One thing I really enjoy about computer security is learning from other people's mistakes.
While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.
“With PCI compliance, those apps shouldn’t be on those systems,” said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But small retailers who don’t store credit card data are not required to have the same level of auditing as larger companies, Fellmann said.
It’s hard to believe a corporation as large as Subway put so little effort into PCI compliance, but this could easily have been caught with an external scan, log monitoring, in-scope review, system change monitoring, malware scanning, and similar routine controls.
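To make the "log monitoring" point concrete, here is an added example (mine, not from the original post or the Ars article) of the kind of check a franchise operator could run over remote-access authentication logs from a POS host. The log format, hostnames, addresses and the `ALLOWED_SOURCES` allowlist are all constructed assumptions; the point is that a burst of failed logins followed by a success from an address nobody recognises is exactly the pattern the indictment describes, and it is cheap to detect.

```python
# Added example (not the original post's code): a small log-monitoring check for
# remote-access logins on POS systems. The log format, sample lines, hostnames,
# addresses and allowlist below are constructed for illustration; adapt the
# regex to whatever your remote-access product actually writes.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: remote-access auth events from one franchise POS host.
SAMPLE_LOG = """\
2011-12-08 02:14:01 pos-store-117 remote-access: login FAILED user=admin src=198.51.100.23
2011-12-08 02:14:03 pos-store-117 remote-access: login FAILED user=admin src=198.51.100.23
2011-12-08 02:14:05 pos-store-117 remote-access: login FAILED user=admin src=198.51.100.23
2011-12-08 02:14:09 pos-store-117 remote-access: login OK user=admin src=198.51.100.23
2011-12-08 09:30:00 pos-store-117 remote-access: login OK user=support src=10.20.0.5
"""

# Assumption: support staff only ever connect from a small, known set of addresses.
ALLOWED_SOURCES = {"10.20.0.5"}
FAILURE_THRESHOLD = 3          # failures within WINDOW that count as a brute-force burst
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) remote-access: "
    r"login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def find_alerts(events, allowed=ALLOWED_SOURCES, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (kind, host, src, user) tuples for the patterns worth paging someone about."""
    alerts = []
    recent_failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    for e in events:
        key = (e["host"], e["src"])
        if e["result"] == "FAILED":
            # keep only failures inside the sliding window, then count them
            recent_failures[key] = [t for t in recent_failures[key] if e["ts"] - t <= window]
            recent_failures[key].append(e["ts"])
            if len(recent_failures[key]) == threshold:
                alerts.append(("BRUTE_FORCE", e["host"], e["src"], e["user"]))
            continue
        # successful login: is the source expected, and was it preceded by a burst of failures?
        if e["src"] not in allowed:
            alerts.append(("UNEXPECTED_SOURCE", e["host"], e["src"], e["user"]))
        if len(recent_failures[key]) >= threshold:
            alerts.append(("SUCCESS_AFTER_FAILURES", e["host"], e["src"], e["user"]))
        recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for kind, host, src, user in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {user}@{host} from {src}")
```

Run against the constructed sample it raises three alerts for the unknown address (a brute-force burst, a successful login from outside the allowlist, and a success immediately after that burst) and none for the support login. None of this substitutes for the two-factor authentication PCI requires on remote access; it is the monitoring layer that tells you the control is missing or being abused.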
So will Subway now have to post the Black Mark of Shame in every franchise?