Posted by Phil Neray in PCI, Retail, Security Intelligence

There was an interesting story last week about four Romanian nationals that were charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers.  According to the Federal indictment (pdf), the hackers compromised the credit card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases.

No details yet on how the cybercriminals gained access to the retail point-of-sale (POS) systems on which they installed sniffers in order to steal credit card information, but this story sounds a lot like the Dave & Buster’s hack which occurred in March 2008.  In that case, Maksym Yastremkiy (“Maksik”) and Aleksandr Suvorov (“JonnyHell”) — Ukrainian colleagues of Albert Gonzalez, who hacked Heartland and TJX in the infamous operation he called “Get Rich or Die Tryin” — used social engineering as well as administrative passwords stolen from a POS service provider to steal approximately 5,000 credit and debit cards from Dave & Buster’s. (Maksik is now serving a 30-year sentence in a Turkish prison for hacking into 12 Turkish banks).

There is also similarity with a 2009 POS hack in which cybercriminals used a commercial remote access program to steal credit card information from POS systems.  A POS service provider installed the pcAnywhere program on store POS systems to allow its technicians to fix technical problems remotely — except they used the same username and password for all of the POS systems in various retail chains (according to Wired, the default login was “administrator” and the password was “computer”)!

According to the 2010 Data Breach Investigations Report, stolen and/or weak credentials are the number one hacking type.  The report states that “Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS alerts or be noticed by other detection mechanisms.”  And in the 2011 Data Breach Investigations Report, exploitation of default or guessable credentials is #2 in the “Hacking” category.

The point?  All of these examples highlight a weakness in traditional, credential-based POS security, emphasizing the need for retailers to adopt continuous monitoring, combined with security intelligence, to immediately identify unauthorized or suspicious activity — such as unknown files being uploaded from POS devices to unknown servers (in this case, the files contained stolen credit card numbers, and the servers belonged to the cybercriminals).  Relying on credentials alone is simply not sufficient anymore.

Learn more about how Q1 Labs is helping retailers protect sensitive information — and pass their compliance audits faster and with less effort — by leveraging Security Intelligence, in this data sheet.

PS: This heist also points to the global nature of cybercrime — and the reason why you need centralized, automated, enterprise-scale technology to monitor and correlate security events across multiple devices, systems and geographies.  Operating from Romania, the hackers targeted multiple individual stores in Plaistow, NH, East Northport, NY, Ocala, FL, Fairborn, OH, and Tulare, CA.  They exfiltrated the stolen information to a compromised server belonging to a small business owner in Mechanicsburg, PA, created phony credit cards from a rented house in Belgium, and then used the phony cards to make purchases in France.