Subway hacked by their point of sale supplier

In 2012 it was revealed that US Subway chains had been hacked by Romanian hackers who stole $10 million. Then, earlier in 2013, news broke that they had been hacked again, but this time by their point of sale provider.

Venturebeat reported that Shahin Abdollahi ran an entire point of sale system business and sold many of those systems to Subway. What he didn’t tell Subway was that he had installed a back door program on the point of sale systems. This allowed Abdollahi and his associate, Jeffrey Thomas Wilkinson, to access the Subway point of sale systems and electronically load Subway gift cards for their own use or for sale.

“…the reason you see a lot of retail establishments being targeted is because 1) they don’t tend to have as strong security measures in place and 2) they have a lot of credit card numbers. And so it’s a good combination if you’re a hacker.” (Nathan McNeill, co-founder and chief strategy officer for Bomgar)

What does this mean for your business’ point of sale system?

If you have a point of sale system currently installed at your business then don’t worry. As with most things in this world, a few spoil it for the rest. Point of sale companies are upstanding, trustworthy and simply want to provide the best EPoS system so you can run your business more effectively. Point of sale is a relational business, which means that if you’re successful and expand then your supplier will be successful and expand too.

Having said that, there are a number of ways you can make sure you pick a trustworthy point of sale supplier, and it all starts with good research.

When you’re sourcing a new point of sale supplier, find out the answers to these questions before you buy anything:

How long have they been trading for?

This is perhaps one of the biggest benchmarks you can look to. The age of a company has little to do with its honour, security or trustworthiness, but if it has been trading for a while it does allow you to judge its standards over a long period.

For example, if a company has been trading for 25 years, is still going strong, is still winning business and still has many of its original customers, that’s a strong signal it’s a company worth working with.

However, if they’ve only been trading for a couple of years then there is less information on which you can make a judgement. Note: it took 2 years to discover the Romanian hackers who stole $10 million from Subway.

Who are the directors and board members?

You can request information from Companies House about any registered company in the UK, including a list of their directors and board members.

With this information you can perform simple background checks on these people. Searching for their names on Google is a good place to start, especially if they have unusual names. Most likely this will not bring anything up, but it’s always worth a look.

You can also search for them on social media, as that might provide a valuable insight into their personalities and what they are like to work with.

Do they have a good reputation?

Another way to look at this question: “What do their current customers say about them? Are they happy with the product and the level of support?”

If you don’t know who the customers of a point of sale supplier are, ask the supplier for references you can talk to.

Do they promote PCI compliance?

A company providing point of sale solutions that take credit and debit card payments must promote full PCI compliance as a minimum. PCI compliance is a requirement, and failing to uphold it can result in large fines.

Bottom line: if a point of sale supplier isn’t promoting PCI compliance, what other security corners are they cutting?


Retail Computer Solutions have been a preferred supplier of total EPoS solutions for 25 years. They started in 1989 and continue to provide quality, trusted and secure retail services to their customers. If you’d like to learn more about EPoS solutions or suppliers, feel free to leave a comment below.
