Point-of-Sale (POS) Fraud: How Hackers Strike – Again

I just read an article in Bank Information Security on how hackers gained access to corporate and consumer data in one attack. It feels like the movie “Ground Hog Day”. They reported that four Romanian suspects were indicted by the U.S. Department of Justice earlier this month for their alleged connection to a multimillion-dollar point-of-sale fraud scheme.

Investigators believe hundreds of U.S. merchants, including 150 Subway franchises, and more than 80,000 U.S. consumers were likely victims.

The defendants are accused of war-driving – a hacking method that involves remotely scanning for open or vulnerable Internet connections to POS systems. Once a weak system was detected, the four allegedly hacked internal computers and installed keylogging software onto the POS systems. In many cases, according to the indictment, they also installed Trojans, which allowed them ongoing access to the systems, giving them the ability to install and reinstall malware over time.

Between 2008 and May 2011, the perpetrators, are believed to have remotely hacked POS and checkout systems to steal credit, debit and prepaid card data. According to the charges, card data they compromised resulted in millions of dollars in unauthorized transactions.

The news is just one in a growing line of POS-related card fraud schemes. From the Michaels POS PIN pad swapping scam, which hit in May, to the Save Mart Supermarkets self-checkout breach announced in the last two weeks, merchant-level card security is garnering new attention.lick to Get Updates on the Latest Information Security News

McAfee consultant Robert Siciliano says coders, programmers and criminal hackers know how to access dedicated ports used for remote servicing: “ATMs, POS and just about everything connected to the Internet.”

Anyone with inside knowledge of payments can easily hack a POS system. “Then they simply use tools to crack a Windows remote desktop – defaults at port 3389 – program’s password, and they are in,” he says.