Three men were indicted on charges of hacking into computer systems at 11 Dave & Buster's restaurants and stealing credit and debit card numbers.
The 27-count federal indictment unsealed Monday in New York charges Maksym Yastremskiy of Kharkov, Ukraine, and Aleksandr Suvorov of Estonia with wire fraud, computer fraud, aggravated identity theft, and other crimes in connection with the scam, which occurred last year. Turkish officials arrested Yastremskiy last July and German authorities arrested Suvorov in March. The third suspect, Albert Gonzalez of Miami, was arrested this month on one count of wire fraud conspiracy.
The indictment alleges that the trio schemed to break into cash register terminals at various locations of the Dallas-based restaurant chain between April 30 and Sept. 22, 2007. They are accused of stealing credit and debit card Track 2 magnetic stripe data and selling it to others who used it to make fraudulent purchases. Track 2 data includes the customer's account number, expiration date and security code.
Yastremskiy and Suvorov, also known as "Maksik" and "JonnyHell" respectively, allegedly gained unauthorized access to the point-of-sale servers at each restaurant and installed a packet sniffer designed to capture Track 2 data as it moved from the POS servers to the computer system at the restaurant's headquarters and a data processor's network. According to the indictment, the pair falsely represented themselves as being authorized to gain access to the systems.
At each restaurant, the packet sniffer created a file to store the Track 2 data until the suspects collected the information. A defect in the malware shut down the sniffer whenever the compromised POS server rebooted, which forced the men to regularly reactivate the malware, the complaint said.
At a Dave & Buster's restaurant in Islandia, N.Y., the packet sniffer captured data for approximately 5,000 credit and debit cards, which the men sold to others who used the information to make purchases online and at various retail locations, according to the indictment. The theft eventually caused losses of nearly $600,000.
The case highlights the importance of securing POS systems, said Diana Kelley, partner at consulting firm Security Curve.
"It shows that point of sales matter as much as our servers and the rest of the network," she said. "It's important to look at what we do at the point of sales and how we protect them."
The Payment Application Data Security Standard (PA-DSS), released last month by the Payment Card Industry Security Standards Council, aims to ensure that payment application vendors follow a set of security requirements, she said.
"POS systems can be the weakest and most vulnerable link in the payment network system," said Rosen Sharma, chief technology officer at change control software vendor Solidcore Systems. "Looking at the situation from a traditional risk assessment viewpoint, these devices have had little attention because the risk and exposure of a single breach on an individual POS would only give access to only a small percent of card holder transactions."
Sharma said that nuggets of cardholder data were obtained at several sites and could motivate other prospectors to mine these readily accessible access points to the payment network.
"Locking down these access points will be the only means to stop the rush of identity theft and fraud," Sharma said.
The indictment isn't specific about how the alleged fraudsters perpetrated social engineering to access the POS servers, but Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said they might have pretended to represent the POS vendor needing to do remote maintenance. Many merchants have their POS systems remotely maintained by the POS vendor, he said.
The packet sniffer used in the scheme makes the case similar to the breach of the Hannaford Bros. Co. supermarket chain, in which thieves stole 4.2 million payment card numbers, he said. Hannaford has said an attacker sneaked malware onto servers at all of its nearly 300 grocery stores, and that the malware apparently snatched card data from customers as they swiped their cards through the checkout counter machines and transferred the data overseas.
"There's nothing new here," Nebel said. "Dave & Buster's was deficient in its security."
But he added that the PCI Data Security Standard needs to be updated to require encryption of internal traffic. Under the PCI DSS, encryption is only required for data that is stored or transmitted over a public network like the Internet.
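The sniffer described above worked because Track 2 records crossed the internal network in the clear. As an added example (not from the article or any of the companies named), the following defender-side check scans a constructed capture for cleartext Track 2 records laid out per ISO/IEC 7813, using the Luhn check to filter random digit runs and reporting only masked account numbers. The capture lines, the "POS01 -> HQ" labels and the card numbers are all constructed test values.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# The security code the article mentions sits in the discretionary field.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep only BIN (first 6) and last 4 so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(payload):
    """Return masked Track 2 findings present in one cleartext payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, svc, _disc = m.groups()
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        findings.append({"pan": mask_pan(pan), "exp": f"{mm}/{yy}", "service": svc})
    return findings

# Constructed sample capture (hypothetical host labels and a test card number):
# what a POS-to-headquarters link looks like when Track 2 is not encrypted.
SAMPLE_CAPTURE = [
    "POS01 -> HQ: ;4111111111111111=25121011234567890?",
    "POS01 -> HQ: heartbeat ok",
    "POS02 -> HQ: ;1234567890123456=2512101?",   # right shape, fails Luhn
]

def scan_capture(lines):
    """Return (source, finding) pairs for every cleartext Track 2 record seen."""
    hits = []
    for line in lines:
        source = line.split(":", 1)[0]
        for f in find_track2(line):
            hits.append((source, f))
    return hits

if __name__ == "__main__":
    for source, f in scan_capture(SAMPLE_CAPTURE):
        print(f"cleartext Track 2 from {source}: {f}")
```

Any hit on a segment that PCI DSS does not require to be encrypted is exactly the exposure Nebel describes; the same check run over a suspect file found on a POS server would reveal whether it is a sniffer's collection file.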
Dave & Buster's issued a statement saying it was alerted to the breach late last August and immediately contacted the U.S. Secret Service. The company said it never stored the stolen data, which it described as illegally accessed from its computer systems during the card verification and transmission process.
The company also said it has implemented additional security measures to prevent similar incidents from occurring in the future.