Payment Card Industry data-security standards continue to fail merchants in their most vulnerable hour, as one restaurant chain might have prevented a credit card fraud scheme if it equipped its payments systems better to address third-party intrusions, a security expert contends.
Federal authorities have snuffed out a colossal fraud scheme that involved four Romanian nationals who allegedly stole credit, debit and gift card data from more than 200 point-of-sale systems nationwide.
The criminals allegedly remotely hacked the systems, which included 150 located in Subway restaurants, and used the data to create counterfeit cards they used to spend millions on unauthorized goods, according to the indictment filed in the U.S. District Court of New Hampshire.
Authorities arrested three of the defendants, and the other remains at large.
The hackers allegedly used various methods to obtain card information from some 80,000 consumers.
The U.S. Attorney’s office in New Hampshire alleges the men scanned the Internet to find vulnerable POS systems with certain remote desktop software applications installed on them, according to the indictment. The hackers allegedly hacked into the apps and logged on to systems over the Internet either by guessing the passwords or by using password-cracking software.
Once in the systems, the hackers allegedly installed software called keystroke loggers into the POS systems, which would record and store data keyed into or swiped through the merchants’ POS systems.
The criminals also allegedly installed a computer virus that enabled continued access to the compromised systems to install or reinstall hacker programs.
After the hackers collected payment information, they allegedly stored it on several “dump sites” and then transferred the data to computers they controlled overseas.
The suspects allegedly used the information to create fake credit cards and make purchases at merchant locations, mostly in Europe, the indictment says.
Authorities charged Adrian-Tiberiu Oprea, 27; Iulian Dolan, 27; Cezar Iulian Butu, 26; and Florin Radu, 23, with conspiracy to commit computer fraud, wire fraud and access-device fraud. Radu is still at large.
They face a maximum of five years in prison for each count of conspiracy to commit computer-related fraud, 30 years for each count of conspiracy to commit wire fraud and five years for each count of conspiracy to commit access-device fraud.
The hackers’ alleged methods are not new, notes Avivah Litan, vice president security analyst at Gartner Group. “It’s been going on for a couple of years now, where the bad guys get system administration access and figure out how services work from different vendors and learn which merchants buy those systems,” she says.
PCI standards are based on previous attacks and not on what is happening at the moment, Litan notes. “Merchants need more fraud- and breach-prevention systems,” Litan says. “The PCI standards are not enough.”
What do you think about this? Send us your feedback.
