Two men have been indicted on charges that they hacked into Subway POS systems, pilfering $40,000 in the process. That's 8,000 $5-foot-longs for those of you keeping count. The interesting part is in how they did it. One of the men charged, Shahin Abdollahi, actually ran the company that originally sold the POS systems to the Subway franchise. Those systems came preloaded with remote-access software. In responsible hands, remote-access tools are wonderful for troubleshooting or leveraging computers at various locations to perform a task when you aren't right in front of them. In this case however, the hands turned out to be not so responsible, and the task turned out to be creating bogus.gift cards, bringing a whole new meaning to the term "losing pounds with Subway" (£26,530 pounds by today's conversion rate).
What's the lesson? Don't buy POS systems with remote-access software pre-installed on them from shady vendors. The software that was used is completely legitimate. The problem is in how it was used. Further, it's hard to find a compelling reason to risk having remote-access software installed on a POS system to begin with.
The indictment is available in the article from venturebeat here.
Only seven months ago, Romanian hackers netted $10 million via different methods. In that case, they managed to install keyloggers on POS terminals, pilfering over 6,000 credit card numbers. POS systems in particular can often be weak points in many retail and foodservice industries, with a lot of them being antiquated and not very well maintained. Considering the importance of those computers and the information they contain, the necessity of a good anti-malware solution cannot be understated.
Webroot provides a very good solution for POS systems with Webroot SecureAnywhere Business Endpoint Protection. If you're running a franchise that could make use of it, please take a look at our free trial.
