California duo charged with selling ready-to-hack Point-of-Sale systems to Subway branches

An alleged Point-of-Sale cybercrime duo from California were confronted with criminal charges late last week in Boston, Massachusetts.

The US Justice Department (DoJ) reported that the pair, Shahin Abdollahi, 46, and Jeffrey Thomas Wilkinson, 35, were charged with one count of conspiracy to commit computer intrusion and wire fraud, and with one count of wire fraud.

The indictment alleges that they:

  • Hacked into at least 13 Subway Point-of-Sale (PoS) systems.
  • Fraudulently added at least $40,000 in value to Subway gift cards.
  • Used some of the hooky gift cards to make purchases at Subway.
  • Sold other fraudulent cards on eBay and Craigslist.

What makes this a bit different from the usual “alleged crooks steal ‘digital money’ from retailer through hacking” story is how the pair are said to have pulled off the cyber-break-and-enter part of the attack.

Abdollahi and Wilkinson, claims the DoJ, ran a number of Subway franchises in Southern California between 2005 and 2008.

During this time, it looks as though they didn’t just make lots of sandwiches. They also learned enough about Subway operations to come up with a plan to make money out of the franchise on two fronts at the same time.

So they quit the sandwich supply business and started a business called POS Doctor, selling and installing point-of-sale systems into the Subway ecosystem.

Yep! You guessed it!

The POS Doctor systems came with a handy additional feature, at no extra charge: a preconfigured remote-access toolkit that allowed the crooks to connect in after hours.

They regularly added fraudulent credit onto Subway gift cards in at least 13 Subway outlets around the USA.

As mentioned above, they then spent some of the gift cards at Subway branches in California (they must have developed a taste for the product during their time as franchisees), and sold others of them on eBay and Craigslist.

Amusingly, it looks as though the alleged crooks went to the trouble of registering their fraudulent cards online with Subway, using email addresses from domains they owned themselves.

This precaution gave them the chance to reclaim unused funds if any of their bogus cards were lost or stolen.

Of course, this “dishonour amongst thieves” also ensured that the DoJ has been able to rack up additional evidence connecting the alleged perpetrators with the claimed criminal activities.

Hoist [*], if you don’t mind me saying so, by their own petards!

[*] Allegedly.