Four Romanian nationals have been arrested in connection with a multimillion-dollar scheme to remotely steal payment card data from the point-of-sale systems of more than 150 Subway restaurants and other U.S. businesses, according to the U.S. Department of Justice.
The indictment, unsealed on Wednesday, charges the four with conspiracy to commit computer fraud, wire fraud and access device fraud.
Charged in U.S. District Court for the District of New Hampshire were Adrian-Tiberiu Oprea, 27, of Constanta, Romania; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea.
Authorities last week arrested Oprea in Romania, where he is still in custody. Dolan and Butu were arrested when they entered the U.S. in August and are still in custody.
Radu is still at large. There are more conspirators, but authorities appear to only know the online names of two of the missing conspirators: tonymontanamiami and marcos_grande6.
The DOJ claims that the thieves got their hands on the credit, gift and debit card data of more than 80,000 customers.
A POS system typically consists of a computer, a monitor and a debit/credit card reader. Most also include an integrated credit card processing system, a signature capture device and a customer PIN pad for entering PINs.
Although the indictment doesn’t identify the POS system used by Subway, Wired’s Kim Zetter reports that the chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.
From roughly April 2008 until at least May 2011, the DOJ says, the suspects swiped credit card data from compromised Subway restaurant systems in New Hampshire, New York, California and elsewhere and used it to charge millions of dollars' worth of purchases.
According to the indictment, this is how they did it:
- They remotely scanned the Internet to identify vulnerable POS systems with certain remote desktop software applications installed. They then logged onto the targeted POS systems, either by guessing the passwords or with password-cracking software programs.
- The conspirators then installed keystroke loggers onto the POS systems to record and store data that was keyed into or swiped through the merchants’ POS systems, including credit card data.
- They then installed a back-door Trojan onto the POS systems so they could easily access the compromised systems in the future to install or re-install additional hacker tools. The indictment charges the four with repeatedly downloading one particular hacker tool designed to evade detection, “xp.exe,” from the “kitsite.info” dump site onto the victimized merchants’ POS terminals.
- The credit card data was then transferred back to dump sites—i.e., servers used for storage, some of which were located in Europe, some in the U.S.
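The two stages of that sequence a merchant could actually observe in its own logs are the burst of failed remote-desktop logons that ends in a success (password guessing) and a POS terminal opening an outbound FTP connection (data leaving for a dump site). The detection logic below is an added example, not from the indictment or any Subway system; the log lines, host names and the 203.0.113.x / 198.51.100.x addresses are constructed, and the record format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (key=value records). 4625/4624 are the Windows failed/
# successful logon event IDs; logon type 10 is RemoteInteractive (Remote Desktop).
SAMPLE_LOG = """\
2011-05-01T02:13:04 host=POS-07 event=4625 type=10 user=admin src=203.0.113.9
2011-05-01T02:13:06 host=POS-07 event=4625 type=10 user=admin src=203.0.113.9
2011-05-01T02:13:09 host=POS-07 event=4625 type=10 user=admin src=203.0.113.9
2011-05-01T02:13:11 host=POS-07 event=4625 type=10 user=admin src=203.0.113.9
2011-05-01T02:13:15 host=POS-07 event=4625 type=10 user=admin src=203.0.113.9
2011-05-01T02:13:20 host=POS-07 event=4624 type=10 user=admin src=203.0.113.9
2011-05-01T09:00:00 host=POS-07 event=4625 type=10 user=manager src=198.51.100.4
2011-05-01T02:31:40 host=POS-07 event=netconn proto=tcp dport=21 dst=ftp.kitsite.info
2011-05-01T02:32:00 host=POS-03 event=netconn proto=tcp dport=443 dst=payments.example.net
"""

def parse_log(text):
    """Parse each line into a dict; the leading timestamp becomes 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def rdp_guessing_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (host, src) pairs with >= threshold failed RDP logons inside a
    sliding `window`, and record whether a successful RDP logon followed."""
    fails = defaultdict(list)
    for e in events:
        if e.get("event") == "4625" and e.get("type") == "10":
            fails[(e["host"], e["src"])].append(e["ts"])
    alerts = []
    for key, times in fails.items():
        times.sort()
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            success = any(e.get("event") == "4624" and e.get("type") == "10"
                          and (e.get("host"), e.get("src")) == key
                          and e["ts"] >= times[0] for e in events)
            alerts.append({"host": key[0], "src": key[1],
                           "failures": len(times), "succeeded": success})
    return alerts

def outbound_ftp_alerts(events):
    """A POS terminal has no business talking FTP to the Internet."""
    return [(e["host"], e["dst"]) for e in events
            if e.get("event") == "netconn" and e.get("dport") == "21"]
```

The single failed logon from the second address stays below the threshold, which is the point of requiring a burst rather than alerting on every failure.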
Some of the colorfully named dump sites:
- ftp.shopings.info
- ftp.justfuckit.info
- ftp.cindarella.info
- ftp.kitsite.info
- ftp.tushtime.info
- ftp.canadasite.info
These dump sites also included compromised computers belonging to unsuspecting small business owners or individuals, including one owned by a small business in Pennsylvania, according to the indictment.
The ill-gotten gains were monetized in various ways: by charging and then reselling goods, by selling the credit card data to other crooks, or by encoding the data onto phony credit cards.
The defendants each face a maximum of five years in prison for each count of conspiracy to commit computer related fraud, 30 years for each count of conspiracy to commit wire fraud, and five years for each count of conspiracy to commit access device fraud. They could be looking at fines up to twice the amount for fraud loss and restitution, the DOJ said.
This pricey scam is proof positive of what Sophos’s John Stringer was talking about just today when he wrote about end-of-year security prediction lists: Gartner’s forecasting the financial impact of cybercrime to grow 10% per year through 2016, thanks to new vulnerabilities.
Here’s a fun factoid I found when I was researching POS security: The U.S. accounts for 47 percent of debit and credit card fraud despite only accounting for 27 percent of transactions, according to a recent report.
Here’s what the publisher of the report, as quoted by ATM Marketplace, had to say about why we in the States are so pickpocket-able:
"The U.S. has a disproportionate percentage of the global total losses for two reasons. U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don't want to alienate their cardholder," said David Robertson, publisher of The Nilson Report.
I don’t know if Subway had unpatched vulnerabilities on its POS systems or what. But whatever merchants have to do, yikes, please do it.
Hold the mayonnaise on that sandwich, Subway, and please do alienate us if it keeps cybercrime from skyrocketing.
thank you for the heads up!
You are most welcome indeed!
After shopping at one of the Luckys in Santa Clara that was compromised (and my friend lost $200 from her credit card to the hackers on that)…and then reading this (I shop at Subways all the time with my debit/credit card), I just now called my bank and got that card canceled with a new one issued. I also am now going to use good old fashioned checks and regular credit cards for the time being.
Personally I advise everyone to only use credit cards for purchases and be cautious with ATMs. You can't ever be sure with an ATM, but some are more suspicious than others. Credit cards provide protection, and even if they don't want to protect you when there is a dispute you can always refuse to pay while you work it out. With a debit card you could have all of your cash reserves stolen and have a tough time of things.
As an independent IT tech I work on POS systems from time to time, and they all suffer from the same problem, they are made to be almost impossible to update.
The most common units I work on run Windows XP SP1 without a single patch, no AV, and wide open to the world. The manufacturer recommends they be behind a firewall, etc., but in every case they are either behind a generic domestic router or directly connected to the internet.
The worst units are the ones with the touch screens: all they can display is their POS software, so to run updates etc. you have to attach a keyboard, mouse, and monitor, and most restaurants don't have the space to do this and, more importantly, they won't pay for this service. After all, the rep from the POS company told them it was unnecessary, so why should they do it!
Even bank ATMs run Windows XP. I found that by accident when, at a local BofA, the screen was out of alignment and the XP toolbar was visible, and yes, it worked! I was able to view the C drive of an ATM.
Sadly it has made me work in the cash world whenever possible.
Ian, thanks so much for weighing in on this. You describe exactly the kind of scenario I imagined was behind this: out of date operating systems and difficult to update POS systems. Is it really so cost-prohibitive to get these places on a safer OS, at the bare minimum?
What fine will the PCI folks levy against Subway for this?
What this story doesn't mention, that the indictment does, is that just 150 Subway stores were compromised. Subway currently has 35,000+ stores, so I think it's obvious that Subway caught this rather quickly.
The next time you're in a Subway, take notice of the device used to swipe credit cards. It's a device that encrypts credit card data as soon as the card is swiped and provides end-to-end encryption for your credit card information. Subway has deployed these card swipers in all of its U.S. stores. Additionally, Subway has required all stores to run security software that provides antivirus, antimalware and internet blocking on every computer connected to the internal network, including the point of sale system.
Personally, I think Subway should be commended for finding this out very quickly and taking proactive steps to protect customers' credit card data directly at the point of sale. The stores currently have one of the safest and most secure credit card processing solutions.