So their POS...
really is POS??
(And I get credit for another fitting yet unlooked-for application of the Sherlock Holmes icon!)
Four Romanian nationals were charged with pocketing millions of dollars by hacking into the credit card processing systems of more than 200 businesses. The men remotely accessed point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers and stole credit card data for more than 80,000 customers, according to …
I know the media like to push the word hacking wherever possible, but this is also the fault of the retailers or whoever supplied them with the POS equipment. They should never have had the ability to remotely log on to them, and the passwords should have been very strong.
I wonder if the US has a similar system to the PCI compliance we have here which is supposed to stop things like this happening.
How on earth did these devices end up publicly accessible, with default or brute-forceable passwords? Sure, string up the guys who took advantage of this loophole, but the people responsible for exposing their customers' credit cards in this fashion need to be taught a serious lesson.
It also shows that CnP security isn't a magic bullet. I wonder when the banks and credit card companies will wake up to this fact.
"The men allegedly scanned the internet to identify POS terminals that used certain remote desktop software applications and then gained unauthorized access to them by guessing or brute forcing passwords."
Whoever runs the IT department needs to be fired. Those devices have no need for Internet access, and if they must be accessed remotely, you make sure the whole Internet doesn't have access. A VPN should have been used. The head of the IT department should be equally liable in this case. If the equipment had been properly secured this would never have happened.
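The quoted method (scanning for remote desktop software and then guessing or brute-forcing passwords) leaves a clear trace in the terminal's own login records, and a franchisee or the company supplying the kit could have caught it. The script below is an added example and is not from the article or any commenter. It assumes a constructed login-log format of `<ISO timestamp> <OK|FAIL> user=<name> src=<ip>` (the sample lines are made up, not real device output) and flags any source address that produces a burst of failures within a short window, marking the high-signal case where a success follows that burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records (not from the article or any real POS device).
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2011-12-01T02:14:01 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:02 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:03 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:04 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:05 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:06 FAIL user=admin src=203.0.113.7
2011-12-01T02:14:07 OK user=admin src=203.0.113.7
2011-12-01T09:30:00 FAIL user=manager src=198.51.100.5
2011-12-01T09:30:40 OK user=manager src=198.51.100.5
2011-12-01T11:00:00 OK user=manager src=192.168.1.20
"""


def parse_line(line):
    """Split one record of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources with >= threshold failed logins
    inside a sliding window.  An alert records the largest failure burst
    seen, the usernames tried, and whether a successful login from the
    same source followed the burst while failures were still in the window
    (the pattern a defender most wants paged about)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}
    for e in events:
        q = recent_fails[e["src"]]
        # Drop failures that have aged out of the window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= threshold:
                a = alerts.setdefault(
                    e["src"],
                    {"src": e["src"], "failures": 0, "users": set(),
                     "success_after": False},
                )
                a["failures"] = max(a["failures"], len(q))
                a["users"].add(e["user"])
        elif e["src"] in alerts and q:
            # A success from a source that just produced a burst of failures.
            alerts[e["src"]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        tag = "SUCCESS AFTER BURST" if a["success_after"] else "failures only"
        print(f"{src}: {a['failures']} failures, users={sorted(a['users'])}, {tag}")
```

A single failed login from a branch-office address (198.51.100.5 above) is ignored; only the source that hammered the `admin` account and then got in is reported. The same logic applies unchanged to any remote-access service once its log format is mapped onto the three fields used here.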
These will be plug-and-play type systems, I've no doubt. They could be powered by the screaming souls of the damned for all the Subway franchisees know, or care.
But do let us know what magic other operating systems use to prevent the use of default passwords?
to write it for you. A lot of times it's foreign nationals who write the good software, because most Americans and Englishmen won't even bother to study computer science.
Now go patrol that border fence to keep 'Murrica safe from them Mexicans, OK Governor Perry? Or is this Senator McCain?
To quote, "Oprea was arrested last week in Romania and is in custody there. Dolan and Butu were arrested upon entering the U.S. last August. Radu remains at large."
Dunno about the 'let in so easily', as they appear to have been out of the country at the time the crime was committed. But let's not let these tedious so-called 'facts' get in the way of a good rant about immigration.
These Subway stores are independently owned and are responsible for providing their own Internet. The software they use is not up to them. The last time I set up DSL service for Subway I had to set up static IPs. Oh, and just for food for thought, you have a major insurance company in the US that makes each office provide its own net access with no VPN. It requires a static public IP. Since you need a password to access their software it's considered secure.
.. in not implementing chip and pin into their terminals and cards. If the same thing had happened in the UK, the chip based transaction data would not have allowed the cloning of the magstripe or the chip and the details would have been pretty much worthless.
Yes its culpable that the merchant manufacturer/merchant left a terminal open to the world with potentially lucrative information on it, but it hides the bigger problem of the insecurity of magstripe transactions/cards and the ease with which they are cloned.
My own chip card denies fallback to magstripe and I am grateful for it.
...... while I will continue to think chip+pin was only introduced to push the blame further onto the card holder.
The terminals were compromised, and chip+PIN does not encrypt at point of entry, just at transmission, so if they are on the POS they have your PIN. In fact, knowing the slack standards banks have, I doubt any of the info is encrypted at that point.
So I suspect there is no single IT firm overseeing their infrastructure. It's more likely a 'Subway MegaCorp suggests you buy this kit for your local Subway shop', and the shop owner then does as they are told, buys it and puts it in as default - straight onto the web with default settings.