Subway’s $3 million lesson in point-of-sale security

December 24th, 2011 by Stephen Jones

In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. The hackers are alleged to have gathered the credit and debit card data of over 80,000 victims and to have run up over $3 million in fraudulent charges.

Small businesses’ poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems, something the applications used by these retailers clearly didn’t have.

In the case of Subway restaurants, those requirements were provided to franchisees, but it seems that some of the franchisees “directly and blatantly disregarded Subway’s security and POS configuration standards.”

The basics also apply here. Limit remote access, patch your software, and above all, don’t allow any default or extremely easy passwords.

