Massive Subway Cyber Attack Ripped Into Weak Remote Access, Unencrypted Card Swipes

Written by Evan Schuman
December 15th, 2011

The latest major retail data breach, involving 150 Subway locations and more than 50 other retailers, payment-card data from more than 80,000 shoppers and more than $3 million in bogus, but completed, transactions, differs from its predecessors for several reasons. Most notably, it appears to be the first major breach that was initially detected by a chain’s own IT team.

An indictment unsealed on December 7 charged a group of four Romanians with attacking the chains, using brute-force attacks to guess passwords. The attacks succeeded, though, because of two weaknesses: unsecured remote-access packages, of various kinds, installed by Subway franchisees, which exposed POS systems directly to the Internet; and card swipes that applied minimal or no encryption to the track data they read. That meant keystroke-capture software installed by the cyberthieves was able to grab card data in the clear, as it was being swiped.
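To make concrete what "data in the clear" means here: an unencrypted keyboard-wedge magstripe reader delivers the card's ISO/IEC 7813 track data to the POS as ordinary keystrokes, so a keylogger on that machine captures the full PAN, cardholder name, expiry and service code with no further work. The parser below is an added example written for this article, not code from the investigation or from Subway; the swipe string is constructed from the well-known 4111 1111 1111 1111 test PAN and a made-up cardholder, and the track layouts follow the public ISO 7813 format.

```python
"""What a keylogger on the POS sees from an unencrypted keyboard-wedge reader.

Added example, not code from the article or from Subway. TEST_SWIPE is a
constructed swipe (test PAN 4111111111111111, fictitious cardholder DOE/JOHN)
laid out per ISO/IEC 7813: track 1 (% ... ?) then track 2 (; ... ?).
"""
import re

# Constructed: the two tracks exactly as a keyboard-wedge reader "types" them.
TEST_SWIPE = ("%B4111111111111111^DOE/JOHN^2512101000000000000?"
              ";4111111111111111=25121010000000000000?")

# Track 1: start sentinel %, format code B, PAN, ^, name, ^, YYMM expiry,
# 3-digit service code, discretionary data, end sentinel ?.
TRACK1 = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
# Track 2: start sentinel ;, PAN, =, YYMM expiry, service code, discretionary, ?.
TRACK2 = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_swipe(keystrokes: str) -> dict:
    """Recover the fields a keylogger would harvest from one captured swipe.

    Returns {} when the keystrokes do not contain a sentinel-framed track,
    which is how a capture tool separates card data from ordinary typing.
    """
    out = {}
    m1 = TRACK1.search(keystrokes)
    if m1:
        out["track1"] = m1.groupdict()
    m2 = TRACK2.search(keystrokes)
    if m2:
        out["track2"] = m2.groupdict()
    return out


def mask_pan(pan: str) -> str:
    """First six and last four, as PCI DSS permits a merchant to store or log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    fields = parse_swipe(TEST_SWIPE)
    t2 = fields["track2"]
    print("track 2 PAN in the clear:", t2["pan"], "luhn ok:", luhn_ok(t2["pan"]))
    print("cardholder:", fields["track1"]["name"], "expiry YYMM:", t2["exp"])
    print("what the POS should ever log:", mask_pan(t2["pan"]))
```

Everything `parse_swipe` returns is exactly what the attackers' capture software harvested per swipe, and track 2 alone is enough to clone a magstripe card. Point-to-point encryption moves the encryption into the reader head, so the POS, and any keylogger on it, receives only ciphertext plus a key identifier; that ciphertext format is vendor-specific and is not modeled here.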

The details of the attack, culled from federal filings and more than a half-dozen sources involved in the probe, outline a three-year series of assaults beginning in 2008 and not fully halted until May 2011. The accused, Adrian-Tiberiu Oprea, Iulian Dolan, Cezar Iulian Butu and Florin Radu, were described as running a low-tech operation seeking soft targets. And it seems they found such targets in Subway franchise locations. Subway has since revamped its POS security, deploying point-to-point encryption, which required replacing its card swipes with encrypting magstripe readers, among other changes.

The more than 50 other retailers involved were not identified, but one official involved in the probe said they were mostly “smaller mom-and-pop choices” and a small regional chain with 20 to 30 stores and perhaps one slightly larger chain, which had “no more than two stores” attacked.

How the attack was discovered is an interesting side note to the case. With most of the major retail data breaches that have been prosecuted recently (including TJX, Hannaford, 7-Eleven, Wet Seal, JCPenney, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21 and Dave & Buster’s), it has typically been a card brand detecting fraud and tracing it to a common point of purchase, or the Secret Service learning of a breach (perhaps through wiretaps or intercepted messages) while investigating some other breach. The closest to a retailer discovering its own breach was Target, which detected the breach after it happened, but that was long after the probe was under way with other victims of the same attackers (the Albert Gonzalez gang).

In this case, it seems frauds detected by a card issuer and a breach detected by Subway IT happened almost simultaneously. The issuer detected some frauds in New Hampshire and contacted law enforcement to try to figure out what was happening. That probe had just started when Subway detected its breach and reported it to the government.

Subway’s IT group “found it independently,” said one official involved in the probe.

Oddly enough, a Subway statement said law enforcement had first discovered the breach, a position disputed by multiple sources involved in the probe. “Upon learning about this (federal) investigation, we immediately took steps to improve our point-of-sale systems in the stores to make our customer transactions even more secure,” said the Subway statement. Subway declined to explain the apparent contradiction.

Note: Almost no one involved in the probe from various federal agencies—including the U.S. Justice Department, the U.S. Attorney’s Office in New Hampshire or the U.S. Secret Service’s field office in Boston—or any of the many victims was willing to discuss the case for attribution.

The remote access software was put in place by various franchisees, apparently not following Subway guidelines. “It created an open door. The franchisees did this on their own,” said one official.
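The indictment's description, password guessing against remote-access services that franchisees had exposed to the Internet, is a pattern a store's own logs can surface: a burst of failed logins from one source, followed by a success. The detector below is an added example written for this article, not code from Subway or from any remote-access product; the log lines are constructed in a generic "timestamp event source-IP user" layout, not any vendor's real format, and the threshold and window are illustrative.

```python
"""Flag password guessing against a remote-access service, and the success
that follows it, from authentication log lines.

Added example, not code from the article or from Subway. SAMPLE_LOG is
constructed in a generic layout (ISO-8601 timestamp, event, source IP, user);
real remote-access products each log differently, so parse_line is the part
to adapt.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: six rapid failures then a success from one address
# (the guessing pattern), and a single typo-then-success from another (benign).
SAMPLE_LOG = """\
2011-03-02T01:14:05 LOGIN_FAIL 203.0.113.7 pos
2011-03-02T01:14:06 LOGIN_FAIL 203.0.113.7 pos
2011-03-02T01:14:07 LOGIN_FAIL 203.0.113.7 pos
2011-03-02T01:14:08 LOGIN_FAIL 203.0.113.7 admin
2011-03-02T01:14:09 LOGIN_FAIL 203.0.113.7 admin
2011-03-02T01:14:10 LOGIN_FAIL 203.0.113.7 admin
2011-03-02T01:14:11 LOGIN_OK 203.0.113.7 admin
2011-03-02T08:02:33 LOGIN_FAIL 198.51.100.4 manager
2011-03-02T08:03:10 LOGIN_OK 198.51.100.4 manager
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, event, src_ip, user)."""
    ts, event, ip, user = line.split()
    return datetime.fromisoformat(ts), event, ip, user


def detect_guessing(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return a list of (kind, src_ip, user, timestamp) alerts.

    'BRUTE_FORCE' fires once per source IP when it accumulates `threshold`
    failures inside a sliding window of `window_seconds`.
    'SUCCESS_AFTER_GUESSING' fires when a login succeeds from a source that is
    in, or has been in, such a burst: the account should be treated as
    compromised, not merely attacked.
    """
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    flagged = set()               # sources that have already tripped the threshold
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, ip, user = parse_line(raw)
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures that fell out of the window
        if event == "LOGIN_FAIL":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, user, ts))
        elif event == "LOGIN_OK":
            if ip in flagged or len(q) >= threshold:
                alerts.append(("SUCCESS_AFTER_GUESSING", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_guessing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<24} src={ip} user={user}")
```

The benign case (one failure, then a success from 198.51.100.4) produces nothing, which is the point of the window and threshold. The detector does not stop the attack; the page's own lesson is that the remote-access service should not have been reachable from the Internet with a guessable password in the first place, and detection is the compensating control for when it is.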
