Hacking Subway's POS System

The story of how Subway's point-of-sale system was hacked for $3 million.

Posted on December 26, 2011 at 8:39 AM • 18 Comments

Comments

Jeff • December 26, 2011 9:40 AM

Everyone is missing the point with credit card security - the whole system is a terrible design from a modern security POV, because everyone you make a payment to is trusted. There's no reason why, to make a payment to company X, I have to give out the ability (knowledge of my CC#) to make additional payments from my account to a different company Y.

It's almost trivial to design a better system using cryptography - are Visa/Mastercard just stupid, or do they benefit from theft somehow?

Mark Wilson • December 26, 2011 9:56 AM

Does anyone know which remote control application was hacked? VNC? Remote Desktop? TeamViewer?

Lori • December 26, 2011 10:23 AM

I think a lot has to do with a false sense of security. They felt that if they weren't storing the credit card data, then there was no risk. The PCI rules on second-factor remote access should apply to any device that collects, stores or scans credit card data.

LinkTheValiant • December 26, 2011 11:02 AM

"It's almost trivial to design a better system using cryptography"

It's trivial to design just about anything having to do with cryptography. Designing it for actual implementation is another situation altogether. That's not to say it can't be done, or shouldn't be done, but the CC companies are certainly not stupid. The economic incentives are not there.

There's a very strong disincentive, in fact, because such a cryptographic system would require crazy amounts of education to implement correctly, at a cost far higher than simply building the system. No, they aren't stupid. The current system is decidedly broken, but it is broken in a way the public and the law know, accept, and understand. Such will not be the case with any new system.

Student • December 26, 2011 11:11 AM

Also, the security of the credit card system is and has always been primarily based on detection of fraud (instead of prevention) and pushing the costs of the fraud towards the initiator of the transaction.

Daniel • December 26, 2011 2:53 PM

@LinkTheValiant

"it is broken in a way the public and the law know, accept, and understand."

That's correct. There's a term for this situation, however, and it's called status quo bias. Because it's equally true that, looking 20 years down the line, the status quo cannot hold. So the question isn't if the system will change, it's only a question of how and who is going to pay for it.

LinkTheValiant • December 26, 2011 3:49 PM

"So the question isn't if the system will change, it's only a question of how and who is going to pay for it."

Oh, it's certain that it won't be paid for by the companies unless they're forced to it. After all, the only reason credit cards have the customer protections they do enjoy is that they were legally forced to implement them.

So you're really left with two choices. You can have someone design this system, from scratch, on spec, and then demonstrate to the law that it SHOULD be this new way, and that the CC companies should pay for it.

Or you wait till the current system collapses under its own weight, and the CC companies are forced to implement something fast, in which case it's nearly certain it will be as broken as the old system.

Not very comforting, but it is the way business design works, sadly enough. Gotta love human nature.

Will • December 26, 2011 9:07 PM

@LinkTheValiant

"It's trivial to design just about anything having to do with cryptography"

Hmm, don't think so. On the other hand, this blog's following does have an above average chance of succeeding in designing a secure system and implementing it correctly too.

"The economic incentives are not there."

Spot on, as Bruce keeps saying, and keeps suggesting ways to rectify.

"it is broken in a way the public and the law know, accept, and understand."

Really? Do a spot test of friends and family that aren't in the security business, or people in your local high street. Then do a spot test of barristers and judges.

I think you'll be disappointed by their ignorance and shocked by their trust.

RobertT • December 26, 2011 11:23 PM

"It's almost trivial to design a better system using cryptography - are Visa/Mastercard just stupid..."

In many ways this insanely simple method protects consumers better than more advanced systems, because EVERYONE can see how simple it is to defeat, and rules accordingly in court cases.
If you look at the Chip and Pin credit card systems deployed in Europe, they are significantly more secure BUT can still be hacked. The big difference is that with "Chip and Pin" systems the average Joe does not understand how it can be defeated, so they assume the purchase is real, even when hacking is to be strongly suspected...

Additionally, you have to be careful what you wish for, because the credit card issuers are not politically stupid. If they add costs by implementing "Chip and Pin", they extract a favor, such as legislation which raises the bar in proving that the losses were due to hacking.


Arclight • December 27, 2011 12:45 AM

@RobertT:

Thanks for saying exactly what I was thinking. The reason credit card fraud doesn't hurt consumers more (other than mostly in the form of higher prices) is that our courts and legislature understand the issue and make policy that places security responsibility and economic responsibility onto the banks. Changing this balance would be disastrous for consumers.

MitchB • December 27, 2011 1:06 AM

Money wise, there is not much motivation that I can see for Visa/MC/Amex to really fix this.

I'm a relatively small merchant and I can tell you from experience that when fraud occurs with a transaction that we are involved in, we are left holding the bag every time. The consumer and, especially, the bank do not pay a dime. The consumer I can understand. I'm a bit bitter when we get a perfectly good authorization, with CVV and AVS matches, and we still get a chargeback.

We are all victims of the banks and their true, meaningful lack of improvement of this system.

n • December 27, 2011 3:48 PM

Has anyone mentioned blink? This uses RFID smart cards (I believe) to authorize one-time purchases only. If everyone moves toward this system, wouldn't that solve (or greatly limit) the problem?

"blink is SECURE. Your card can only be read for one purchase at a time and only by one reader at a time. Your blink card cannot be more than 2 inches away — about the length of your car key — to make a purchase."

Clive Robinson • December 27, 2011 7:15 PM

@ n,

"blink is SECURE. Your card can only be read for one purchase at a time and only by one reader at a time. Your blink card cannot be more than 2 inches away — about the length of your car key — to make a purchase."

Yup, it makes a great sounding marketing sound bite / advert, just like those ones for "stain removers". And as anyone who has a raw silk shirt that has been ruined by an alcoholic drink with blackcurrant juice in it splashed against it knows, there is no stain remover you can name from adverts that works...

More precisely "near field" communications by EM radiation in the normal low microwave and below radio frequencies has range issues.

That is, to get that "two inch" range to work under the majority of use cases (for commercial reliability), it will work at greater distances. The question is how far, and that depends on a number of things: firstly the actual frequency, secondly the effective transmission medium, thirdly the respective antenna gains, location and orientation.

In most cases the "joker in the pack" is the "transmission medium", especially at the lower end of the RF spectrum, and it is the bête noire of TEMPEST's raison d'être and the bane of the lives of its designers and technicians.

This is because any old conductor, including a plastic pipe with ordinary tap water in it or the proverbial "wet string", can act as an "enhanced transmission medium", especially if it couples into the RFID's effective "near field".

I've seen and demonstrated wooden topped tables [1] act as field distorting conductors because of their moisture content, and plastics used for packaging and sound etc. insulation do similar due to their dielectric effects [2]. Then there are the less common ferromagnetic and other effects that can change the properties of conductors around them and in some cases act as transducers converting EM energy to other energy types such as sound, by for example magnetostriction. Thus such an RFID adjacent to keys or coins in your wallet could find its range quite significantly altered.

And an attacker will always try and maximise their advantage as covertly as required, thus certainly at low frequencies "door frame" loop antennas etc will be put to use to extend the range out from inches to feet.

Thus you would then have to start asking other questions about the security of the RFID system on the assumption of both "eavesdropping" and "active relay / replay".

Because of the multi-layer approach you have to take in designing such a secure system and the very distinct lack of engineers with all the required skills, the chances are any such RFID system will have exploitable weaknesses, and it's now most definitely worth the time and effort of exploiters to find and utilise any deficiency in such a system.

Which tends to make a successful attack a question of time and resource utilisation. That is, from an attacker's point of view, as long as other "lower hanging fruit" are available the system probably won't get attacked except by researchers. However, if other systems toughen up so as to make this RFID system an easier target, then the resources will be utilised in its direction...

[1] One practical demonstration of "wooden table top" issues is to set up an ordinary oscilloscope with a x10 probe with just the pointed tip exposed to the air. Set the scope vertical gain to AC maximum, and you normally see 50mV or so of "mains hum" and other noise displayed. Then stick the probe tip actually into the wood and you will see upwards of 100mV and sometimes in excess of a volt or two of mains hum and noise displayed.

[2] You can now buy "dielectric antennas" for microwave frequencies. These can consist of stacked up plates of dissimilar plastics such as expanded polystyrene and other plastics; the dielectric effect causes them to act like either lenses or "TV" style yagi array antennas, providing directivity and gain.

n • December 29, 2011 1:11 PM

Clive, it may be possible to make a longer-range blink reader, but that is not the issue. Blink uses smart cards - signed transactions. One could not copy the credit card numbers and sell them on a black market. It defeats this attack.
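As an added example (not part of the original thread, and not the blink or EMV protocol), the following sketch shows the property Jeff asks for above, that paying merchant X should not hand X the ability to charge you at Y, and the "signed transactions" property n credits blink with. The card holds a secret key shared only with the issuer and produces a tag bound to merchant, amount and a fresh nonce; the issuer checks the tag, the binding, and that the (card, nonce) pair has not been seen. The merchant identifiers, the message format, the use of HMAC in place of a chip's real cryptogram, and the test PAN are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


class Card:
    """A payment card holding a per-card secret shared only with its issuer.

    Stand-in for an EMV chip: the card never hands the key to the terminal,
    it only answers with a tag over what the terminal asked it to authorize.
    """

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def authorize(self, merchant_id: str, amount_cents: int, nonce: bytes) -> dict:
        """Produce a one-time authorization bound to merchant, amount and nonce."""
        msg = f"{self.pan}|{merchant_id}|{amount_cents}|{nonce.hex()}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "merchant": merchant_id, "amount": amount_cents,
                "nonce": nonce.hex(), "tag": tag}


class Issuer:
    """Issuer back end: knows every card key, remembers every nonce it has honoured."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._seen: set[tuple[str, str]] = set()   # (pan, nonce) pairs already settled

    def enroll(self, pan: str) -> Card:
        key = os.urandom(32)
        self._keys[pan] = key
        return Card(pan, key)

    def settle(self, claimed_merchant: str, claimed_amount: int, token: dict) -> str:
        """Settle a token presented by `claimed_merchant` for `claimed_amount`.

        Assumption: the acquiring channel authenticates which merchant is
        presenting the token, so `claimed_merchant` can be trusted here.
        """
        key = self._keys.get(token.get("pan"))
        if key is None:
            return "declined: unknown card"
        msg = (f"{token['pan']}|{token['merchant']}|{token['amount']}|"
               f"{token['nonce']}").encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return "declined: bad signature"        # forged or altered token
        if token["merchant"] != claimed_merchant:
            return "declined: merchant mismatch"    # X's token presented by Y
        if token["amount"] != claimed_amount:
            return "declined: amount mismatch"
        replay_key = (token["pan"], token["nonce"])
        if replay_key in self._seen:
            return "declined: replay"               # same token settled twice
        self._seen.add(replay_key)
        # Note: this replay set lives at the issuer. A terminal authorizing
        # "off line" (Clive's fallback case) cannot consult it, so an offline
        # mode must bound its exposure some other way (limits, counters).
        return "approved"


def demo() -> dict:
    """Run an honest sale and four misuse attempts; return each outcome."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")        # well-known test PAN
    nonce = os.urandom(8)                            # terminal-chosen challenge
    token = card.authorize("merchant-x", 799, nonce)

    results = {}
    results["honest"] = issuer.settle("merchant-x", 799, token)
    # Merchant X submits the same token a second time.
    results["replay"] = issuer.settle("merchant-x", 799, token)
    # Merchant X (or a thief of its logs) tries to spend the token as merchant Y.
    results["other_merchant"] = issuer.settle("merchant-y", 799, token)
    # The amount field is edited after the card signed it.
    inflated = dict(token, amount=79900)
    results["inflated"] = issuer.settle("merchant-x", 79900, inflated)
    # Knowing the PAN alone (the "sell it on the black market" case) is useless
    # without the card key: a fabricated tag does not verify.
    forged = {"pan": card.pan, "merchant": "merchant-y", "amount": 5000,
              "nonce": os.urandom(8).hex(), "tag": "00" * 32}
    results["forged_from_pan"] = issuer.settle("merchant-y", 5000, forged)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} {outcome}")
```

What the sketch does not address is the relay attack RobertT and Clive discuss: a fresh, correctly bound token relayed in real time from a victim's card to a distant terminal verifies perfectly, because nothing in the message proves physical proximity. Binding to merchant and amount limits what a relayed token is worth, but it does not stop the relay itself.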

Clive Robinson • December 29, 2011 2:53 PM

@ n,

"Blink uses smart cards - signed transactions. One could not copy the credit card numbers and sell them on a black market. It defeats this attack."

There are a couple of problems I have with Blink over and above the issue of using an RFID style communications system (ie contactless near field).

The first problem is it does not exist in isolation; the second is it is designed for "customer benefit" to work in an "off line" mode as a "fallback".

A third problem is a current lack of public information about how it's been implemented.

If you believe some accounts the backend network is the same as that for "chip-n-pin" and the front end technology is the same as the EMV near field system.

But first off, a glaring security hole that is supposedly for "customer ease of use"... Basically anyone who has the card needs no other method of authentication to use it for smallish transactions... Now the question is how small is small. The value in the more well known EMV systems varies from 15GBP up to 300AUD per transaction as far as I can tell, with differing numbers of transactions before a PIN needs to be entered.

But let's look at the network. Chip-n-Pin is known to have a number of security faults; likewise, it appears, the EMV contactless technology...

So without the extra currently unavailable or difficult to find technical details (and no, I don't call the marketing blurb anything other than BumFodder), I'm tarring it with the same brushes as the other systems' failings.

I might be wrong, but let's be honest, EMV have never yet fielded a secure card payment system, and I don't think it likely for political reasons they will.

RobertT • January 1, 2012 2:35 AM

@n
All NFC systems are inherently less secure than contact systems. They are susceptible to all the same MITM style attacks that can be used against contact cards. Additionally they can be potentially attacked by RF means from even greater distances.

The NFC cards all contain a loop of wire that basically acts as a secondary to an air-core transformer. This is the INTENDED mode of operation, however it is not the only way to couple RF energy into the device. At much higher frequencies the loop still acts as an antenna so GHz carriers can also be coupled to the smart card. For the attack system, it is easier to control directionality and antenna gain at higher frequencies so significant localized RF field strengths can be created at the NFC target location.

Once you can power up the card remotely, you can communicate with it and even instigate the transfer of signed "tokens" (i.e. virtual cash). I'm not going to go into details on the exact methods. Additionally, the need for the cards to operate at very low power consumption reduces the complexity of the authentication protocols that can be attempted; this further weakens the system security.

About all that can be said is that at the moment there are no effective attacks that can be bundled in a manner suitable for "script kiddies", but you should not confuse that with inherent security.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..