14 DAY TRIAL // The owner of a company that sold and installed point-of-sale (POS) devices has admitted hacking into the POS systems at Subway restaurants in an effort to add value to gift cards.
According to federal authorities in Massachusetts, 46-year-old Shahin Abdollahi, also known as Sean Holdt, of Lake Elsinore, California, pleaded guilty to one count of conspiracy to commit computer intrusion and wire fraud, and one count of wire fraud.
Between 2005 and 2008, Abdollahi operated Subway franchises in Southern California. Later, he launched POS Doctor, a company that sold and installed POS systems at Subway restaurants all over the United States.
In 2011, Abdollahi and a co-conspirator, 37-year-old Jeffrey Wilkinson, started hacking into the POS systems they had installed at Subway restaurants and added at least $40,000 (€29,100) in value to gift cards.
Some of the fraudulent gift cards were used to make purchases at Subway, but Abdollahi and Wilkinson also sold cards to others on Craigslist and eBay. The fraudsters are said to have hacked into the POS systems of at least 13 Subway restaurants.
Court documents obtained by IDG News Service reveal the fact that Abdollahi and Wilkinson used a remote desktop application called LogMeIn to gain access to the POS systems. In 2009 and 2010, the two shipped POS systems to several Subway franchises with the remote access software installed on them.
Among the restaurants targeted by the fraudsters, investigators have mentioned the ones in Franklin, Massachusetts; Sundance, Wyoming; and Lakewood, California.
Prosecutors are confident that they would have had enough evidence against Abdollahi had the case gone to trial. Abdollahi will be sentenced on August 6, 2014. Wilkinson, who pleaded guilty on February 27, 2014, will be sentenced on May 28, 2014.
This isn’t the first time Subway restaurants are targeted by cybercriminals. In the past couple of years, several Romanian nationals were charged and convicted for hacking into the POS systems at hundreds of US merchants, including Subway.
The fraudsters made millions of dollars by installing keyloggers on POS systems in an effort to steal payment card information. They reportedly managed to steal data for more than 100,000 cards.
Over the past period, cybercriminals have increasingly targeted POS systems because they’ve realized that they can make a lot of money through such attacks. A perfect example is the data breach suffered by the retailer Target, in which the attackers made off with 40 million cards.