As many as 80,000 customers who used a credit or debit card to buy a Subway sandwich may have had their account information stolen by a ring of Eastern European crooks who tampered with the payment terminals in 150 different Subway locations. Subway’s signature item might be its $5 footlong sub, but these crooks were after a much bigger bite. These thieves made a total of $3 million in fraudulent transactions with the ill-gotten numbers. The worst part? This was going on for three years before law enforcement caught up with them.
A trade group called the PCI Security Standards Council makes rules for businesses to follow in order to prevent this kind of crime. But mall retailers — like the Subway franchisees whose stores were targeted — aren’t monitored with the same vigilance as bigger companies that store customers’ credit card data.
According to a retail technology expert interviewed by Ars Technica, an IT news website, some Subway franchise owners didn’t follow the rules for securing their payment systems — probably in order to save a few bucks. “These people weren’t thinking about point of sale security — they were just thinking about making a sandwich,” he tells the website.
The crime ring was able, essentially, to pick a flimsy lock: it broke into the stores’ point-of-sale systems by guessing the passwords that protected them. From there, the crooks installed malware and trojan horses — software that recorded account information when a customer swiped a card, and that prevented the machines’ owners from upgrading their security.
More malicious software sent the stolen data to websites the cybercrooks had set up. With blank plastic and embossing machines, the criminals were able to create fake cards, which authorities say they used for things like gambling.
If this sounds like a huge security hole, it is. Ars Technica points out that some of the addresses to which the thieves were transmitting pilfered data had slang terms, curse words and vulgarities. “[I]f any sort of traffic logging was done on POS systems [this] would have certainly aroused the attention of a system administrator,” the site says.
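The traffic-logging point Ars Technica makes is easy to turn into a check. What follows is an added example written for this page, not code from the article, from Subway or from the PCI council: a small Python script that reads a constructed outbound-connection log from point-of-sale hosts and raises an alert for any destination that is not on an allowlist of the hosts a terminal is expected to talk to. Every hostname, the log format and the sample lines are made up for the illustration.

```python
"""Egress review for point-of-sale hosts: flag connections to destinations
outside the known payment-processor allowlist.  Added illustration for this
page, not code from the original article; all hostnames and log lines are
constructed."""
from collections import defaultdict
import re

# Constructed: the only destinations a POS terminal is expected to reach
# (a payment gateway and the vendor's update server, both hypothetical names).
EGRESS_ALLOWLIST = {
    "gateway.payment-processor.example",
    "updates.pos-vendor.example",
}

# Constructed sample of an outbound-connection log in a simple
# "timestamp src dst bytes_out" layout (hypothetical, not any vendor's format).
SAMPLE_LOG = """\
2011-03-01T10:02:11 pos-01 gateway.payment-processor.example 412
2011-03-01T10:02:15 pos-01 gateway.payment-processor.example 398
2011-03-01T10:03:02 pos-02 updates.pos-vendor.example 20480
2011-03-01T10:05:44 pos-01 dropsite-example.invalid 1536
2011-03-01T10:05:50 pos-02 dropsite-example.invalid 2048
2011-03-01T10:07:03 pos-01 dropsite-example.invalid 1792
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst.lower(), "bytes": int(nbytes)}


def review_egress(log_text, allowlist=EGRESS_ALLOWLIST):
    """Return {destination: {"hosts": set, "connections": n, "bytes": total}}
    for every destination that is not on the allowlist."""
    findings = defaultdict(lambda: {"hosts": set(), "connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] in allowlist:
            continue
        f = findings[rec["dst"]]
        f["hosts"].add(rec["src"])
        f["connections"] += 1
        f["bytes"] += rec["bytes"]
    return dict(findings)


def format_alerts(findings):
    """Render findings as one alert line per unexpected destination."""
    lines = []
    for dst, f in sorted(findings.items()):
        lines.append(
            f"ALERT unexpected egress to {dst}: {f['connections']} connections, "
            f"{f['bytes']} bytes from {', '.join(sorted(f['hosts']))}"
        )
    return lines


if __name__ == "__main__":
    for alert in format_alerts(review_egress(SAMPLE_LOG)):
        print(alert)
```

An allowlist works here because a card terminal has a very short list of legitimate correspondents; anything else, whatever its name, is worth a look by whoever administers the store’s systems.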