Subway Hit with POS Hack

  • 17 March 2013
  • 3 replies
  • 1551 views

Userlevel 7
  • Retired Webrooter
  • 1581 replies


 
Two men have been indicted on charges that they hacked into Subway POS systems, pilfering $40,000 in the process.  That's 8,000 $5-foot-longs for those of you keeping count.  The interesting part is in how they did it.  One of the men charged, Shahin Abdollahi, actually ran the company that originally sold the POS systems to the Subway franchise.  Those systems came preloaded with remote-access software.  In responsible hands, remote-access tools are wonderful for troubleshooting or leveraging computers at various locations to perform a task when you aren't right in front of them.  In this case however, the hands turned out to be not so responsible, and the task turned out to be creating bogus.gift cards, bringing a whole new meaning to the term "losing pounds with Subway" (£26,530 pounds by today's conversion rate).
 
What's the lesson?  Don't buy POS systems with remote-access software pre-installed on them from shady vendors.  The software that was used is completely legitimate.  The problem is in how it was used.  Further, it's hard to find a compelling reason to risk having remote-access software installed on a POS system to begin with.
 
The indictment is available in the article from venturebeat here.
 
Only seven months ago, Romanian hackers netted $10 million via different methods.  In that case, they managed to install keyloggers on POS terminals, pilfering over 6,000 credit card numbers.  POS systems in particular can often be weak points in many retail and foodservice industries, with a lot of them being antiquated and not very well maintained.  Considering the importance of those computers and the information they contain, the necessity of a good anti-malware solution cannot be understated.
 
Webroot provides a very good solution for POS systems with Webroot SecureAnywhere Business Endpoint Protection.  If you're running a franchise that could make use of it, please take a look at our free trial.

3 replies

Userlevel 7
Badge +54
Well it took a long time coming but here is the sentence.
 
Adam Greenberg, Reporter  November 25, 2014
 
http://media.scmagazine.com/images/2014/05/15/458110823_593516.jpg?format.jpg&zoom=1&quality=70&anchor=middlecenter&width=320&mode=pad
Most or all of the POS machines sold to Subway were loaded with a remote desktop application known as “LogMeIn.” "A California man was sentenced last week for remotely accessing point-of-sale (POS) machines that he sold to Subway restaurant franchises, and loading at least $40,000 onto.gift cards – which were later used or sold.
Shahin Abdollahi, who operated under the name Sean Holdt, was sentenced on Friday to 18 months in prison with two years supervised release, and also must pay $34,712 in restitution, according to a Department of Justice release.
Abdollahi pleaded guilty in May to one count of conspiracy to commit computer intrusion and wire fraud, and one count of wire fraud.
Abdollahi owned and operated Subway restaurant franchises in Southern California for roughly three years beginning in 2005, and during that time gained experience with Subway POS systems and.gift cards, according to an indictment filed in March 2013."
 
Full Article
Userlevel 7
OK, please forgive me, but SOMEONE has to say it.
 
In this case, the perpetrator was caught, and law enforcement can actually claim a success in taking a bite out of crime.  Well, a whole lot of bites in this case LOL!
 
 
Another way of looking at this is that $40,000 is a LOT OF BREAD.          :)
Userlevel 7
Badge +56
@ wrote:
OK, please forgive me, but SOMEONE has to say it.
 
In this case, the perpetrator was caught, and law enforcement can actually claim a success in taking a bite out of crime.  Well, a whole lot of bites in this case LOL!
 
 
Another way of looking at this is that $40,000 is a LOT OF BREAD.          :)
Or allot of Dough! ROFL
 
Daniel 😃

Reply