500K Credit Cards Stolen in Australian Point-of-Sale Hack


Police in Australia are investigating a breach of half a million credit card numbers that reports say was conducted by the same gang that struck the Subway restaurant chain in the United States.

The intrusion occurred at an unidentified merchant in Australia and is being blamed on Eastern European hackers who installed keystroke-logging software on point-of-sale (POS) terminals and siphoned card data from the terminals remotely, according to SC Magazine.

The company’s network used default passwords and stored unsecured transactional data. The gang allegedly used an unsecured Microsoft Remote Desktop Protocol (RDP) connection to transmit the data.

“The network was set up by some local suppliers who didn’t understand IT security,” Det. Sup. Marden told the magazine. “It was a disaster waiting to happen.”

The hackers are believed to be members of the same Romanian group that was responsible for hacking 150 Subway sandwich shops and other unnamed retailers in the U.S.

Last December, four Romanian nationals – Adrian-Tiberiu Oprea, 27; Iulian Dolan, 27; Cezar Iulian Butu, 26; and Florin Radu, 23 – were charged in the District of New Hampshire with four counts related to those hacks, including conspiracy to commit computer fraud, wire fraud and access device fraud. The indictment also referred to two unindicted co-conspirators who used the online nicknames “tonymontanamiami” and “marcos_grande69.”

Few details have been released about the hack in Australia, but in the Subway case, the hackers compromised the credit-card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases, according to authorities.

From 2008 until May 2011, they allegedly breached more than 200 POS systems in order to install a keystroke logger and other sniffing software that would steal customer credit, debit and gift-card numbers. They also placed backdoors on the systems to provide ongoing access.

POS systems generally consist of a card scanner at a checkout register where customers scan their cards and type in a PIN or provide a signature, as well as a computer system for transferring the data to a card processor for verification and approval.

The indictment didn’t identify the POS system used by Subway, nor does the news from Australia indicate the brand of terminal attacked in that breach, but Subway announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.

The Subway case shared similarities with what happened to seven U.S. restaurants that sued the maker of a POS in 2009 for failing to secure the product from a Romanian hacker who breached their systems.