“Simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court...This prosecution is unprecedented.”
Those were the words of the federal prosecutors’ sentencing memo at the conclusion of the trial of one of the most prolific and notorious credit card data hackers of this century, Roman Seleznev.
The scope of Roman’s crimes is nothing short of staggering. Roman had made tens of millions of dollars for himself by defrauding more than 3,400 financial institutions of nearly $170 million, selling millions upon millions of credit card dumps on the black market to criminal groups.
The businesses that he hacked to steal those credit cards were forced to spend tens of thousands of dollars to fix their security. Many were also hit with fines of $5,000 to $30,000 for not complying with PCI standards for safeguarding credit card data. On top of that was the PR fallout. Customers left these businesses in droves when they learned that their credit card data had been unwittingly exposed, and at least one of those businesses had to declare bankruptcy.
How was Roman Seleznev able to inflict such extreme damage, and how does this affect how you should think about your Salesforce security?
How he did it: The story of Roman Seleznev
Roman Seleznev managed this unprecedented feat from his home country of Russia by exploiting easy opportunities to get into unsecured computer systems. Such opportunities can actually be quite easy to find. Why? Because many businesses simply don’t have the knowledge to take proper precautions.
Seleznev targeted lucrative and poorly-protected victims—businesses where credit cards were being swiped constantly. He found restaurants to be the perfect target.
Using a rented server in a Virginia data center and some freely available scanning software, Seleznev scoured the internet for restaurant point-of-sale systems running Windows that had their network port 3389 exposed. This is the port many businesses leave open to give their IT service providers easy access to their computers via Remote Desktop. Unfortunately, this also gave Roman easy access to the credit card systems of unsuspecting restaurants.
Then, Seleznev would remote in himself and try to log in. He figured that if these restaurants were lax about port access, they were probably also using simple passwords that would be easy to crack. And he was right. (It didn’t help that IT providers were, unbelievably, using the same password to access multiple clients’ computers, a real security no-no.)
So Seleznev ran dumb, brute-force attacks—using a password cheat sheet and guessing the password over and over until a match was found—to access these restaurants’ computers as if he were sitting right in front of them. If they were running credit card software, Roman would install malware to scrape their credit card data and send it back to Russia.
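The attack just described leaves a recognizable trace on the victim machine: a burst of failed Remote Desktop logons from one address, often followed by a success once a guess lands. The detector below is an added example, not code from the original article or from any party it describes; it reads a constructed, pipe-delimited export of Windows Security events (Event ID 4625 for failed logons, 4624 for successful ones, LogonType 10 for RemoteInteractive sessions are the real Windows values; the export format, the field order, the account names and the IP addresses are assumptions made for this example) and flags any source that produces a threshold number of failures inside a short window, noting whether a successful session followed.

```python
"""Detect password guessing against Remote Desktop in Windows Security events.

Added example (not part of the original article). It flags source addresses
that produce a burst of failed RemoteInteractive logons (Event ID 4625,
LogonType 10) inside a short window, and records whether a success
(Event ID 4624, LogonType 10) followed the burst. The log lines below are
constructed for illustration; the pipe-delimited layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624      # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10   # LogonType 10 = Remote Desktop (RemoteInteractive)

# Constructed export lines: timestamp|event_id|logon_type|account|source_ip
SAMPLE_LOG = """\
2024-03-01T02:14:03|4625|10|posadmin|203.0.113.7
2024-03-01T02:14:05|4625|10|posadmin|203.0.113.7
2024-03-01T02:14:08|4625|10|posadmin|203.0.113.7
2024-03-01T02:14:11|4625|10|posadmin|203.0.113.7
2024-03-01T02:14:14|4625|10|posadmin|203.0.113.7
2024-03-01T02:14:20|4624|10|posadmin|203.0.113.7
2024-03-01T09:30:00|4625|10|manager|192.0.2.10
2024-03-01T09:31:30|4624|10|manager|192.0.2.10
2024-03-01T11:00:00|4625|2|cashier|-
"""


def parse_events(text):
    """Turn the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "account": account,
            "source_ip": src,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: report} for every source whose RemoteInteractive
    failures reach `threshold` within `window`. The report lists the accounts
    tried and the time of the first successful logon after the burst, if any."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == REMOTE_INTERACTIVE:
            by_source[ev["source_ip"]].append(ev)

    findings = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window over the failures: the earliest run of `threshold`
        # failures that fits inside `window` is the burst we report.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j >= len(failures):
                break
            if failures[j]["time"] - failures[i]["time"] <= window:
                burst_end = failures[j]["time"]
                success = next(
                    (e for e in evs
                     if e["event_id"] == SUCCESS_LOGON and e["time"] >= burst_end),
                    None,
                )
                findings[src] = {
                    "failures": len(failures),
                    "accounts": sorted({e["account"] for e in failures}),
                    "first_failure": failures[i]["time"].isoformat(),
                    "success_after_burst": (
                        success["time"].isoformat() if success else None
                    ),
                }
                break
    return findings


if __name__ == "__main__":
    for src, report in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, report)
```

On the constructed sample the single-failure logon from 192.0.2.10 (a user mistyping a password once) is ignored, the console logon (LogonType 2) is out of scope, and 203.0.113.7 is reported with five failures in eleven seconds and a successful session six seconds later, which is the pattern a defender would want to alert on before looking for anything installed afterward.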
Seleznev moved quickly. Typically, the cards he stole were sold and used for fraudulent purchases within two days of being scraped from his victims.
In a short time, Seleznev was able to steal and sell millions of credit cards. He kept doing it because, well, it was as easy as stealing the proverbial candy from the proverbial baby. He was able to fund quite a lavish lifestyle with his exploits, including fancy homes, flashy cars, and luxury vacations around the world.
But Seleznev’s hacking escapades were not to last. He was leaving a trail—and that trail would eventually lead to his capture.
That trail got hot in 2010, when a Schlotzsky's Deli location in Idaho reported a credit card breach, and the Secret Service was brought in to investigate. They discovered that two point-of-sale registers at that location, running Microsoft Windows, had been infected with malware that was stealing data from swiped credit cards and sending it to a server in Russia. At first, it looked like the malware had been downloaded and installed manually by someone physically at the restaurant (it was later confirmed to be Roman installing it remotely).
Soon after, a call came in from the Boeing Employees Credit Union in Seattle, reporting a slew of fraudulent charges with a common purchase point: the Broadway Grill in Capitol Hill, Seattle. The Secret Service investigated and found that just as with Schlotzsky's, the Broadway Grill’s computers had been infected with credit card-stealing malware.
This malware would copy huge tranches of swiped credit card data to cleartext files and send them to the exact same server in Russia as the malware at Schlotzsky's. And just like before, the malware seemed to have been installed manually on-premise.
Around that same time, an Ohio man was arrested and his laptop seized. The Secret Service found a cache of stolen credit cards on it. Where had these cards been used before? You guessed it—that same Idaho Schlotzsky's deli location. A pattern was emerging.
The Ohio man had been communicating with a seller named “Track2” using ICQ chat software. Posing as a buyer, the Secret Service made contact with Track2 and learned that he used two websites to sell his stolen cards. Both sites were registered using Yahoo email accounts.
An investigation of these accounts revealed purchase transactions and a PayPal account, leading the Secret Service straight to Track2, a.k.a. Roman Seleznev.
It took some time, but U.S. investigators were able to catch up with Seleznev while he was vacationing in the Maldives and, thanks to a special agreement with that country, were able to extradite Roman to the U.S. for trial. His laptop had 1.7 million stolen credit cards on it when they arrested him.
Because of the vast scale of his crimes and his unwillingness to cooperate, Roman received an unprecedented 27 years of jail time for his cyber crimes.
What’s the lesson here for us? Had these restaurants employed simple best practices—using complex and unique passwords, not leaving their Remote Desktop port open, and making sure to be PCI compliant (meeting the standards required for accepting and storing credit card data)—then they would not have been Roman’s, or anyone’s, victim. But they made it easy to get hacked, attracting the attention of Roman.
That’s how a hacker thinks. Find the easy prey—the ones who don’t know better.
What Roman Seleznev can teach us about securing Salesforce
Hackers are constantly looking for easy ways to get into your software platforms. Let’s see what Roman’s story can teach us, and the actions you can take to stop hackers from getting access to your Salesforce platform.
Salesforce security is everyone’s responsibility.
No system or IT team can fully safeguard your organization against the accidental mistakes users commonly commit which can leave you exposed to hacking. That’s why you must build it into your culture that security is the responsibility of everyone in the organization, not just the IT folks. At the same time, IT professionals have to realize that they are also IS professionals—that is, Information Security professionals. They have an extra burden of care to protect the data of their clients.
When everyone in your organization has a security-first mindset, you’ll easily prevent the common vulnerabilities hackers will try to exploit to get into your Salesforce platform.
Aligning your Salesforce to your security strategy
Salesforce provides a secure platform out of the box, and Salesforce Shield goes a step further. Still, security is not a “set it and forget it” exercise. Human error, new software integrations, and custom code development without security in mind can open you up to vulnerabilities that go unnoticed until a breach happens. These are constant threats.
As Salesforce experts and custom developers themselves, Own has seen it all. You can take the free Guided Risk Assessment for Salesforce, which identifies risk and closes gaps to maintain alignment with your corporate security posture. As a company whose core function is to safeguard your Salesforce security, Own is relentless about uncovering and solving potential platform vulnerabilities that can occur in any organization.
The takeaway
To keep your Salesforce platform secure, start thinking like a hacker. Identify all the easy holes hackers can exploit, and plug them with the simple best practices outlined above. That alone can stop the Roman Seleznevs of the world.
But don’t stop there. No PaaS (Platform as a Service)—Salesforce included—is completely safe without diligent risk assessment and mitigation. Bad actors are watching all the time, waiting for us to get just a little too complacent, and then they strike. Don’t let them. Continuously reevaluate your configurations and ensure your Salesforce stays aligned to your security posture.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.