The tools used in the Subway card skimming operation are widely available on the internet for anyone willing to take the risks.
According to Dave Marcus, director of security research and communications at McAfee Labs, in an interview with Ars Technica, small businesses' generally poor security practices and their reliance on common, inexpensive software packages to run their operations makes them easy pickings for such large-scale scams.
According to the article, an indictment unsealed in the US District Court of New Hampshire on 8 December alleged that hackers gathered the credit and debit card data from more than 80,000 victims. A previous report by the Register said that four Romanian nationals remotely accessed point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers.
The men are alleged to have scanned the internet to identify point-of-sale terminals that used certain remote desktop software applications, and then gained unauthorised access to them by guessing or 'brute forcing' passwords.
However, the indictment claimed that the methods used by the attackers were hardly sophisticated, as the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them.
The software provided a ready-made back door for the hackers to gain entry to the point-of-sale systems; the applications used by these retailers clearly did not have two-factor authentication.
The Justice Department alleged that the hackers gained access to the remote desktop software by guessing or cracking the passwords they were configured with. Once they were in, the hackers deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems, such as credit card scans. They also installed the xp.exe Trojan onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware and prevent any security software updates.
The hackers are also alleged to have periodically rounded up the dumped transaction data and moved it to file transfer site sendspace.com, which said that it co-operated with the FBI in the investigation of the hack.
Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines, while the rest of the stolen data was sold in blocks to other criminals from the Sendspace server.
Subway corporate press relations manager Kevin Kane told Ars that "the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it".
He declined to discuss the measures taken as "we don't want to give away the blueprint" to other potential attackers, and said Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.