July 31, 2014

Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.

Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.

Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”

The unauthorized card activity witnessed by various financial institutions contacted by this author is tied to so-called “card-present” fraud, where the fraudsters are able to create counterfeit copies of stolen credit cards.

Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries (all breaches first reported on this blog).

According to the company’s Wikipedia page, there are more than 1,900 Jimmy John’s stores in at least 43 states. Nearly all Jimmy John’s locations (~98 percent) are franchisee-owned, meaning they are independently operated and may not depend on common information technology infrastructure.

However, multiple stores contacted by this author said they ran point-of-sale systems made by Signature Systems Inc. The company’s PDQ QSR point-of-sale product is apparently recommended as the standard payment solution for new Jimmy John’s franchise owners nationwide. Signature Systems did not immediately return calls for comment.

Reports of a possible card compromise at Jimmy John’s come amid news that the Delaware Restaurant Association is warning its members about a new remote-access breach that appears to have been the result of compromised point-of-sale software.

Update: An earlier version of this story incorrectly stated that Jimmy John’s was based in Charleston, Ill.; rather, it was founded there. The copy above has been corrected.


86 thoughts on “Sandwich Chain Jimmy John’s Investigating Breach Claims”

  1. Merchant

    I know a lot of bankers – from execs to risk management – read this blog. Come on guys, give us end to end encryption. Screw EMV, just do it right out of the gate. It’s not too late to right this wrong. Sure Citi is going to be ticked at you – with their costly early bird approach to EMV card replacements, but they’ll get over it.

    VISA, MasterCard ARE YOU LISTENING? If you aren’t, get ready to get disrupted.

    1. wtf

      Wtf are you talking about? …encryption does not prevent data breaches.

      1. Peter

        Indeed, and EMV actually does in most cases as there is no useful data to copy/store and hence breach.

        With EMV you’d actually have to place yourself as a MITM in the transaction. Sure crooks will find out how to do it, but a simple RAM-scraper won’t cut it.

        Many of the reported breaches of the last months would not have been possible with EMV. So be it far from perfect, it will help us.

        1. Merchant

          Dead wrong. The PAN is read in an EMV transaction. While most online transactions need the printed CVV, not all do. So a breach at a merchant who is accepting ALL cards with EMV (Not likely any time soon) will still produce the PAN for the bad guy with memory scraping malware. As well, since most US issuers and merchants won’t have EMV infrastructure fully in place (new cards, card readers, etc) for at least two more years, a lot longer for gas pumps, parking garages, and other niche installs, the entire country is going to accept a mag stripe read for a long time to come. So I can breach a merchant where you use your EMV card as EMV, get your PAN, and go encode it to a mag stripe card and use it anywhere. EMV solves nothing.

          1. Peter

            Without the code on the back and other relevant data you can only shop in obscure small webshops. Brick and mortar and the big shops like Amazon are off limits.

            Not perfect, but like I said it is a big help. Still surprised people deny this proven (outside US) fact …

            1. Merchant

              It’s not secure until the mag stripe infrastructure is gone in the US. As I said, that is still a long time coming. Estimated current cost to upgrade every gas pump in the US: $10 billion. That is more than the sum total of the US convenience store industry profits for the last two years combined.

              You are making it sound so nice, clean, and simple. It’s anything but.

              1. Eric

                I beg to differ. What will happen next year is that the liability will shift. Merchants who sell things that are popular with the criminals (i.e. BestBuy, Apple Store, etc), will ultimately be the first to upgrade to EMV readers – a failure to do so means that they would have to eat the costs of the fraud.

                Other merchants (auto repair, dentist, veterinarian, etc) are much less likely to be used by criminals. And online transactions essentially require the merchandise be shipped to an address, which complicates matters for the criminals.

                1. Kathy B

                  My local Apple store has upgraded to EMV readers with the mag stripe reader on the back. Much like what I saw when I was in Europe recently. The business services guy at Apple showed the device to me recently and stated they had only recently been upgraded due to the merchant liability shift. I’m assuming if they haven’t rolled out to all the Apple stores, they are in the process of doing so.

            2. km

              Yep, despite the US being about the only place left that does not use EMV, and **EVERY** major card breach now being from US POS systems, for some reason the US still wants to stick its head in the sand and deny what is going on.

              OK, so EMV is not an absolute perfect solution, but then NOTHING is, but it is a hell of a lot better than what is done now.

              I take it those that deny EMV don’t bother with doing silly pointless things like locking their house when they leave. After all, locks are not perfect and people can still get past them, so what’s the point of using them at all…

              Waiting for the one absolute perfect solution will never happen. But, refusing to move from the worst, crappiest systems in existence is just plain stupidity and nothing else.

              1. Merchant

                You’re missing my point – but you’re also kind of nailing it. If we’re going to spend billions upgrading the infrastructure why not do it right? Agreed – anything is better than what we have now – but why go with anything just because it’s better. Let’s finish it once and for all.

                Better yet – layer tokenization in the stack and now we have a secure solution for mobile/etc payments too. And we’re done.

                1. KM

                  Want to quote what ‘icknay’ has put in a comment further down the page, why EMV will help despite refusal to believe that from some folks.

                  —Start Quote—

                  It seems like EMV will get pretty close to what Merchant wants. There’s a secret within the chip that is used to create an encrypted token, and that’s what’s sent to the terminal. The secret never leaves the chip, so that part of the info is encrypted the whole way along, just as Merchant wants.

                  Unfortunately, EMV also sends unencrypted CC#, but crucially, not the CVV1 or CVV2, so the CC# sent is 99% useless for bad-guy purposes. This is why you don’t read any articles about millions of EMV cards being cloned. No matter how compromised the terminal is, the secret stays on the chip.

                  Here’s the funny bit: in a few years, when our infrastructure is fully non-magstripe (i.e. payment only works EMV/phone style, with a non-revealed secret), then the CC# is closer to 100% useless to the bad guy; it’s just functioning as an account number which doesn’t especially need to be kept secret. Then you have end-to-end encryption. Ugh, that’s going to take a few years. The bad guys crowding in to abuse the few remaining magstripe places should help speed up the conversion at the end.

                  —End Quote—

                  The bad guys already are crowding in to abuse the few remaining magstripe places, the problem is that place is quite big, it’s called the US…

                  Hiding behind the argument that moving to EMV will cost customers money is just rubbish. The rest of the world managed it, but somehow the US can’t? The refusal to move to EMV is costing customers money now, and that’s going to keep getting worse as time goes on – who do you think is ultimately paying the price for these repeated breaches?

                2. FARO

                  This chip thing got me interested so I looked it up on Wikipedia. Here is what they have to say.

                  In June 2012 the major credit card companies announced their EMV migration plans for the US. In spite of these announcements, doubts remain over the willingness of merchants to develop the capability to support EMV. Since the announcement, multiple banks and card issuers have announced cards with EMV chip-and-signature technology, including American Express, Bank of America, Citibank, Wells Fargo, JPMorgan Chase, U.S. Bank, and several credit unions. JPMorgan was the first major bank to introduce a card with EMV technology, namely its Palladium card, in mid-2012.

                  American Express implemented a liability shift for point of sale terminals in October, 2015. For pay at the pump, at gas stations, the liability shift is October, 2017. Discover implemented a liability shift on 1 October 2015. For pay at the pump at gas stations, the liability shift is 1 October 2017. Maestro implemented a liability shift of 19 April 2013, for international cards used in the United States. MasterCard is implementing a liability shift for point of sale terminals in October, 2015. For pay at the pump, at gas stations, the liability shift is October, 2017. For ATMs, the liability shift date is in October 2016. Visa is implementing a liability shift for point of sale terminals on 1 October 2015. For pay at the pump, at gas stations, the liability shift is 1 October 2017. For ATMs, the liability shift date is 1 October 2017. In May 2010, a press release from Gemalto (a global EMV card producer) indicated that United Nations Federal Credit Union in New York would become the first EMV card issuer in the US, offering an EMV Visa credit card to its customers.

      2. anon

        How does encryption not prevent this type of issue?
        It is certainly superior to EMV in certain aspects.

      3. Merchant

        Going to bite and respond to an obvious troll. End to end encryption – using a card reader injected with a key the merchant has zero knowledge of all the way through to the processor IS THE ANSWER. IT SOLVES EVERYTHING. An order of magnitude more secure than EMV AND REQUIRES THE SAME INVESTMENT ON THE PART OF THE MERCHANT, no more, no less. Simply install an encrypting card reader and you are done – same cost as installing an EMV card reader.

        Your debit card PIN number is presently encrypted and handled in exactly this same way, whether at the ATM, or at the store’s pinpad. I have never heard of a merchant data breach (other than physical pinpad attacks) where the POS has been compromised and the encrypted PIN blocks have been useful for fraud.

        That’s what’s so crazy about VISA/MC’s asinine decision to force EMV upon us when they could have just solved the entire problem almost overnight with industry standards based end to end encryption.
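The encrypting-reader design described in the comment above (a key injected into the reader, never held by the merchant's POS, decryption only at the processor) can be modelled in a few dozen lines. The Python below is an added illustration, not code from this page or from any payment vendor. It assumes an HMAC-SHA256 keystream as a stand-in for the AES/DUKPT encryption real P2PE readers use, a constructed Track 2 record built around the well-known 4111… test PAN, and a simple pattern match over the POS buffer standing in for what a card-data discovery scan of POS memory would find.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: a Track 2-style record around the 4111... test PAN
# (shape: ;PAN=YYMMSSS<discretionary>?). Not real card data.
SAMPLE_TRACK2 = b";4111111111111111=2512101123456789?"

# Pattern that matches Track 2 data in plaintext. A PCI card-data discovery
# scan over POS memory or disk looks for exactly this shape.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Assumption: stand-in for the
    AES-based, per-swipe-keyed (DUKPT) scheme a real encrypting reader uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(reader_key: bytes, track: bytes) -> bytes:
    """Runs inside the reader head: the swipe is encrypted before the bytes
    reach the POS PC. Output is nonce || ciphertext."""
    nonce = os.urandom(12)
    ks = keystream(reader_key, nonce, len(track))
    return nonce + bytes(a ^ b for a, b in zip(track, ks))


def processor_decrypt(reader_key: bytes, blob: bytes) -> bytes:
    """Runs at the processor, the only other holder of the injected key."""
    nonce, ciphertext = blob[:12], blob[12:]
    ks = keystream(reader_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def find_track_data(buffer: bytes) -> list:
    """What a scan of the POS process memory would recover as card data."""
    return [m.group(0) for m in TRACK2_RE.finditer(buffer)]


def run_checkout(p2pe_enabled: bool) -> dict:
    """Simulate one swipe with or without an encrypting reader and report
    (a) whether Track 2 data is recoverable from POS memory and
    (b) whether the processor still receives a usable record to authorise."""
    reader_key = os.urandom(32)        # injected at key-loading; never stored on the POS
    if p2pe_enabled:
        pos_memory = reader_encrypt(reader_key, SAMPLE_TRACK2)
        at_processor = processor_decrypt(reader_key, pos_memory)
    else:
        pos_memory = SAMPLE_TRACK2     # plain reader: the POS handles the clear track
        at_processor = pos_memory
    return {
        "track_in_pos_memory": bool(find_track_data(pos_memory)),
        "processor_can_authorise": bool(find_track_data(at_processor)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("P2PE" if mode else "plain reader", run_checkout(mode))
```

The two result dicts are the whole argument: with the plain reader the POS buffer contains a matchable track and so does anything that scrapes it, while with the encrypting reader only the processor ever sees a matchable track. The model deliberately says nothing about a skimmer placed in front of the read head, which sees the stripe before `reader_encrypt` runs and which encryption inside the reader cannot address.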

        1. Christoph

          And how exactly does an encrypted magstripe reader prevent a skimmer in front of the reader (and before encryption kicks in)?

          What we need to do is get rid of the old magstripe and render data unusable for fraud. Who cares if EMV data is in clear, as long as the data can’t be replayed because the transaction cryptograms are dynamic?

          1. Merchant

            I have no issue with EMV + encryption as you are correct, that negates the value in skimming. It’s EMV alone that I have issue with – spending billions to put in place a solution that is only halfway there.

          2. JCitizen

            If it is replay that needs to be stopped why not use MagnePrint? Everywhere we’ve tried to tear it down in forum discussions, it comes up looking golden. The only change to the POS reader besides your suggestions is a higher resolution on the magnetic rails. They are already selling these POS on the market, and have been doing so for several years now.

            No two swipes can be replayed because of the algorithm and the geometry of the magnetic strip nano-particles. Yet authentication is still guaranteed.

            Hey! If we’re going to have another system that fails – let it be a cheaper one – I guarantee you Cowchip-N-Pin will fall also for a lot more FAIL in costs! The North American Economy is several orders of magnitude larger than the EU – and that kind of fail is too big and too expensive! We can’t take another “Too big to fail” scheme!

          3. Bill

            It’s not an encrypted reader such as what is used on a POS. It’s a separate device. Think TransArmor. What people are asking for exists – but it’s not free.

        2. george

          Merchant,
          What makes you believe that once EMV is deployed in the US it cannot be upgraded to transmit the CC# encrypted to the payment processor?
          After all, an investment is now necessary, to provide capabilities to read the chip, but the exact implementation can be further improved in the future with firmware upgrades and without having to redo the investment in the readers. Yes there were a handful of cases when EMV was poorly implemented and Brian reported on them, but this is something that can be fixed. MagStripe is fundamentally broken, there is no way to fix it. With all respect to Jcitizen, that includes the MagnePrint. If it might seem more secure at the moment, I’m pretty sure it will be a nightmare on reliability.

        3. JohnD

          Sorry, @merchant, but E2E on current mag stripes solves very little. The problem with mag stripes is they are static devices that hold both your identity (PAN) and authorization (CVV) in one easy-to-copy package. A skimmer, a rogue terminal, a stolen wallet, anything that can copy the data produces a perfectly reusable instrument of theft. E2E protects against none of those common scenarios.

          E2E relies on the merchant’s device to keep the data secret. With 6 million merchants, there will always be holes, so there will always be thefts.

          Many PIN pads are as vulnerable to hacking as your registers. The reason they’re not as hacked now is that the registers are simply easier to hack. E2E would help kick the can down the road, but only for a little while.

          EMV does solve the problem completely (eventually). It moves the encryption process from the merchant’s device (6 million merchants can’t be right) to inside the chip (where the customer’s bank is now responsible for the security of their money.)

          EMV encrypts only the customer’s authorization, not their identity. But remember, it’s only the authorization code that lets money leave your bank account. Your identity alone won’t be enough, especially following the liability shift.

          I understand that EMV doesn’t encrypt PAN. It doesn’t have to. Once mag stripes are gone, (and the final phase of EMV is to eliminate mag stripes,) the PAN will become useless because it won’t include your authorization. That’s the critical step that will protect us from data thieves.

          1. jlindema

            @JohnD

            Re: “The problem with mag stripes is they are static devices…”

            Mag stripes don’t _have_ to be static. Check out the link later in my (recycled) post.

            –begin recycled post–
            “Chipped” cards will secure in-person transactions thoroughly, but they can’t help with card-not-present online transactions. Electronic cards that display and encode (on the mag-stripe) a one-time-use/one-merchant-use number… work to secure BOTH in-person and online transactions.

            Let’s address the “replay attack” or “static payment-card number” problem. EMV solutions work well for one transaction method, but ignore other real-world use cases & transaction methods.

            All U.S. payment cards suffer from an inherent problem- it’s known as the “replay attack”. Issuing banks should focus on technologies such as dynamically created or ‘changing’ card numbers that are only valid for one merchant at a time (however, that merchant CAN use the number multiple times -including processing returns!)

            Would merchants need to incur the costs of changing their Point-of-Sale (POS) systems significantly?
            Not necessarily.
            A company named Dynamics Inc. based in Pennsylvania has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card.
            This enables standard, existing POS card readers to work seamlessly with the newer [card] technology.
            See Dynamics Inc.’s webpage here: http://bit.ly/19fbXKb
            (last archived by archive.org on Oct. 1st, 2013).

            A card presenting a number on its mag-stripe that is only good for one transaction at a time cannot be [re-]sold by criminals. Whether or not card data is stored, scraped from, and/or encrypted end-to-end at the POS terminal is irrelevant if the data itself (the card number) changes with every transaction.

            Hold the Payment Card Industry (including issuing banks) responsible for not embracing (years ago) technology that could all but eliminate skimming/re-use fraud.

            1. JCitizen

              MagnePrint cannot be replayed, but I don’t know what solution they may have for encryption if any. Authentication can be done by one other method I know of that may not even need encryption, and it takes it completely away from electronic data surveillance. Perhaps it doesn’t need a mag stripe at all. That would be Pass-Window.

      4. somed0ood0

        Just another virtual currency nuts operating under the delusion that using *coin makes you immune to theft. He has come to tell you to “buy buttcoin now!” so you don’t get left behind! At least with a credit card you have some recourse to recover your money.

    2. John B.

      I am not sure you know what you are talking about. Also as a consumer I don’t want to see any money spent on this technology because the costs will be passed on to me, the consumer. I am not liable for any of the fraud so it doesn’t matter.

      1. Neej

        So you think the costs of new equipment (and development?) are passed on to you but the costs of fraud are not?

        Granted: whether either cost is actually passed on to you or eaten by the enterprise is not assured since the end cost to consumers is often divorced from the cost of providing whatever the consumer pays for speaking (read: as much profit is made as possible, consumers are sensitive to price increases and so on) but it seems rather odd to me to conclude that costs won’t be passed on for a particular activity and not another.

      2. Merchant

        Consumer – speaking on behalf of merchants nationwide, you as our customer – we have a duty to let you know – you are certainly already paying for far more than any equipment upgrades would cost by way of indirect costs of fraud being passed on to you.

        The banks (Chase, Citi, BofA, Wells, etc) and the cartel (VISA, MC, AMEX, DISCOVER) have done a poor job of informing you on just how much you are paying. We the merchants try – but the banks like to play games with interchange fees, etc and obfuscate those costs. It’s in their best interest for you to stay in the dark.

      3. Jeff

        ALL costs are eventually passed on to the consumer. It doesn’t matter where the costs occur — consumers pay it all.

    3. icknay

      It seems like EMV will get pretty close to what Merchant wants. There’s a secret within the chip that is used to create an encrypted token, and that’s what’s sent to the terminal. The secret never leaves the chip, so that part of the info is encrypted the whole way along, just as Merchant wants.

      Unfortunately, EMV also sends unencrypted CC#, but crucially, not the CVV1 or CVV2, so the CC# sent is 99% useless for bad-guy purposes. This is why you don’t read any articles about millions of EMV cards being cloned. No matter how compromised the terminal is, the secret stays on the chip.

      Here’s the funny bit: in a few years, when our infrastructure is fully non-magstripe (i.e. payment only works EMV/phone style, with a non-revealed secret), then the CC# is closer to 100% useless to the bad guy; it’s just functioning as an account number which doesn’t especially need to be kept secret. Then you have end-to-end encryption. Ugh, that’s going to take a few years. The bad guys crowding in to abuse the few remaining magstripe places should help speed up the conversion at the end.
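The point made in this comment and in JohnD's earlier reply (the chip holds a secret that never leaves it and produces a fresh token per transaction, so a captured PAN is not a reusable credential the way a captured stripe is) can be checked against a small issuer-side model. The Python below is an added example, not icknay's or JohnD's code and not any EMV reference implementation. It assumes HMAC-SHA256 truncated to 8 bytes as a stand-in for the EMV application cryptogram MAC, a constructed test PAN and CVV1, and a simplified issuer rule (the Application Transaction Counter must strictly increase; the terminal's unpredictable number is echoed to the issuer as part of the authorisation request).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class IssuerRecord:
    """Issuer-side view of one card (constructed sample, not real card data)."""
    pan: str
    cvv1: str           # static verification value encoded on the magstripe
    chip_key: bytes     # card-unique key shared only by the chip and the issuer
    last_atc: int = 0   # highest Application Transaction Counter accepted so far


def chip_cryptogram(chip_key: bytes, pan: str, amount: int, atc: int, unpredictable: bytes) -> bytes:
    """What the chip computes per transaction. Real EMV derives a session key and uses a
    3DES/AES-based MAC; HMAC-SHA256 truncated to 8 bytes is the stand-in here (assumption)."""
    msg = f"{pan}|{amount}|{atc}|".encode() + unpredictable
    return hmac.new(chip_key, msg, hashlib.sha256).digest()[:8]


def authorise_magstripe(issuer: IssuerRecord, pan: str, cvv1: str, amount: int) -> bool:
    """Magstripe rule: the static CVV1 on the track is the whole proof of possession.
    The amount plays no part in the check, which is exactly the weakness."""
    return pan == issuer.pan and hmac.compare_digest(cvv1, issuer.cvv1)


def authorise_chip(issuer: IssuerRecord, pan: str, amount: int, atc: int,
                   unpredictable: bytes, cryptogram: bytes) -> bool:
    """Issuer rule for a chip transaction: recompute the cryptogram with its own copy of
    the chip key, and reject any ATC that does not move forward."""
    if pan != issuer.pan or atc <= issuer.last_atc:
        return False
    expected = chip_cryptogram(issuer.chip_key, pan, amount, atc, unpredictable)
    if not hmac.compare_digest(expected, cryptogram):
        return False
    issuer.last_atc = atc
    return True


def simulate() -> dict:
    """Run the same 'seen at the terminal, then presented again' scenario against both schemes."""
    issuer = IssuerRecord(pan="4111111111111111", cvv1="123", chip_key=os.urandom(16))
    results = {}

    # Magstripe: everything the terminal saw is a complete, reusable credential.
    captured_track = ("4111111111111111", "123")
    results["stripe_first_use"] = authorise_magstripe(issuer, *captured_track, amount=2500)
    results["stripe_replay"] = authorise_magstripe(issuer, *captured_track, amount=99900)

    # Chip: the terminal sees PAN, ATC, its own unpredictable number and the cryptogram,
    # but never the chip key.
    atc, un = 1, os.urandom(4)
    crypt = chip_cryptogram(issuer.chip_key, issuer.pan, 2500, atc, un)
    captured = dict(pan=issuer.pan, amount=2500, atc=atc, unpredictable=un, cryptogram=crypt)
    results["chip_first_use"] = authorise_chip(issuer, **captured)
    results["chip_replay"] = authorise_chip(issuer, **captured)        # same ATC: rejected
    altered = dict(captured, amount=99900, atc=atc + 1)                # fresh ATC, stale MAC
    results["chip_altered_amount"] = authorise_chip(issuer, **altered)

    # The genuine chip's next transaction still goes through.
    atc2, un2 = 2, os.urandom(4)
    crypt2 = chip_cryptogram(issuer.chip_key, issuer.pan, 1200, atc2, un2)
    results["chip_next_genuine"] = authorise_chip(issuer, issuer.pan, 1200, atc2, un2, crypt2)
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:20s} {'authorised' if ok else 'declined'}")
```

Two things to notice in the output: the PAN is visible in clear in every chip transaction and it still buys nothing, because `authorise_chip` has no path that accepts it without a cryptogram that only `chip_key` can produce; and the ATC check is what turns a captured cryptogram into a one-time value. The model also shows what the design leans on: the issuer trusts that the terminal's unpredictable number really was unpredictable, and the Cambridge work linked further down the thread is about what happens when that assumption fails.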

      1. JCitizen

        Cowchip – N- Pen – another big EXPENSIVE FAIL!!

        February 2008
        http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf
        February 2010
        http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
        ” ”
        http://news.bbc.co.uk/2/hi/science/nature/8511710.stm
        September 2012
        http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

        Video summary of above report
        http://www.bbc.co.uk/news/technology-19559124

        (Source http://nc3.mobi/references/emv/) Posted by Jonathan E. Jaffe

        Also Cow-chip-n-pen

        http://www.theregister.co.uk/2014/05/19/chip_and_skim/

        1. icknay

          You can think of that attack as sort of “transaction tampering”. The bad guy gets enough information out of the card to make one forged transaction. It’s a real issue, and it’s great that the Cambridge lab is relentless in finding these things (as are the bad guys!).

          But it does not clone the card, and it does not work in bulk. Basically, the bad guys do the up front tampering with the terminal, and then it works for, say, 24 hours, until the bank notices that 50% of the transactions from that terminal are bad. I suspect the cost/benefit just doesn’t work out for the bad guys. Witness that you have not read on Krebs articles about millions of EMV cards being abused by this attack, and that research is from 2012.

          EMV has some corner-case flaws like this, but it’s drastically more secure than magstripe.

          1. JCitizen

            If cloning is the concern, I can think of lot cheaper ways to do it, like MagnePrint. If authentication is a concern, I should think PassWindow would solve that nicely. I’m not even sure PassWindow would have to be encrypted because of the way it works. The information is just not available to the bad guy physically or electronically, because he cannot see the whole picture in the process. Camera shots would only work for the immediate transaction, and that would be more difficult than shots of entering a PIN, for instance.

  2. IA Eng

    I am Sooooo surprised that these devices don’t have a whitelist, or the PoS systems aren’t booted by a DVD daily.

    What about a weekly, biweekly automated reimaging of the devices during the evening hours?

    For the servers, a hard-lined whitelist to the corporate servers, and a few others for patching the server and that’s it. Don’t utilize the same passwords on every segment of the network, you’re asking for trouble if you do so.

    I haven’t been to this establishment, but know people who have been. I will inform them of this story.

  3. Jason

    Jimmy John’s was founded in Charleston, IL but is now headquartered in Champaign, IL.

  4. E.M.H.

    Yay… just had them deliver my lunch. :-/

    Oh well… time to monitor my account even more closely than normal. Heck, that level IS the new normal now.

  5. JJ'sRules

    “Don’t Worry. Don’t Hurry. And Don’t Forget to Stop & Replace Your Debit Card”

    “Breached So Fast You’ll Freak”

    “No Shirt, No Shoes, No Card, No Worries, We’ve Already Got It”

    “Freaky Fast Account Takeover”

  6. wtf

    Why did you hide a link to Gary Slivka’s resume in the article?
    The words apparently and recommended go to different URLs.

    1. ThursdaysGeek

      Yeah, that’s weird. Did your site get hacked or is that just the result of some sort of strange typo?

      1. BrianKrebs Post author

        What are you guys smoking? Did you happen to read the item that’s linked to? It’s there for a reason, not because the site got hacked.

        To wit:

        “Signature Systems Inc. is a Point of Sales solutions company. They provide custom software and systems for pizzeria’s and Jimmy Johns Sandwich shops nationwide.”

        1. James Beatty

          The words “apparently” and “recommended” are two separate embedded links. Brian, I’m guessing you didn’t intend that… one’s a resume, the other is the .pdf file containing info about Signature Systems’ typical JJ setup.

          1. BrianKrebs Post author

            Why would you guess that? They both show a pretty strong relationship between JJ’s and Signature.

            What’s more, when I called Signature’s tech support line and asked to speak with the management, they asked whether I wanted to speak with Jimmy Johns or Signature.

            The point is, there is a strong relationship between these two companies.

              1. FARO

                I have not the slightest clue of these link commonalities.

                Geek, Excuse my ignorance but what is the similarity with http://www.jobing.com/free-resume-builder that one goes to on the “apparently” link and Signature and JJ?

                You know…”Merchant” really has a point. Why on earth are merchants being held responsible for upgrading to Chip and Pin mandated upgrades?

  7. Rick

    Did you mean to link Gary Slivka at Signature under the “apparently” link in the article? Seems odd.

  8. CMJ

    Peter and WTF,

    Thanks for the push on EMV. While you are correct that EMV will reduce fraud from card duplication and the use in card present environments, it will not solve the problem for data theft. EMV data is still passed in the clear, meaning your sensitive card data is still accessible to malicious malware. Studies do show that card not present environments (eCommerce) do increase with fraud when EMV is implemented.

    P2PE does help eliminate data theft because the malicious software does not have access to the CC data. Again, this only solves half the problem.

    Unfortunately, we are looking to adopt 20 year old technology that does not meet the demands of how consumers and merchants expect to accept payments.

    Simply put, EMV or P2PE alone will not solve this problem.

  9. Neej

    Anyone ever thought about going back to cash where possible?

    Although you lose the convenience of using a card you gain added security of not creating an attack surface with electronic payment along with the psychological pain of loss that comes with being closer so to speak to the transaction. By this I simply mean you experience handing over your hard earned money and are therefore prone to spending less.

    And if you’re reading this thinking well that’s pretty irrational, welcome to being a human being: we do not behave rationally in many situations. Retailers love electronic payments partly because people as a group spend more when the loss is not experienced directly as cash leaving our wallets.

    1. Merchant

      I get where you are coming from, it’s tempting to think of taking the nuclear approach as a consumer and just bypassing the whole problem.

      Problem is it’s becoming a cardless world. You can’t pay for a drink on an airplane with cash, rent a car with cash, etc period. If you’re an active person, especially a traveler you are going to be constantly frustrated by your decision to go cardless. Paying for a hotel room with cash is ridiculously difficult. The list goes on.

      As well, so long as the cartel (VISA, MC, AmEx, Discover) keep looting the merchants with insanely high interchange (processing) fees that have little basis in their cost of doing business, you might as well use a good rewards credit card for your everyday purchases and take some of the money back.

    2. RobertM

      Yes, that is exactly what I’ve done. Cash where possible until the CC industry starts using EMV+encryption. And yes, I tend to spend less. I only use my card(s)(always have a backup) to pay for Amazon and groceries (where I get cash back).

      1. Sasparilla

        Doing this as well.

        Makes it much easier to look for “unusual” charges in the credit card record for the month as well.

        The fact less is going to the Visa/Mastercard cartel is an added bonus. JMHO…

    3. rw

      Certainly. I almost never pay for anything with plastic cards anymore. Cash for everything face-to-face. Electronic payments only for occasional online purchases.

      Apparently it’s easier to use cash face-to-face in some countries than in the US?

    4. Try Cash Only

      Yes, best to only use CASH in brick & mortar stores, shops, restaurants, etc. and only use plastic at a few trusted online stores and online bill paying. That doesn’t avoid all threats, but there are too many insecure places out there in real life physical places where it is best to only trust in cash-only transactions.

      Oh, just got a new visa card where my current visa is due to expire in a month. Perhaps not surprising, the visa card has a new number because apparently Brian’s wonderful site here would indicate my old visa card number was most likely scooped up with other card numbers etc. during at least one (if not more) of the many criminal heists that have happened in the last year or so. But fortunately my bank has apparently stopped bad things from happening. Now, have a virgin visa card number that hopefully won’t be raped in any of the yet to be reported credit card heists.

  10. TheOreganoRouter.onion.it

    The website “Bankinforsecurity.com” reported today that a bunch of restaurants in Delaware had their P.O.S. devices infected with malware which may have leaked credit card information.

    Is this related?

    1. Mike

      That should be “bank info security.com” not “bank infor security.com” which is something else entirely.

  11. TheTruthWithEMV

    It is sad; just use any of the E2E hardware devices that almost every major credit card processor provides and this, as well as every other breach in the last year, would have been prevented.

    Sure, use EMV too, it will help protect credit cards from being recreated and prevent the shift of liability for charge backs to the Merchants.

    But let’s be very clear, EMV would not have prevented this situation nor prevented the Target breach.

    E2E > EMV

  12. JimH

    Just as an FYI.. from the SSI FAQ page :: http://www.pdqqsr.com/faq.html

    Q: Can my employees surf the Internet on all my PC’s?
    A: No, this function is locked out in order to prevent the introduction of spyware and viruses on your POS.

    Q: Can my employees play games and load other software on my PC?
    A: No, this function is locked out as well.

    Would also be interesting (to me anyway) to know what OS was being run at the time.

    Brian.. once again sir, great job.

    onward..

    1. TJ

      Not sure if this is still the case, but in Gary Slivka’s resume — linked in the article — it states the following:

      “- Systems include touch screen terminals loaded with Windows XP for point of sales embedded (wepos), POS 1U server- wepos server 2009, SQL configuration, network install and configuration, router security configuration and DSL bridging.”

  13. Paul Jacobsen

    Long story.

    My daughter has been in a perpetual phone/email exchange with PayPal trying to get her account cleared for a transfer. They locked her account claiming that someone from “out of the country” had logged into her account. They’re refusing any transfers from that account. She has spent 2 weeks trying to get this cleared up. She has a MacBook Pro running 10.9.4, Sophos AV, and all the security settings I can figure out (firewall, clearing her cache, cookies, etc.). They claim that her machine has a virus. I ran the full Sophos scan with no hits (everything is up to date). Today, she sat down with me and we reset her PayPal account with them on the phone on MY MacBook Pro (Sophos scan also done, everything is up to date), reset her password, successfully logged into her account, transferred money into her new account (no foreign attempt to get into that account) after several tries, and finally were successful with them on the phone. Three hours later, they reversed all of the transfers and told her AGAIN that someone out-of-the-country successfully accessed her account with the new password that we just created on MY machine. I realize that this is all possible with a man-in-the-middle or evil twin attempt on Wi-Fi, or a key logger on MY machine (not sure if there’s a Mavericks tool), but we’re in the middle of Eastern Oregon on vacation. I’m not sure that anyone would have a reason to use those types of tools to intercept her credentials for the limited amount of money in the account. Has PayPal been hacked?

    Just sayin

    1. Sasparilla

      They (PayPal) along with Amazon are the Mt. Olympus of targets, so I suppose it could be a possibility.

      I’d stay away from storing cash in PayPal though; too many stories of money being held at PayPal’s discretion as they are not a bank.

    2. PC Cobbler

      Run a scan using another vendor’s anti-virus. Bitdefender and F-Secure have good ones, with those companies being highly rated by AV-Test. And download the free Malwarebytes scanner and run that.

      Use a Live-CD for banking transactions; Puppy Linux and Porteus are good lightweight ones. If you make your first (preferably only) transaction during that session your banking one, Live-CDs cannot be beat.

      I dumped PayPal after they held my money for the umpteenth time even when it was their fault.

      1. Bruce Hobbs

        The more unnecessary anti-virus software you install on your Mac, the more likely you are to become infected. Apple actively destroys all viruses on the Mac. You can become infected if you download and install software you think is good but in fact is not.

        1. Bruce Hobbs

          I can recommend installing Rapport Trusteer (now owned by IBM) from your favorite bank or possibly even PayPal. This software encrypts all of your keystrokes from the keyboard through the web site to the server, making a key logger useless (as the key logger will only see the encrypted data).

          I can’t tell if PayPal has installed the server components for this or not.

  14. Brian L

    Privacy Atlas has approximately 850 Jimmy John’s stores rated as non-compliant with the PCI Data Security Standards as well as Data Privacy Standards. Little consolation now that the horse is out of the barn. Of the 15 POS vendors we have analyzed, those most commonly used by the hotel and food service industry, all appear to be non-compliant out of the box or during implementation. We have identified 4 systems that store CC data in clear text allowing the restaurant operator to recall the consumer’s info (clear text) for repeat billing. In the franchised hotel space we estimate that 82% of the POS systems are run by or sit on top of Windows XP OS that have not been patched in over 18 months on average. 99% of the companies we identify as non-compliant do not have a basic security training and awareness program in place for employees. Trust your merchant but Verify their compliance first! To date Privacy Atlas reports compliance standings of over 85,000 merchants.

    1. JimH

      @BrianL .. thx for the info .. kinda figured that was a possible situation (the XP thing).. and during my “quickie” research also found that many POS’ using a Windows-based system have the software programmed to use Visual Basic..
      With the possibility existing that multiple systems haven’t been patched/updated/upgraded, it presents the idea there’s a VERY good chance this will continue for quite a while..

  15. Sergey

    @Merchant – “Come on guys, give us end to end encryption” –
    It is not that they (banks, Visa/MasterCard, etc.) don’t want more and reliable security; they simply can’t allow themselves to depend too much on this. Encryption will stop the loss of data, as the recent eBay case proved, but this can make you a slave of encryption and related personnel. Nobody can allow this to happen in his/her financial institution.

  16. jim

    I think I’m starting to smell some of the mice colluding with the rats. Anyone see Techdirt this morn? Some French security firm withholding info for three years on IE, and the stuff that won’t run on XP. So why would they have opened that can of worms?

  17. Eric

    I am sure the investigation will be done “freaky fast”.

  18. steve

    Or…..or…….you could prevent the memory scraper from installing in the FIRST PLACE by using a deny-all policy from something like Bit9… If it’s not approved, it does NOT install, PERIOD! This would have saved Target’s @ss… too late now.

  19. Brian L

    We can talk about EMV and we can talk about P2PE and we can talk about controls and best practices….BUT…..our practice deals almost exclusively in the franchise space. Franchisees will not budge or spend on security; in fact they don’t even have the capabilities to service what little technology they have. They have not been forced to become compliant and chances are won’t be in the near future. The Franchisor has distanced themselves from the individually owned and operated franchise despite direct connectivity into core corporate systems.

    The reality is payment acquirers are the fox guarding the hen house. They want their clients to operate securely BUT they can’t push too hard because the merchant will switch processors.

    A recent article in Consumer Reports highlights the Franchisee / Franchisor conflict using Super 8 hotels (all franchise brands) and the Franchisor Wyndham to bring this issue to light.

    Until there is enforcement there will be data leakage.

  20. JJ

    Noooo!!! Is nothing sacred anymore! Don’t take away the Gargantuan – I don’t know what lunch will be like if I can’t indulge in such fashion. Just end it now, put the gun to my head and pull the trigger.

  21. TC

    Brian, great job as always!

    Everyone knows we will see a lot more of these compromises before EMV (Oct 2015).

    Latest Federal Law Enforcement warning …
    “Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMeIn Join.me…”

    CSO article:
    “In the past month, we have seen nearly 600 businesses, mainly in the retail industry, infected by the Backoff malware”
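    As an added defender-side example (not from TC’s comment or the warning it quotes), the script below flags remote desktop logon brute-forcing followed by a success in Windows Security event records. The event IDs 4625/4624 and logon type 10 are real Windows values; the record layout, addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log fields:
# timestamp, EventID (4625 = failed logon, 4624 = successful logon),
# LogonType (10 = RemoteInteractive, i.e. RDP), source IP, account name.
SAMPLE_EVENTS = """\
2014-07-30T02:14:05Z,4625,10,203.0.113.7,administrator
2014-07-30T02:14:06Z,4625,10,203.0.113.7,pos
2014-07-30T02:14:08Z,4625,10,203.0.113.7,manager
2014-07-30T02:14:09Z,4625,10,203.0.113.7,admin
2014-07-30T02:14:11Z,4625,10,203.0.113.7,pdq
2014-07-30T02:14:12Z,4624,10,203.0.113.7,pdq
2014-07-30T09:01:00Z,4625,10,198.51.100.4,manager
2014-07-30T09:01:20Z,4624,10,198.51.100.4,manager
""".splitlines()


def parse_event(line):
    """Split one constructed record into (timestamp, event_id, logon_type, ip, user)."""
    ts, eid, ltype, ip, user = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), int(ltype), ip, user


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: verdict} for RDP sources with >= threshold failures
    inside the sliding window; a success while still inside that window
    upgrades the verdict, since that is the case worth paging someone for."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed RDP logons
    alerts = {}
    for ts, eid, ltype, ip, user in map(parse_event, lines):
        if ltype != 10:           # only RemoteInteractive (RDP) logons matter here
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if eid == 4625:
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.setdefault(ip, "brute-force")
        elif eid == 4624 and len(recent) >= threshold:
            alerts[ip] = f"brute-force followed by success as {user}"
    return alerts


if __name__ == "__main__":
    for ip, verdict in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {verdict}")
```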

  22. jim

    Okay, so the mice are helping the rats. The French firm didn’t say about VPN, but the products above listed all rely on VPN. Interestingly, some of the p2p are VPN, server owned? Now where?

  23. Teri

    Don’t know if this has anything to do with Jimmy John’s, but my bank had no record – as of this morning – that our checking account ever existed, except to look at our savings account and see that we transferred money from a checking acct into savings yesterday. I did use my debit card on Jimmy John’s website several times in the last few months – last time July 21. My BillGuard app alerted me about the JJ data breach this morning – I’ve heard nothing from JJ’s about a breach, no emails, nothing. The two may not be related, though, unless a breach is now reaching into financial institutions and able to delete their records?? Our savings account wasn’t touched. If someone used the data to make a fake card, and our accounts are tied together in case of an overdraft, seems like it would also clean out our savings. But as of today, our checking account had “disappeared” from our bank – not account-closed or anything. “We’ve never seen this before.” Since it’s Sunday, there’s not much they can investigate today. I’m going first thing in the morning and taking my savings out of the bank in case some kind of bank breach makes it “disappear,” too. This all makes no sense, but it’s scary.

  24. joanne

    I have a $49.95 charge pending from 888-364-8394.com on 8/3/14, similar to eetsac.com charges earlier for $9.84. My credit card company deleted the contested $9.84 charge and issued me a new card. Now I have to wait 5 days until the charge is posted to contest it and ask for a new card. So beware and check your credit card for $49.95 charges from this site.

    1. sharon

      I just found a $64.95 charge on my card for 7/23, the very same day as a Jimmy John’s purchase. Guess I’ll be calling the bank in the morning.

  25. Kevin Detro

    I have seen PDQ POS in action at Jimmy John’s and task managed out of the software to see what OS it runs on, and can attest they use Windows XP as their base operating system. I called around to other stores and found they all use the exact same system and have for quite a few years.

    In essence, every point of sale machine Signature Systems sells to Jimmy John’s franchises runs an unsupported operating system, which is a HUGE security breach. Total stores with PDQ POS is around 2000 stores with 6 to 10 machines in each location, every one of them running XP, and every one of them a security breach of the Payment Card Industry Digital Security Standards (PCI-DSS) section that states that if any part of a system or subsystem of the point-of-sale becomes unsupported by its original creator (which for XP was April 8, 2014), then it needs to be upgraded to a newer supported version or supported by a 3rd party.

    Furthermore, I found the article is only partially correct in that the system is not only suggested by Jimmy John’s corporate office for all new franchisees, but mandated. Imagine being told that you have to pay $30k for a POS and find it isn’t even compliant with the most basic of security standards, and is a giant lawsuit waiting to happen when breaches occur?

    1. JCitizen

      Are you sure that isn’t XP Embedded? That will still be supported for another year, I believe. Not that it makes a difference, what with XP not really being a secure operating system in the 1st place, but embedded devices can sometimes be made or configured as read only.

      1. Kevin Detro

        Not sure if it was embedded XP. I still have access to the systems in one of the stores so I can find out and I will update then. Either way I was able to kill the software, cruise the unfettered internet, and install programs without so much as a password. I can hardly believe this is PCI-DSS compliant in any way, shape, or form.

  26. Dave D

    Here is the continued hypocrisy of PCI Compliance and the complete and utter failure of enforcement. Here is the compliance information on Signature Systems, creators of PDQPOS, which is used by a vast majority of restaurants including Jimmy John’s. Validated against the PA-DSS 1.2 and expired in 2013, there is no reason these chains should have been allowed to use this system by their acquiring banks.

    Version #: 2.0.0.0
    App Type: POS Face-to-Face/POI
    Target Market: Quick service sub shop
    Reference #: 11-08.00296.001
    Tested Platforms/Operating Systems: Windows XP, Windows Server 2003, Windows Server 2008
    Service Pack/Build/Version: Windows XP SP3, WEPOS SP3, POS Ready 2009 SP3, Windows Server 2003 SP2, Windows Server 2008 SP2
    Validated According To: PA-DSS (PA-DSS v1.2)
    Acceptable only for Pre-Existing Deployments

    SOURCE IS PCI SECURITY COUNCIL SITE
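    As an added example (not code from either commenter or from the PCI SSC), the script below turns the two checks raised by Kevin Detro (POS running an OS its vendor no longer supports) and Dave D (application validated only against an expired PA-DSS version, acceptable only for pre-existing deployments) into an assessment of a single POS deployment. The end-of-support dates are Microsoft’s published ones; the listing’s exact 2013 expiry date is not on the page, so 2013-12-31 is an assumed placeholder.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates for the builds named in the PA-DSS listing
# (Microsoft's published dates; the XP date is the one Kevin Detro cites).
OS_END_OF_SUPPORT = {
    "Windows XP SP3": date(2014, 4, 8),
    "WEPOS SP3": date(2016, 4, 12),
    "POS Ready 2009 SP3": date(2019, 4, 9),
    "Windows Server 2003 SP2": date(2015, 7, 14),
    "Windows Server 2008 SP2": date(2020, 1, 14),
}


@dataclass(frozen=True)
class PaDssListing:
    app: str
    version: str
    pa_dss_version: str
    acceptability: str      # wording as printed on the PCI SSC listing
    expired_on: date        # date the validation expired
    tested_builds: tuple    # the listing's Service Pack/Build/Version entries


# The PDQ POS entry from the comment above; exact expiry date is an assumed placeholder.
PDQ_POS = PaDssListing(
    "PDQ POS", "2.0.0.0", "PA-DSS v1.2",
    "Acceptable only for Pre-Existing Deployments", date(2013, 12, 31),
    tuple(OS_END_OF_SUPPORT),
)


def check_deployment(listing, os_build, deployed_on, assessed_on):
    """Return findings for one POS deployment (ISO dates); an empty list means no issue."""
    deployed, assessed = date.fromisoformat(deployed_on), date.fromisoformat(assessed_on)
    findings = []
    if os_build not in listing.tested_builds:
        findings.append(f"{os_build} is not a tested platform for "
                        f"{listing.app} {listing.version}")
    eos = OS_END_OF_SUPPORT.get(os_build)
    if eos is not None and assessed > eos:
        findings.append(f"{os_build} unsupported by its vendor since {eos}; "
                        "PCI DSS requires a vendor- or third-party-supported component")
    if "Pre-Existing" in listing.acceptability and deployed > listing.expired_on:
        findings.append(f"{listing.app} validated only against {listing.pa_dss_version} "
                        f"(expired {listing.expired_on}); not acceptable for a "
                        f"deployment dated {deployed}")
    return findings
```

A store that installed PDQ POS on Windows XP SP3 in mid-2014 gets two findings; a store that installed it on POSReady 2009 in 2012 gets none until that OS in turn goes out of support.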

  27. Lindsay

    Brian,

    One of my Visa-CAMs from yesterday seems to have a lot of sandwich eaters on there… Am I right or is my mind simply clouded by cravings for a J.J. BLT?
