This story is over 5 years old.

How Romanian Hackers Stole $10 Million From Subway Customers

Two Romanian hackers have fessed up to their involvement in a three-year-long credit card conspiracy that targeted over 150 Subway sandwich shops and as many as 146,000 of their unsuspecting customers. From 2008 to 2010, Iulian Dolan and Cezar Iulian Butu worked with two other Romanian nationals to break into the point of sale (POS) systems of Subway franchises and at least 50 other small retailers. At the end of the day, the hackers netted $10 million from the heist, and they never even had to leave their living rooms.

It was actually a pretty straightforward hack. Under the instructions of the gang’s ringleader, Adrian-Tiberiu Oprea, Dolan and company identified a vulnerability in Subway’s POS system. Court documents didn’t name the company responsible, but all signs point to Georgia-based Radiant Systems, maker of the Aloha POS system. Apparently, when they bought the software from Computer World, the retailer installed a remote-access program called PCAnywhere that would allow technicians to log in to the system off-site and fix any problems. The problem with that plan, however, was that Computer World’s technicians didn’t do a very good job securing the system. According to a Wired report, the default login for the system was “administrator” and the password was “computer.”

Needless to say, access to Subway’s payment system was low-hanging fruit. Once Dolan and the other hackers cracked the password, they installed keystroke loggers to record all of the data input into the computers, including the payment information of customers. Then they just sat back and collected credit card numbers, which they transferred to dump sites where they could leech funds from the accounts. They also installed a backdoor that would allow them to install more malware and prevent the system from installing automatic security updates. They even used some of the data to print fake credit cards using blank plastic cards and an embossing machine. “This is the crime of the future,” Dave Marcus, director of security research and communications at McAfee Labs, told Ars Technica (http://arstechnica.com/business/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security/). All the thieves had to do to steal from these small businesses was “root them from across the planet, and steal digitally.”

Dolan and Butu negotiated lenient sentences with authorities in New Hampshire, where the two were arrested, in exchange for information about the other hackers. Oprea is also in custody there and awaiting trial. Subway is still making sandwiches.
