George L. Koroneos
Vertical Systems Reseller
Romanian Hackers Guilty in Huge U.S. Credit Card Theft
A pair of Romanian hackers will serve lengthy prison terms for their part in a global point-of-sale hacking scheme that netted them approximately 146,000 credit cards with losses exceeding $10 million.
Iulian Dolan and Cezar Butu pleaded guilty to a litany of charges, including conspiracy to commit computer fraud and conspiracy to commit access device fraud. Dolan was sentenced to seven years in prison, while Butu (who only pleaded guilty to a lesser charge) will serve 21 months. A third co-conspirator, Adrian-Tiberiu Oprea, is currently awaiting trial in the U.S.
The official judgment offers a wealth of insight for POS VARs and solution providers about how the hackers pulled off this international crime and what VARs can do to help their clients secure their systems.
“Dolan admitted that he, along with Oprea, remotely hacked into U.S. merchants’ ‘point-of-sale’ (POS) or ‘check out’ computer systems, where customers’ payment card data was electronically stored,” court documents revealed. “Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called ‘keystroke loggers’ (or ‘sniffers’) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data.”
The hackers illegally broke into POS systems belonging to several hundred U.S. businesses (mostly Subway restaurants) and repeatedly returned to the “scene of the crime” to steal additional payment card information. Stolen credit card data was then moved to electronic storage “dumps” where Oprea, allegedly, used the information to purchase goods and attempted to sell the information to other co-conspirators.
The big takeaway for POS VARs is the danger of using remote access software with weak passwords.
“The Subway case is a clear indication that privileged and administrative accounts are increasingly targeted and used by criminals to steal sensitive information,” said Adam Bosnian, vice president of products, strategy and sales at Cyber-Ark Software. “In this case, the attackers were able to simply do an Internet search for remote desktop applications that were used by the restaurants, and through simple password cracking techniques, they were able to gain administrative access to the systems. This enabled them to easily steal sensitive financial information from unsuspecting customers.”
While few security systems are bulletproof, POS VARs are encouraged to bundle antivirus services that can detect keystroke loggers into a POS solution and to educate clients about the need to create stronger passwords and change them regularly. Sadly, POS VARs, dealers and integrators could be found liable if payment card fraud occurs on their POS systems.