
(Network World)   Former Subway POS pleads guilty to POS hacking   (networkworld.com)
    More: Dumbass, Subway POS, Subway, Rialto, IDG News Service  

2799 clicks; posted to Geek » on 16 May 2014 at 1:56 PM (14 weeks ago)



19 Comments
 
2014-05-16 10:49:41 AM
$40,000.00 at Subway?  That is a lot of $5.00 foot longs, even with a soda and a bag of chips.
 
2014-05-16 11:18:55 AM
What a POS.
 
2014-05-16 12:32:51 PM
Wow, so stealthy. Installing a legitimate remote software program that lists itself clearly in the registry and on the C drive?

How did this genius ever get caught?
 
2014-05-16 02:04:13 PM

SecretAgentWoman: Wow, so stealthy. Installing a legitimate remote software program that lists itself clearly in the registry and on the C drive?

How did this genius ever get caught?


I'm wondering how this scheme worked in the first place. Does Subway normally let its franchises buy third-party equipment?

That and I'm surprised they don't reconcile their gift card activations against the cash/credit card receipts. And there's no close process after which no transactions can be run.
 
2014-05-16 02:14:09 PM
Hey, it's not surprising. My work doesn't really check to see if what I buy with a company credit card actually ends up at the customer office, or if we even bill them for it. Giant purchases, yeah, but they barely notice 100-300 here or there. It comes down to the manager trusting I did (I do) the right thing; also sometimes we give things away for free to make someone happy or if they just spent like 200k.
 
2014-05-16 02:19:02 PM

Arkanaut: SecretAgentWoman: Wow, so stealthy. Installing a legitimate remote software program that lists itself clearly in the registry and on the C drive?

How did this genius ever get caught?

I'm wondering how this scheme worked in the first place. Does Subway normally let its franchises buy third-party equipment?


Since he himself was a franchise owner, I bet he knew the rules and loopholes.  In this case, I'm betting Subway franchisees are allowed to buy used equipment, so long as it is "Subway standard".

That and I'm surprised they don't reconcile their gift card activations against the cash/credit card receipts. And there's no close process after which no transactions can be run.

This.  Gift card transactions are easy enough to track.  And having the register active after close is ridiculous.  At close the cash drawer should be removed to the safe and the machine should be turned off/ deactivated until the next day.  That's just standard retail procedure.
 
2014-05-16 02:19:42 PM
I've always wondered what someone would have access to at the company I work for if they booted from a Linux USB drive at one of our registers.
 
2014-05-16 02:31:27 PM
Ah, the stupid things people do who work for POS companies.

When I worked for one we had one genius use one of the testing cards to get gas for their car back when gas was all of $1/gallon.  So for under $20 they got fired.

The security on them used to be laughable.  Not sure if it's any better today.
 
2014-05-16 02:32:15 PM

kittyhas1000legs: I've always wondered what someone would have access to at the company I work for if they booted from a Linux USB drive at one of our registers.


At smaller establishments you quite often find POS equipment on the same LAN as the free customer WiFi.

I was at a wedding reception a couple of months back, and was just running a quick scan over the LAN.  Not only were the bar POS machines on the same LAN, there were AC controllers and all sorts of other things on the same LAN.

I usually take a note of the company name and pass the details onto our sales guys. :-)
 
2014-05-16 03:17:12 PM

Walker: What a POS.


A Ford.  I had no idea that selling a Ford to a subway franchisee was illegal
 
Ant
2014-05-16 03:41:59 PM
Installing commercially-available software is hacking now?
 
2014-05-16 04:36:47 PM

Pinko_Commie: kittyhas1000legs: I've always wondered what someone would have access to at the company I work for if they booted from a Linux USB drive at one of our registers.

At smaller establishments you quite often find POS equipment on the same LAN as the free customer WiFi.

I was at a wedding reception a couple of months back, and was just running a quick scan over the LAN.  Not only were the bar POS machines on the same LAN, there were AC controllers and all sorts of other things on the same LAN.

I usually take a note of the company name and pass the details onto our sales guys. :-)


Luckily the 8,000+ store chain doesn't do that. If your phone automatically notices wifi, it will bring up two or three gibberish-named password-protected networks in our stores. The computers can only go to a few sites (our own, fedex, etc) but run IE6. We also use satellite internet along with our landline internet. I assume the satellite communications are encrypted. I'd hate to have someone be able to point a dish at 91W and use Skygrabber to intercept our traffic.
 
2014-05-16 05:00:10 PM

TheGreatGazoo: Ah, the stupid things people do who work for POS companies.

When I worked for one we had one genius use one of the testing cards to get gas for their car back when gas was all of $1/gallon.  So for under $20 they got fired.

The security on them used to be laughable.  Not sure if it's any better today.


Slightly better. The most important part of the register resides in an embedded OS PC heavily firewalled from the main POS. The only access is via a challenge password which only the manufacturer has. So in theory it would take a manufacturer's rep getting the entire list in order to breach.
 
2014-05-16 05:01:26 PM
On a side note, wouldn't this be a very large violation of PCI-DSS if a major chain allowed their franchises access like this? (Although I think Subway allows franchises to run their own credit cards unlike gas stations)
 
2014-05-16 05:32:31 PM

SecretAgentWoman: Wow, so stealthy. Installing a legitimate remote software program that lists itself clearly in the registry and on the C drive?

How did this genius ever get caught?


All depends on whether the people he sold it to knew if it was supposed to be there or not. You can do this with a lot of things, and until there is a problem and you bring somebody in to fix it, or somebody who has a little computer knowledge just happens to see it and ask why it is there, nobody will know it isn't supposed to be there.
 
2014-05-16 08:19:27 PM
What a Subway POS might look like:
2.bp.blogspot.com

/mean
 
2014-05-16 11:04:45 PM

aerojockey: What a Subway POS might look like:


/mean


For some reason, Subby's headline had me thinking it WAS Jared who hacked their point of sale system.
 
2014-05-17 01:03:02 AM

kittyhas1000legs: I've always wondered what someone would have access to at the company I work for if they booted from a Linux USB drive at one of our registers.


At a decent place? Jack and shiat. Dot1x and profiling would shut the port down. Same thing you do when someone plugs in random switches into the network.

Had a guy try to use a 'dumb' switch at his desk. Kept wondering why it didn't work, but his laptop would.
 
2014-05-18 02:01:26 AM
I don't get too many of these, but since this is what I get paid for, I'll lend my knowledge to the situation.  I write and maintain POS software for a small company in PA.  So here's my take on the following points I've seen.

DrunkWithImpotence: Arkanaut: SecretAgentWoman: Wow, so stealthy. Installing a legitimate remote software program that lists itself clearly in the registry and on the C drive?

How did this genius ever get caught?


We install LogMeIn on all of our back-office computers so we can do remote maintenance and apply software patches as needed.  This is standard, and built into our contracts, and is in no way a red flag of something wrong.  A lot of companies do the exact same thing.

I'm wondering how this scheme worked in the first place. Does Subway normally let its franchises buy third-party equipment?


Not sure about Subway specifically; however, we have installed in plenty of chain restaurants.  And with the exception of things like gift cards, we have had to follow zero instructions for data transfers to corporate.  Gift cards are the exception, since they are transferable between restaurants.

Also, say Subway wants to have a specific piece of software installed, e.g. Aloha POS.  They don't go to Aloha to install it; they go to one of their countless business partners whose job it is to install the software and hardware, and to maintain it.


Since he himself was a franchise owner, I bet he knew the rules and loopholes.  In this case, I'm betting Subway franchisees are allowed to buy used equipment, so long as it is "Subway standard".

You'd be surprised what a lack of standards there is out there when it comes to POS registers.

That and I'm surprised they don't reconcile their gift card activations against the cash/credit card receipts. And there's no close process after which no transactions can be run.

And that there is the rub.  They do reconcile it. I'm figuring he tried something like backdating the receipts, to put the actual sales into years already past so they wouldn't come up in reports, and thought that when it all crashed down the manager/owners would take the heat for it.



This.  Gift card transactions are easy enough to track.  And having the register active after close is ridiculous.  At close the cash drawer should be removed to the safe and the machine should be turned off/ deactivated until the next day.  That's just standard retail procedure.

Easy enough if you're looking for them.  If you do what I said previously, you wouldn't look for them.  It would eventually fall apart when Subway started asking for their money from the gift cards, though.  And as for the second half of the statement, that's all well and good to turn off your cash registers at close.  But I can guarantee you that was not his point of attack.    It was the back-office computer, which would be left on 24 hrs a day, whether the restaurant is open or closed, since it has to do things just after midnight, like upload credit card info to Visa/MC.

Your CC doesn't get charged until that happens.  During the day, you place holds on the money for the credit cards, and at end of day you go and actually tell the CC companies, "OK, give me all the money from those holds."  Some businesses have different policies on when they clear those holds.  I've seen some that do it every 2-3 days, which is kinda weird.


That being said, with my own software, I could easily hide transactions by using LogMeIn, and no one would be the wiser.  Using the other software, "Aloha", that the place I do work for also sells, I could easily run any kind of transaction I would ever want, but would expect it to eventually fall apart for gift cards, due to the very nature of it being MANDATORY to pass that info on to corporate.  With a system that has CC built in, I could cancel my CC charges if I called before they made the upload at end of night, and then remove my transactions from the system, but that would only save me the price of a meal.  My guess is he was trying to sell the Subway cards online.
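Several posters above argue that the scheme should have been caught by reconciliation: every gift-card activation should be funded by a matching cash or card tender, nothing should post after close, and a backdated business date (a 2012 date on a record that only reached the journal in 2014) is a giveaway. The script below is an added example, not code from the thread or from any POS vendor named in it; it runs those checks over a constructed store journal. The store open/close times, the record layout, the one-day backdating tolerance and the rule that activations should originate at a register rather than the back-office PC are all assumptions chosen to illustrate the thread's points.

```python
"""Reconcile gift-card activations against tender records and flag anomalies.

Added example with constructed data. Assumptions (not from the thread):
  - each activation record carries the business date the register stamped on it
    ('business_date') and the time it actually hit the journal ('posted_at');
  - the store trades 06:00-22:00; anything posted outside that is 'after close';
  - a record whose posted date is more than MAX_BACKDATE_DAYS after its business
    date is treated as backdated;
  - legitimate activations originate at a register, not the back-office PC.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample journal (hypothetical card ids and amounts, not real data).
ACTIVATIONS = [
    {"card": "GC-0001", "amount": 25.00, "business_date": "2014-05-10",
     "posted_at": "2014-05-10T12:14:00", "origin": "register-1"},
    {"card": "GC-0002", "amount": 50.00, "business_date": "2014-05-10",
     "posted_at": "2014-05-10T23:40:00", "origin": "backoffice"},   # after close, no tender
    {"card": "GC-0003", "amount": 100.00, "business_date": "2012-03-02",
     "posted_at": "2014-05-11T01:05:00", "origin": "backoffice"},   # backdated two years
    {"card": "GC-0004", "amount": 25.00, "business_date": "2014-05-11",
     "posted_at": "2014-05-11T13:02:00", "origin": "register-1"},
]
TENDERS = [
    {"txn": "T-100", "business_date": "2014-05-10", "amount": 25.00, "method": "cash"},
    {"txn": "T-101", "business_date": "2014-05-11", "amount": 25.00, "method": "credit"},
]

OPEN_TIME = time(6, 0)       # assumed trading hours
CLOSE_TIME = time(22, 0)
MAX_BACKDATE_DAYS = 1        # assumed tolerance for late posting


def reconcile(activations, tenders, open_time=OPEN_TIME, close_time=CLOSE_TIME,
              max_backdate_days=MAX_BACKDATE_DAYS):
    """Return a list of (finding, card_id) tuples in journal order."""
    findings = []
    # Pool of unmatched tenders keyed by (business date, amount). Each tender can
    # fund at most one activation, so matches are consumed as they are used.
    pool = defaultdict(list)
    for t in tenders:
        pool[(t["business_date"], round(t["amount"], 2))].append(t["txn"])

    for a in activations:
        posted = datetime.fromisoformat(a["posted_at"])
        bdate = datetime.strptime(a["business_date"], "%Y-%m-%d").date()
        key = (a["business_date"], round(a["amount"], 2))

        # 1. Every activation must be funded by a tender of the same amount that day.
        if pool[key]:
            pool[key].pop(0)
        else:
            findings.append(("UNFUNDED_ACTIVATION", a["card"]))

        # 2. Nothing should post outside trading hours (the "close process" point).
        if posted.time() >= close_time or posted.time() < open_time:
            findings.append(("AFTER_CLOSE", a["card"]))

        # 3. A business date well before the posting date means the record was backdated.
        if (posted.date() - bdate).days > max_backdate_days:
            findings.append(("BACKDATED", a["card"]))

        # 4. Activations are expected to come from a register, not the back-office PC.
        if not a["origin"].startswith("register"):
            findings.append(("NON_REGISTER_ORIGIN", a["card"]))
    return findings


def flagged_cards(activations, tenders):
    """Sorted set of card ids that raised at least one finding."""
    return sorted({card for _, card in reconcile(activations, tenders)})


if __name__ == "__main__":
    for finding, card in reconcile(ACTIVATIONS, TENDERS):
        print(f"{card}: {finding}")
```

Run against the constructed journal, GC-0001 and GC-0004 reconcile cleanly, while GC-0002 and GC-0003 each trip several checks at once, which is the point: the individual signals (an after-hours post, a missing tender, a back-office origin) are weak alone, but an activation that is unfunded, posted after close and stamped with a years-old business date is exactly the pattern the thread describes.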
 
Displayed 19 of 19 comments
