How Hackers Took Subway Customers for Millions of Dollars Due to Franchisees' Incompetence

By Veronique Greenwood | December 21, 2011 2:22 pm

At some Subways, the sandwiches aren’t the only thing that’s poorly constructed.

Security in the networked world of today isn’t always the easiest to understand, we’ll admit. But business owners, who are in a position of trust when it comes to customers’ debit and credit card transactions, should really be up on basic internet security. When they’re not, they effectively hand their customers’ information to hackers. Case in point: about 150 Subway franchises, along with at least 50 other small retailers, set up debit card scanners without proper security and encryption, and about 80,000 customers lost a total of $3 million as a result.

Here’s what happened: Subway distributes a list of security requirements to franchisees, but some neglected to follow it. According to a Justice Department statement, in addition to disregarding the encryption requirements, they installed cheap remote desktop software, the kind that lets a computer be controlled from another location. All the hackers had to do was guess or otherwise determine the password for that access, which, as all too many people have found out, isn’t very hard when the password is “password” or “12345.” Once they had that, the hackers were like kids in a candy store, and it took quite some time for anyone to notice what was going on.
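The weak point described above is a remote-access login that can be guessed, and the second problem is that nobody noticed the guessing. As an added example (not from the original article, the Justice Department statement, or any Subway or franchisee system), here is a small Python detector that reads constructed remote-access login log lines and flags two things: a burst of failed logins from one source, and a successful login from a source that had just produced such a burst. The log format, the addresses, the usernames and the window and threshold values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a remote-access service. The format
# "<timestamp> <event> src=<ip> user=<name>" is hypothetical, not any
# real product's log format. Three scenarios: a fast guessing burst that
# succeeds, a single typo followed by a normal login, and slow guessing.
SAMPLE_LOG = """\
2011-11-02T01:12:03 LOGIN_FAILED src=203.0.113.7 user=admin
2011-11-02T01:12:04 LOGIN_FAILED src=203.0.113.7 user=admin
2011-11-02T01:12:05 LOGIN_FAILED src=203.0.113.7 user=admin
2011-11-02T01:12:06 LOGIN_FAILED src=203.0.113.7 user=admin
2011-11-02T01:12:07 LOGIN_FAILED src=203.0.113.7 user=admin
2011-11-02T01:12:08 LOGIN_OK src=203.0.113.7 user=admin
2011-11-02T08:30:11 LOGIN_FAILED src=198.51.100.20 user=manager
2011-11-02T08:30:40 LOGIN_OK src=198.51.100.20 user=manager
2011-11-02T13:00:00 LOGIN_FAILED src=192.0.2.9 user=pos
2011-11-02T13:20:00 LOGIN_FAILED src=192.0.2.9 user=pos
2011-11-02T13:40:00 LOGIN_FAILED src=192.0.2.9 user=pos
2011-11-02T14:00:00 LOGIN_FAILED src=192.0.2.9 user=pos
2011-11-02T14:20:00 LOGIN_FAILED src=192.0.2.9 user=pos
2011-11-02T14:40:00 LOGIN_FAILED src=192.0.2.9 user=pos
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, event, src, user); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["event"], m["src"], m["user"])


def detect_guessing(log_text, window=timedelta(minutes=10), threshold=5):
    """Return a list of (kind, src, user, failure_count) alerts.

    kind is "burst" when a source reaches `threshold` failed logins inside
    `window`, and "burst_then_success" when that same source then logs in
    successfully while the burst is still inside the window, i.e. the
    guess probably worked.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures in window
    bursting = set()               # sources currently in a reported burst
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, event, src, user = rec
        q = failures[src]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            bursting.discard(src)
        if event == "LOGIN_FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("burst", src, user, len(q)))
        else:  # LOGIN_OK
            if src in bursting:
                alerts.append(("burst_then_success", src, user, len(q)))
            q.clear()
            bursting.discard(src)
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Run on the sample, the detector reports the burst from 203.0.113.7 and the success that follows it, ignores the single failed attempt from 198.51.100.20, and says nothing about 192.0.2.9, whose one attempt every twenty minutes never puts five failures inside a ten-minute window. That last case is the caveat: a window and threshold catch the noisy guesser, not the patient one, so this kind of rule belongs alongside account lockout or rate limiting and, better still, not exposing remote desktop access to the internet at all.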

It’s enough to make you take a good, hard look at your lunch joint’s manager, and, if he looks like he doesn’t know a trojan from a man in a toga, walk right back out that door.

Read more at Ars Technica.

Image courtesy of Brixton / flickr

  • The Sanity Inspector

    Or you could always just pay cash.

  • John Kwok

    Just paying in cash isn’t a meaningful response especially when most sales are now via credit or debit cards. Writers like Bruce Sterling and Neal Stephenson have been warning about potential problems such as this in their fiction and nonfiction for two decades, if not more. It should have been Subway’s responsibility to have better internet security, especially since it was promoting the usage of debit cards by offering its own for customers’ convenience.

  • scribbler

    Prepay debits or as I do, use an account that never has more than $100.00 in it…

  • benjdm

    Link doesn’t work.

  • Cathy

    Happened to me at an Office Max once. Hackers had gained control of their debit machines and read off thousands of debit cards over the course of a few weeks before they got caught. The card numbers and PINs were sold to criminals overseas, who went to ATMs that took names and PINs without physical cards to dispense cash. $1300 gone from my account in one weekend. Fortunately, the fraud department of Wachovia was cool with refunding the purchases since they were in Ul Grojeka and Ukraine. I was without any money for about two weeks, though. These days, I have a separate unlinked savings account with another bank in case any screwups like that happen…

  • Bob F.

    Twice this year, my bank called me to say that my debit card info had been compromised and they were sending me a new one. The card never left my wallet, and I use only American Express and PayPal for online transactions. That means some other retail merchant(s) did what Subway did. Fortunately, I didn’t lose anything.

  • Susan

    Even lower tech: I was in a Racetrack paying for gas when one of the employees took a cell phone camera shot of a credit card (of the woman in front of me), turned it over and shot the back. The woman couldn’t see him as it was blocked by the cash register. I was on the line to the left and could see quite clearly. I told the woman and she didn’t believe me, but the cashier on my line did and called the manager.

  • John

    In the Washington Mutual days I received a phone call from their fraud division asking about unusual activity on my card. They were correct and advised they were sending me a replacement card. (By the way, they did not ask me for personal info, but being distrustful I told them I would call them back…using the phone number on my billing.) About a week later they called to ask if I had received the new card, which I had not. They said they assumed I had not but what they caught on to was that my replacement card was already being used before I had a chance to use it. Hmmmm. So I was told to destroy the replacement card I would first receive…then when I received another card to phone their customer service listed on my billing and ask for their fraud division. They were on the ball!

  • candy

    Thank you. I rarely use a debit card but know not to trust Subway now.

  • yogi-one

    Small businesses and even some big corporations are hardwired not to do anything about security until AFTER a breach.

    First, it involves expenditures that don’t immediately translate into profit, therefore spending on security is an unjustifiable expense.

    Second, that’s right, most managers don’t know jack about computer security, and frankly, don’t care about it. This goes double if they are over 40 years of age and became adults before computers were ubiquitous. And they don’t want to admit they don’t know. Younger employees don’t press them on it because they don’t want to piss off the boss by appearing smarter than the boss. So small non-tech enterprises don’t talk about it.

    Third, they figure if it becomes a problem, they’ll fix it. A great strategy for a milkshake machine, but a FAIL strategy for computer security.

    Result: they end up getting hacked by junior high schoolers and then they REALLY look stupid.

    You wonder when business owners are going to get the memo, but they just don’t. How can you feel sorry for someone who simply refuses to educate themselves and get up to speed on this critical issue?

  • Bob Hall

    Why not list all 150 franchises? That would be helpful!

  • Klaus

    One thing I like about using a PayPal card is that it generates an email with every transaction. I’ve been able to stop fraud 3 times. No losses.

  • Minnie

    I got an email from Capital One a few weeks ago saying “Congratulations, your credit card balance of $4,796 from your Discover Card has been approved!”. I don’t have a Discover Card.
    After phone calls and some time the result is that although Capital One told me the Discover Card number, they didn’t even know the name on the Discover Card. Discover Card refused to tell me the name; I can’t blame them.

    Credit was given back to me, the card was cancelled, but I can’t get any more info. I’d like to at least know the name of the person, TO SEE IF IT’S SOMEONE I KNOW. But nothing. You’d think it would be in everyone’s interest to provide me with more to help uncover this attempted crime.

    The credit card world is indeed dangerous.


80beats is DISCOVER's news aggregator, weaving together the choicest tidbits from the best articles covering the day's most compelling topics.