability to remotely log on to them, and the passwords should have been very strong.
I wonder if the US has a similar system to the PCI compliance we have here which is supposed to stop things like this happening.
It's called PCI.
Just because there are rules, doesn't mean people always follow them.
This might be a silly question, but why are the POS systems hooked up to the net, and how is it possible for the attackers to find them?
Wait, what credit card?
Subway only accepts cash, bro. At least, this is the case in Malaysia.
Paris, because of the question mark.
Evidence would suggest Subway Malaysia and the Subway USA are different in this regard, then.
FWIW, I pay with debit and credit at Subway here in Eurotopia.
150 subway stores
What's the chances that Subway used one password for ALL of their POS machines?
What's the chance that it's: "Subway123".......
Hack and go to prison. A very simple concept.
Plenty of guilt to go round, here
How on earth did these devices end up publically accessible, with default or brute forceable passwords? Sure, string up the guys who took advantage of this loophole but the people responsible for exposing their customer's credit cards in this fashion need to be taught a serious lesson.
It also shows that CnP security isn't a magic bullet. I wonder when the banks and credit card companies will wake up to this fact.
"The men allegedly scanned the internet to identify POS terminals that used certain remote desktop software applications and then gained unauthorized access to them by guessing or brute forcing passwords."
Whoever nus the IT department needs to be fired. Those devices have no need for Internet access and if they must be accessed remote, you make sure the whole Internet doesn't have access. A VPN should have been used. The head of the IT department should be equally liable in this case. If the equipment was properly secured this would never have happened.
And that's what you get
when you have tills running (I'm guessing here) Windows. What's wrong with a till that is just a till and cannot, with any amount of even physical access, be anything more?
Incompetence is platform independent.
These will be plug-and-play type systems, I've no doubt. They could be powered by the screaming souls of the damned for all the Subway franchisees know, or care.
But do let us know what magic other operating systems use to prevent the use of default passwords?
Why the hell are these pos terminal sitting on the Internet with inferior defences.
Presumably subway had an in house solution that was weaker than most.
Anyone who manufactured one of these pieces of crap should be open to class action suits.
Isnt it amusing
That in USA and the UK, it's always the foreign nationals who they let in so easily that go on to commit this type of fraud?
That's right! Our own home-grown criminals are just not trying hard enough as far as I'm concerned.
Maybe we should retrain all those old-school bank robbers that are doing a long stretch, give them some IT skills - that'll show them pesky foreigners how to properly rob you blind!
It's also amusing that racist pricks like you can't write software, so you need foreigners
to write it for you. A lot of times it's foreign nationals who write the good software, because most americans and englishmen won't even bother to study computer science.
Now go patrol that border fence to keep 'Murrica safe from them Mexicans, ok Governor Perry ? Or is this Senator McCain ?
Did you read the Wired article?
To quote, "Oprea was arrested last week in Romania and is in custody there. Dolan and Butu were arrested upon entering the U.S. last August. Radu remains at large."
Dunno about the 'let in so easily' as they appeared to have been out of the country at the time the crime was committed. But lets not let these tedious so-called 'facts' get in the way of a good rant about immigration.
POS systems on the internet and only protected by a guessable password? Real smart guys.
"by guessing or brute forcing passwords"
They can't have been particularly strong passwords then... Some sort of preset password which worked in all 150 shops maybe? Embarrassing.
Sounds just like something out of "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground" by Kevin Poulsen - companies using cheap SIs to install systems with no thought to security.
Would you like...
... and extra credit card charge with that, sir?
These Subways stores are independently owned and are responsible for providing their own Internet. The software they use is not up to them,. The last time I set up DSL service for subway I had to set up static IPs. Oh and just for food for thought you have a major insurance company in the US that makes each office provided their on net access with no VPN. It requires a static public IP. Since you need a password to access their software it's consider secure .
It really is the fault of the US
.. in not implementing chip and pin into their terminals and cards. If the same thing had happened in the UK, the chip based transaction data would not have allowed the cloning of the magstripe or the chip and the details would have been pretty much worthless.
Yes its culpable that the merchant manufacturer/merchant left a terminal open to the world with potentially lucrative information on it, but it hides the bigger problem of the insecurity of magstripe transactions/cards and the ease with which they are cloned.
My own chip card denies fall back to mgstripe and I am grateful for it.
You keep thinking that .....
...... while I will continue to think chip+pin was only introduced to push the blame further onto the card holder.
The terminals were comprimised, and chip+pin does not encrypt at point of entry, just at transmission so if they are on the POS they have your pin. In fact knowing the slack standards banks have I doubt any of the info is encrypted at point.
So how does it work with some old cash machines then?
I think mine requires both; I recently had a card whose magstripe died. Cash machines would let me view my balance (whilst continually re-reading my card) but refused to let me get any cash out.
Subway is not a single company - it's a franchise
So I suspect there is no single IT firm overseeing their infrastructure. It's more likely a 'Subway MegaCorp suggest you buy this kit for your local Subway shop', and the shop owner then does as they are told and buys it and puts in in as default - straight onto the web with default settings.
@ "it's a franchise."
Would you like to restate this before it becomes a source of innocent merriment?
Perhaps the password...
was one of their items for sale - could even be the sub named after the only surviving kamikaze pilot.
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market