Hackers never look this cool.

Romanians Iulian Dolan and Cezar Iulian Butu have confessed in the U.S. District Court in New Hampshire to multiple counts related to credit card fraud via hacking.

Under the leadership of another Romanian, Adrian-Tiberiu Opera, the men trawled the Internet for vulnerable point-of-sale programs, which apparently included applications linked to credit card payments at 150 Subway restaurants. The scam lasted two years and vacuumed up more than $10 million in profits. Citing court documents, Ars Technica reports on how the hacks worked:

Dolan admitted he helped alleged ring leader Adrian-Tiberiu Opera scan the Internet for point-of-sale systems. "These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary," Monday's plea agreement, which was signed by the defendant, stated. "Next, once he cracked the password and gained administrative access, Dolan remotely installed software programs called 'keystroke loggers' (or 'sniffers') onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data."

The hackers didn't confine their efforts to Subway. Mr. Dolan admitted he wormed his way into "several hundred" American payment systems, downloading financial information for 6,000 people. He has received a seven-year prison sentence for his trouble. His countryman Mr. Butu will spend nearly two years in prison.

Adrian-Tiberiu Opera is awaiting trial.

And from now on we are paying cash at Subways.

He will crack you. (Image by Devdsp on Flickr)

We don't want to scare anyone, but Dan Goodin's Ars Technica article published late Monday illustrates at length why everyone who uses the Internet for anything at all should consider changing their passwords. Actions that once required supercomputing can be done from desktops now and when it comes to security, that's spooky stuff:

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

The warning notes only sound more ominous as Mr. Goodin uses high profile hacks from the last few years to illustrate just how far the dark art of breaking into your online life has come.

For example, the epic hack of 32 million passwords from RockYou.com in 2009 was a watershed moment in cracking. Thanks to a SQL injection attack that allowed hackers to publish them online, Mr. Goodin writes that "almost overnight, the unprecedented corpus of real-world credentials changed the way whitehat and blackhat hackers alike cracked passwords."

The RockYou attack basically made old dictionary-style password cracking, in which cracking programs rotate through giant lists of words in attempt to establish a key, obsolete. Using patterns culled from RockYou and other sources as well as profiling possible password selection, crackers have made huge leaps in breaking both weak encryption and in taking advantage of Internet users' lazy thinking.

Per Thorsheim, one of the security experts consulted by Goodin, says a basic, long-standing piece of advice about protecting passcodes remains golden: use a new password for every site.

Crackers can probably break anything involving your childhood pet, street address and grandma's birthday, but at least the damage might be contained to one site if they do. Which is fine, unless we're talking about your bank account.