Four Romanian hackers have been charged with breaking into the card processing systems of 150 Subway sandwich bars and 50 other unnamed retailers.

Wired said that hackers nicked the credit-card data of more than 80,000 customers and used the data to make millions of dollars of unauthorised purchases between 2008 until May 2011. The hackers broke into 200 point-of-sale (POS) systems in order to install a keystroke logger and other sniffing software that would steal customer credit, debit and gift-card numbers. They also placed backdoors on the systems to provide ongoing access.

They found the vulnerable POS systems by scanning on the internet for devices with remote desktop software installed on them. They then used the software to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs. Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23, were charged in the District of New Hampshire with four counts, including conspiracy to commit computer fraud, wire fraud and access device fraud.

Oprea was arrested last week in Romania and is in custody there. Dolan and Butu were arrested upon entering the U.S. last August. Coppers have not found Radu yet. Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant's Aloha POS system.

Apparently Computer World's technicians installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. However they forgot to secure the program or update it. The default login was "administrator" and the
password was "computer."

More here.