Dave & Buster's store #32 in Islandia, New York—a restaurant and electronic funhouse for adults—seemed an unlikely target for an international credit card theft ring. Certainly no patron drinking beer and shooting miniature basketballs into a miniature hoop expected their credit card data to end up inside an encrypted Latvian server, waiting to be sold off to international criminals who would ring up more than $600,000 in charges on the cards. But that was because no patron knew anything about the Estonian hacker Aleksandr "JonnyHell" Suvorov.
On May 18, 2007, Suvorov electronically entered the point of sale (POS) server at store #32. Every Dave & Buster's has a POS server, which vacuums up all the credit card data collected by each store's credit card swipe terminals and relays it upstream to a payment processor for verification and approval of the transaction. With full access to the server, Suvorov had no trouble installing a customized bit of code called a packet sniffer, and the program promptly turned its digital nose upon all traffic flowing into and out of the server. The sniffer used this privileged position to find and extract from the data stream the key "track 2" data—numbers and expiration dates, but not names—from every credit card used in store #32, saving it to a local file creatively named "log" for later retrieval.
Suvorov didn't hack his way in, exactly—he actually had the proper credentials for the POS server. He had obtained them by hacking a bit further up the credit card food chain and breaking into servers run by Micros, maker of the POS system used at Dave & Buster's. Inside the Micros system, Suvorov had found a file which he hoped would make him rich: it contained access information for POS systems deployed at Micros client locations, including Dave & Buster's.
Article by Nate Anderson (c) Ars Technica