December 30, 2014

Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation.

Photo: Robert Du Bois

KrebsOnSecurity first began hearing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but the reports were spotty at best. Then, just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014.

One financial institution that received that alert said it had nearly 9,000 customer cards listed in the alert, and that the only common point of purchase was Chick-fil-A locations.

“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the banking source said, speaking on condition of anonymity.

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

Reached for comment about the findings, Chick-fil-A issued the following statement:

“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants. We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”

“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”

My suspicion is that — if confirmed — this breach will be found to have impacted only a subset of Chick-fil-A’s 1,850 locations in 41 states and the District of Columbia. In that respect, it would be much like the breaches first reported in this blog earlier this year at other fast food chains — Dairy Queen and Jimmy John’s. In both of those breaches, the stores impacted were franchises that outsourced the management of their point-of-sale systems to specific third-party companies.

In September, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.

In all of these incidents, the intruders managed to install malicious software on point-of-sale systems at the affected merchants. Point-of-sale malware, like the malware that hit C&K as well as Target, Home Depot, Neiman Marcus and other retailers this past year, is designed to steal the data encoded onto the magnetic stripe on the backs of debit and credit cards. This data can be used to create counterfeit cards, which are then typically used to purchase physical goods at big-box retailers.
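As an added illustration of the defensive side of that point (my own example, not code from KrebsOnSecurity or from any vendor or retailer named here), the Go program below is a small cardholder-data discovery scanner: it looks for Track 2 strings and bare card numbers in text such as application logs or a strings dump of POS process memory, validates each candidate with the Luhn check so order IDs and timestamps are not reported, and prints only masked values. The log lines are constructed for the example and the card numbers are the standard industry test numbers; a production scanner would add Track 1 patterns and BIN-range checks.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected cardholder-data hit in the scanned text.
type Finding struct {
	Line   int    // 1-based line number within the scanned text
	Kind   string // "track2" (magstripe Track 2 layout) or "pan" (bare card number)
	Masked string // first six and last four digits kept, the rest masked
}

// luhnValid reports whether a 13-19 digit string passes the Luhn mod-10 check
// that every real card number (PAN) satisfies; it filters out order IDs,
// timestamps and other digit runs that merely look like a PAN.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps the BIN (first six) and last four digits, the most PCI DSS
// allows to be displayed, and replaces everything in between.
func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

var (
	// Track 2 as encoded on the stripe: ;PAN=YYMM<service code><discretionary data>?
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})\d*\?`)
	// A bare 13-19 digit run, optionally grouped with spaces or dashes.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// Strips grouping separators before the Luhn check.
	separators = strings.NewReplacer(" ", "", "-", "")
)

// ScanText scans text (log lines, a file, a strings dump) line by line for
// Track 2 data and bare PANs, keeping only candidates that pass Luhn.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		seen := map[string]bool{} // do not report the PAN inside a Track 2 hit twice
		for _, m := range track2Re.FindAllStringSubmatch(line, -1) {
			if luhnValid(m[1]) {
				out = append(out, Finding{i + 1, "track2", mask(m[1])})
				seen[m[1]] = true
			}
		}
		for _, m := range panRe.FindAllString(line, -1) {
			digits := separators.Replace(m)
			if !seen[digits] && luhnValid(digits) {
				out = append(out, Finding{i + 1, "pan", mask(digits)})
				seen[digits] = true
			}
		}
	}
	return out
}

// sampleText is constructed for this example. Lines 1 and 2 contain the
// industry test numbers 4111111111111111 and 5555555555554444; line 3 holds a
// 16-digit order ID that fails Luhn and must not be reported.
const sampleText = `2014-12-30 10:15:01 pos01 debug: swipe read ;4111111111111111=2512101123?
2014-12-30 10:15:02 pos01 info: auth approved for 5555 5555 5555 4444 amount=12.49
2014-12-30 10:15:03 pos01 info: order id 1234567890123456 ticket printed
2014-12-30 10:15:04 pos01 info: last4=1111 approved code=123456`

func main() {
	for _, f := range ScanText(sampleText) {
		fmt.Printf("line %d: %-6s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

Run it over anything a POS process writes to disk or holds in memory: a hit in a debug log or a memory dump means clear-text track data is present exactly where a memory-scraping malware family would read it, which is the condition the controls discussed later in this thread (encrypting PIN pads, segmentation) are meant to remove.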

Point-of-sale compromises have come to define 2014. Earlier this year, the U.S. Secret Service issued an advisory that a point-of-sale malware strain known as “Backoff” had struck more than 1,000 U.S. companies since Oct. 2013.

Companies that suffer credit card breaches offer credit monitoring services as a means of placating nervous customers, but bear in mind that credit monitoring services do nothing to prevent fraud on existing accounts (such as credit cards you may have in your wallet). There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions.

If, on the other hand, you’re looking for more information on credit monitoring services, or for tips about how to protect yourself and loved ones from identity thieves, please check out this article.


52 thoughts on “Banks: Card Breach at Some Chick-fil-A’s”

  1. Icon0clast

    Good thing my credit card was replaced due to the Home Depot breach already!…. Right?

  2. Moike

    Chick-fil-A, Chick-fil-A! You should have accepted Apple Pay!

    1. John

      Did you look at the dates of the breach? Apple Pay has only been around for 66 days. How exactly would that have saved this from happening? Just curious…

    2. Am0s

      New cards issued by other vendors, including Home Depot and Apple Pay, would still have had a similar problem. If the POS accepted the payment, that information was captured and could have been used to create another ‘card’ or other transactions.

      The only way to fight this is to stop using debit or credit, private cheques (or bitcoin) and start using cold hard cash or traveler’s cheques for in person transactions. A general, refillable prepaid card like those issued by GreenDot may also be a partial solution, but you may be liable for fraud on the little bit of cash you stash on the card at any point in time and the transactional cost to put it there.

    3. TJ

      I was at Macy’s in Bellevue, Washington, (a pretty wealthy community) on Christmas Eve. I noticed that Macy’s POS accepted Apple Pay, so I asked the sales clerk if a lot of customers were utilizing Apple Pay. The clerk laughed and said that throughout the entire Christmas season he had experienced perhaps 10 people using Apple Pay. And given the massive crowd that night at the Apple Store in the same mall, there are no doubt many, many iPhone 6 owners in the community.

  3. BGC

    Maybe it’s time somebody started looking at the POS system vendors. Well, for that matter, let’s include all the third-party service vendors (HVAC, etc.) that have systems connected to the hackers’ targets.

  4. PHJ

    Vendors are treated as hostile agents here since a vendor used a thumb drive for an update and gave us Conficker. We should all treat 3rd party vendors as untrusted agents.

  5. jim

    Don’t be so sure fired up about Apple Pay. It’s only a matter of time till someone comes out with a pocket-sized reader that utilizes NFC. After that, Katie bar the door. Remember it’s new yet. New don’t mean better. Just new. Untested in the real world.

    1. Moike

      >pocket sized reader that utilizes nfc.

      So they capture a single fraudulent payment by timing a read with the victim unlocking their phone with a fingerprint. The victim immediately knows they’ve been had.

      They call their CC company and the CC Company shuts down the thief’s merchant account. Not a great haul for the thief.

    2. peter

      That works for standard NFC/RFID cards that support PayPass/payWave. They can be “skimmed” by a reader device nearby. And a transaction could also be captured.

      But Apple Pay uses tokens rather than the card number, and there’s a cryptographic signature that accompanies the transaction. Although the interaction can be copied, that won’t do a thief any good.
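The property peter describes (a copied exchange being useless to a thief) rests on two things: the token is not the card number, and the cryptogram is keyed and covers a per-transaction counter. The Go program below is an added example, not code from the commenter, from Apple, or from any card network; it models the exchange with an HMAC-SHA256 stand-in for the EMV application cryptogram and with constructed token, key and merchant values, and shows the token service refusing a replayed capture and an amount-altered copy. Lucas's point 3 further down about tokenization describes the same mechanism.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is what the reader (and anyone recording the NFC exchange) sees:
// a token standing in for the PAN plus a one-time cryptogram. The counter is
// advanced by the device on every payment, so no two payments look alike.
type Transaction struct {
	Token, Merchant string
	AmountCent      int
	Counter         uint32
	Cryptogram      string
}

// cryptogram is an HMAC-SHA256 stand-in for the EMV application cryptogram
// (an assumption of this example); it covers every field, so altering the
// amount, merchant or counter invalidates it.
func cryptogram(key []byte, t Transaction) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%d|%d", t.Token, t.Merchant, t.AmountCent, t.Counter)
	return hex.EncodeToString(m.Sum(nil)[:8])
}

// Wallet models the consumer device: it holds a token and a device key in its
// secure element and never learns the underlying card number.
type Wallet struct {
	token   string
	key     []byte
	counter uint32
}

// Pay builds the next transaction for a merchant and an amount in cents.
func (w *Wallet) Pay(merchant string, amountCent int) Transaction {
	w.counter++
	t := Transaction{Token: w.token, Merchant: merchant, AmountCent: amountCent, Counter: w.counter}
	t.Cryptogram = cryptogram(w.key, t)
	return t
}

type tokenRecord struct {
	pan         string
	key         []byte
	lastCounter uint32
}

// TokenService is the issuer-side vault: the only place a token maps back to a PAN.
type TokenService struct{ vault map[string]*tokenRecord }

func NewTokenService() *TokenService {
	return &TokenService{vault: map[string]*tokenRecord{}}
}

// Provision binds a token and device key to a PAN and returns the wallet that
// received them (token and key are caller-supplied here; a real provider
// generates both).
func (s *TokenService) Provision(pan, token string, key []byte) *Wallet {
	s.vault[token] = &tokenRecord{pan: pan, key: key}
	return &Wallet{token: token, key: key}
}

var (
	ErrUnknownToken  = errors.New("unknown token")
	ErrBadCryptogram = errors.New("cryptogram does not verify")
	ErrReplay        = errors.New("transaction counter not fresh (replay)")
)

// Authorize verifies the cryptogram and counter freshness before mapping the
// token to the PAN; the masked PAN it returns exists only on the issuer side.
func (s *TokenService) Authorize(t Transaction) (string, error) {
	rec, ok := s.vault[t.Token]
	if !ok {
		return "", ErrUnknownToken
	}
	if !hmac.Equal([]byte(cryptogram(rec.key, t)), []byte(t.Cryptogram)) {
		return "", ErrBadCryptogram
	}
	if t.Counter <= rec.lastCounter {
		return "", ErrReplay
	}
	rec.lastCounter = t.Counter
	return "****" + rec.pan[len(rec.pan)-4:], nil
}

func main() {
	// Constructed sample values: industry test PAN, made-up token, key and merchant id.
	tsp := NewTokenService()
	wallet := tsp.Provision("4111111111111111", "DPAN-0017", []byte("constructed-device-key"))
	tx := wallet.Pay("merchant-0421", 849)
	fmt.Println(tsp.Authorize(tx)) // ****1111 <nil>
	fmt.Println(tsp.Authorize(tx)) // same capture again: transaction counter not fresh (replay)
	forged := tx
	forged.AmountCent = 84900
	fmt.Println(tsp.Authorize(forged)) // altered amount: cryptogram does not verify
}
```

The merchant-side data never includes the key, so a captured transaction cannot be re-signed for a different amount or merchant, and the counter check closes the one remaining option of presenting the identical message a second time.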

  6. JLK

    Chick-Fil-A does not do real franchises. They own the land, store, and equipment and lease it back to you for 65% of the profits. So as the “operator” you don’t get to pick the POS equipment or vendors. This means the breach to some degree has to be Chick-Fil-A’s or at least one of their corporate POS vendor/ operators.

    1. Redacted

      I had no clue that was the case, makes this a lot more interesting then.

  7. Snooki

    Yet another breach where the company or third-party card processor fixes their security breach, after the damage has been done.

  8. JCitizen

    There is another meaning for the acronym POS, and about now I’m thinking a lot about it lately! >:(

    1. Columbus_viaLA

      Poor JCitizen! If I may venture a good deed your way: There is a simple procedure available to relocate your eyes to where they belong. I can recommend a good pixel surgeon. :>)

      1. JCitizen

        Thanks! I could use a good pixelation! HA! HAPPY NEW YEAR! 😀

  9. Sir Shartsalot

    Only religious kooks were affected by this breach.

    1. Matt

      I hope you realize how narrow-minded that sounds.
      People (except you apparently) have forgotten about whatever that was two years ago.
      I know plenty of agnostics and borderline atheists that go there routinely…and not ironically.

      1. Wrong

        Wrong. Plenty of normal, centrist (and straight, fwiw) people choose not to overlook their political duplicitousness. They were actively funneling money to pseudo-Christian hate groups until they got caught, so they lost my business forever.

        Hope they get hacked to bits, like their integrity.

  10. Michael

    To be fair… some of these stores are independently owned (in fact, they could all be, for what I know).. and some of the owners (at least where I am..) donate & support gay pride. So.. it’s not all bad apples out there, and reasonably, I wouldn’t ding someone else for someone else’s actions.

    With that aside. I can’t say I’m not surprised. Almost every POS terminal runs on Windows Embedded, Windows CE, or XP. And very few have any sort of antivirus installed or security tools set to scan for anything. They just do what they’re programmed to do and nothing else.

    I don’t blame the machines as much as I blame the poor decisions made by merchants. These people are running hundreds of thousands of credit card & account numbers through their machines, and they could care less about the customers’ information.. as long as they’re not affected. They’re a BUSINESS, and their business is turning profit… not data security.

    PCI Standards aren’t even really standards. They’re “suggestions” a merchant should look into and NOTHING more. Plain & Simple. They’re not enforced, and quite frankly, I think they’re considered more of a joke by payment processors & merchants than anything else.

    These networks are set up with very little pre-planning, and I know in some cases, thrown together overnight by a few computer technicians.

    The goal isn’t security; it’s an afterthought. It’s about making a system do what it needs to, the easiest and most efficient way possible. Security isn’t implemented until much later, and most of the time, only on an “as-needed” basis.

    I think, personally, there should be more regulation in the payment card processing industry. And companies themselves should be finding ways to wean themselves off obsolete, 1998 technology.

    Big stores should have their own home-grown setups. Not software that anyone can purchase and set up in 5 minutes. More emphasis should be placed on Linux, or other resource-efficient operating systems, not Windows.

    Of course, we won’t, probably ever, see any of this happen. Because at the end of the day, companies care more about profit than actual customers. We’re an afterthought, and nothing more.

    1. TErickson

      >>I don’t blame the machines, as much as I blame the poor decisions made by merchants.

      I actually feel for the merchants a bit, and do blame the machines (or the makers of said). Merchants aren’t in the business of cyber security; they want to sell goods and services and many don’t have the in-house talent to protect themselves. They turn to other sources for processing options and clearly those options are not being fully supported / protected; they are sold equipment and oftentimes left to figure it out and support it on their own, again not their area of expertise.

      1. Anthony

        Well.. it’s generally the machines, but the system integrators/installers who choose what to put on them, and decide where and how they’re placed both in a physical and network sense.

        It seems clear that any networked payment-enabled devices need security on them and in the parts of the chain leading up to them and from them.

        Strict firewall rules – both access and egress, covering both source and destination

        Strict network segregation – systems shouldn’t be on the same network segments as other, less strictly controlled devices. If data needs to be available to other systems, then it should be stripped of payment information, and pushed from the secured systems, not pulled

        Strict use rules – a payment system shouldn’t also be used for general web browsing, reading emails etc.

        Strict integrity checking – in large enough installs, payment terminals should probably be diskless, pulling an approved image from a secured server with similar restrictions. This is probably one of the cases where “Secure Boot” tech would be appropriate.

        Secure payment devices – at least in all the chip and pin installs I see in Australia, generally the PIN pad is leased out by the bank, and the POS terminal doesn’t see the full card details because the PIN pad itself opens an encrypted channel direct to the merchant’s bank, supplying back only a partial card number and that the transaction has been approved etc. Is there a need, really, for the POS terminal to see the full card number? No.. It only needs to know that the payment was approved by the merchant’s bank.

        Strict remote management functionality. Secure passwords that aren’t common to the entire fleet as well as two factor – such as a certificate that can be revoked or a token.

        Often, from what I can see, it’s expediency that wins out in a business scenario…
        Replace all our PIN pads?
        What, you mean I can’t browse on my cash register?
        Can’t we just plug in an NFC reader and leave it at that?
        What… My basic ADSL router won’t cut it for the network?
        I’m secure – McAfee/Norton/whatever came pre-installed when I bought the system 5 years ago.
        We couldn’t possibly use different passwords on all the systems we manage – so we’ll use the same password country wide.

    2. Brian

      The Payment Card Industry Data Security Standard (PCI DSS) is actually enforced. It’s enforced through pecuniary penalties imposed upon non-compliant retailers by the card companies (i.e., Visa et al.), and the penalties can be quite onerous.

      Per the PCI website, possible negative consequences can include “payment card issuer fines”:

      https://www.pcisecuritystandards.org/security_standards/why_comply.php

      1. EasyChild

        Penalties for you and me. But for major pushers that transfer billions through these wires.. no penalties. So no need for major expenses on security which is now showing by all of these card hacks that have been affecting these corporations.

  11. Jim C.

    I may be completely wrong about this but I am more reluctant to use a credit card or debit card at a major retail store as opposed to local businesses in my hometown. Do small businesses use banks for processing transactions as opposed to larger retailers who use third-party companies that are more susceptible to hacking? I always try to use my debit card as a credit card so as not to have a pin on file with a business.

    1. Joe

      Jim,
      I do the same with my debit card. I’m thinking maybe I should go back to using cash!

    2. TErickson

      >>I always try to use my debit card as a credit card

      Won’t change a thing; granted they may not lift your PIN, but they don’t need your PIN to empty your bank account.

    3. Boardman

      Jim, typically small merchants are using stand-alone card readers that are not attached to a larger POS system. In those instances, the ability for a fraudster to gather card data is a bit tougher because they have no POS system to exploit, and assuming the terminal is newer, there are advanced physical security mechanisms that make the devices difficult to penetrate. Add to this the fact that the risk/reward for a fraudster to hack a single mom-and-pop retailer is just not very attractive.

      1. Will

        Mom and pop retailers are the most vulnerable. They rely on VARs to buy and install POS systems/terminals. VARs are notorious for putting in insecure back doors for support like PCAnywhere, VNC and Remote Desktop directly accessible on the Internet. VARs are not required to be PCI compliant; the Merchant is the only one held to those requirements. So do you think an entrepreneur opening their only location is going to sift through logs on a daily basis, or for that matter even have the proper logging put in place? I have dealt with more than one reseller that uses the same usernames, passwords, IP schemes and all accounts are with admin privileges. All of that is why BlackPOS is so widespread and easy to use…especially from foreign countries.

    4. peter

      The legal protections on debit card fraud are considerably less than those for credit cards.

      I never EVER use my debit/ATM card other than at a bank ATM. Never.

      1. JT

        That’ll surely save you.
        You did see the sidebar w/the ATM skimmers, no?
        Monitor your accounts / transactions and you’ll be fine. It’s the end of the world as we know it (for over 20 years now). Relax ppl.

  12. JT

    This is why I no longer use a debit card for food purchases at all. If it is under $20, why not just pay cash?

    I have found this also makes my bank statements so much less cluttered after the fact. For any fans of Dave Ramsey, this is the only way to go.

  13. Ray Kroc

    That’s some good chicken right there. And the waffle fries! Not many tech security articles elicit hunger pains, this one certainly does.

  14. Albert

    Hm so after all of these breaches I would always go on rescator to check if my card had been compromised, but now they say they have no cards for sale, only bulk. However, they now have a “checker” option. Thing is, you have to put in your full card number and exp date. I’m just wondering, can they do anything with this info without your name? Of course I would pay the $0.50 it costs with bitcoins and not give them my name, and they also wouldn’t have my security code.

  15. Threalis Maradona

    This is actually easy to fix if your PIN pad providers support encryption at swipe such as Verifone’s VeriShield solution. Plus most payment authorizers support end-to-end encryption, so from swipe to your authorizing bank no PCI data is in the clear and your environment never sees a real credit card. This is all done within the PIN pad, so you can have an infected POS system and hackers are not going to get the info from your. The problem is most retailers do not like to spend money on security even after a breach. If you need pattern matching for loss prevention, most solutions in this space support format-preserving encryption so you still can data mine. The biggest cost is the PIN pad, which most companies, if they have not done it already, will need to replace their old ones with new ones that support chip and PIN. The only downside is an added fee per transaction, but I can tell you from experience that is a hell of a lot cheaper than trying to maintain PCI compliance in a large retail environment. The only drawback is you are still susceptible to skimming, but there are a number of ways to combat that.

      1. NewsJunkieEd

        Sure. And carry that cash in a saddlebag on your horse, because why advance a technology that works. If it ain’t broke don’t fix it, right? 😉

    1. Am0s

      Virtually all POS systems verify the credit card number and expiration date using software routines developed for that purpose before connecting to validate the purchase (via IP, often through a server onsite that usually queues and manages the requests). If the data is encrypted, it would have to be accepted as cash and handled outside of the POS system. This would also mean a dedicated land (POTS) line and swipe terminal at more than one location, or a line to use the card scanner at one or more locations in the business.

      Altering the process would require a significant and prohibitive cost factor, per cash register, or point of payment. This would need to start at the POS Vendors, and filter through their merchants, many may have purchased second hand, and don’t subscribe for maintenance updates, and equipment updates are rarely budgeted for.

      This quickly becomes a chicken-egg issue that will not be resolved anytime soon. I would suspect that the easiest avenue might be for POS vendors to look more closely at their product and issue appropriate forms of malware/virus protection and regular updates, that are not currently part of their program.

  16. Mike Bonner

    I live in South Florida and was contacted last week by Capital One indicating that my card information was part of a data breach from an unnamed retailer. They wouldn’t disclose the name of the retailer, which I thought was inappropriate because it’s my card information, and I feel I have a right to know. That having been said, I’m wondering if Chick-fil-A is the unnamed retailer, which means the issue may extend into Florida as well.

  17. Will

    This is a very complicated issue. Cash doesn’t solve theft, it merely transfers it to the merchant, armor service or bank. There is a cost associated with handling cash. I read a study that it costs a retailer $0.25 to handle a paper bill in the course of business. It has to be counted several times and protected.

    Banks are still handing out technology invented in the 1960s to their customers; really, a 16-digit static number is never going to be secure. EVER! The card brands set an October 2015 deadline for EMV and PIN for the merchants and banks, but the 2 new cards I received in the past 2 months aren’t even EMV, and don’t expire for a few years. On top of that they aren’t even going to require Chip&Online-PIN transactions; they are going to still allow Chip&Signature transactions. Yes, the chip makes it harder to duplicate a card, but with signature being accepted there will still be fraud. The next time you go to a sit-down restaurant, try and imagine having to get up and go to a POS terminal to pay your bill. It isn’t likely the average customer would return. I can assure you there aren’t any pay-at-the-table solutions that provide EtEE.

    So some acquirers/processors are just now starting to offer end-to-end encryption for certain POS systems. They are also taking it as a way to increase fees and revenues from merchants, so some retailers are resistant to embrace this technology. “What do you mean I have to pay more to secure a flawed system?” especially when merchants aren’t hit with the fraud charges now. EtEE is something new and merchants are still trying to figure out a mobile pay solution. CurrentC, Apple Pay, PayPal, and Google. There has to be consensus in the market to make this change. Or maybe the Brands could allow for a credit card fee to be passed to the consumer, which they won’t even allow to be entertained. Also EtEE precludes merchants from being able to write their own POS, because they still need to go through the expense of PCI PA-DSS and PCI-DSS audits on the POS system. There will not be any savings there.

    What I do think is working well are the fraud tracking systems put in place by the banks. It is great when I get a call from my bank wanting to notify me of some out-of-town purchases, or something else fishy going on. I had one of my utilities tied to one of the previous cards replaced due to fraud. The bank still allowed a transaction to go through on the old account number because they had built in that behavior as a legitimate transaction.

    Sorry for the long post, but these are issues that people need to think about and hopefully we can all come to a consensus on a solution.

  18. Will

    It looks like they use 3rd parties to manage connectivity and perimeter security.

    Via LinkedIn they used SAVVIS (part of Centurylink centurylinktechnology.com) for a perimeter security solution last year…oops 2013 🙂 and Contingent Network Services (www.contingent.net) for managed connectivity (no dates)

    Sources:
    https://www.linkedin.com/pub/howard-mitchell/22/b51/2a1

    http://designertoday.com/News/6662/Chick.Fil.A.s.Outsourced.Networking.Company.Contingent.Network.Services.LLC.Doesn.t.Pay.Their.Bills.aspx

  19. Lucas

    There are three themes in this thread I’d like to address.

    1) Is it safe to use a credit card and where? I always pay with my credit card even if it’s through PayPal, Google Wallet, etc. By federal law, I have zero liability if it’s stolen, I have lots of consumer protection benefits from it, and I use cash back rewards cards. If you are still concerned about your card being stolen, only use it on encrypting card readers or at standalone terminals that aren’t attached to a POS. If you think using it at small merchants is safe, think again. Most breaches are at small merchants. More on this in my next point.

    2) Who’s to blame? My answer is that all parties have shared guilt. Magstripe, keyed-in card numbers, and even EMV chips all expose sensitive cardholder data to the POS system. Design fail. Merchants don’t usually install and maintain their systems. Instead, they have a relationship and contract with the POS VAR in their neighborhood. Some have direct relationships with the POS developer who also does setup and maintenance, bypassing the reseller channel. Support almost always includes remote desktop access to minimize POS downtime when there’s a problem. VARs screw up security when setting that up, which is the root cause of most POS breaches. Don’t believe me? Take a look at the Verizon DBIR for verification. Their data set is largely comprised of payment card breaches. Merchants aren’t blameless either. Oftentimes they won’t pay for needed upgrades even when scary letters spelling out the consequences are sent for them to sign acknowledgement on by the VAR. Many won’t upgrade until they or someone they know goes through a nasty breach or their processor starts fining for non-compliance to some mandate put out by the card brands.

    3) We should get away from insecure credit cards! Yes, I agree. It’s a difficult challenge though due to the insanely large and complex infrastructure already in place. Most other countries either switched to electronic payments as EMV rolled out or they have highly regulated financial sectors with only a few banks calling all the shots. Their citizens will talk your ear off with vulgar language if you ask them their opinion on their own banks. Regardless, the slow move to EMV in the US for chip payments helps, although the account number and expiration date are still passed in the clear to the POS. Point-to-point encryption peripherals used to encrypt EMV, magstripe, and manually keyed-in card data are the quick fix for all that. As far as Apple Pay, Google Wallet, etc., there’s a ton of confusion. Google Wallet and most other mobile wallet solutions use the existing card emulation mode NFC “Tap & go” system, which is better than magstripe by using a dynamic CVV in the track equivalent data, but like EMV it still exposes the card number and expiration date to the POS. Google Wallet goes a step further by using a proxy MasterCard credit card issued by Bancorp, which allows them an opportunity to watch for signs of fraud alongside the card brands and issuers. They’re probably finding ways to monetize off the useful transaction information though. It’s not like Bancorp is doing them a solid for free. Do no evil, right? Apple Pay on the other hand implements the EMV specifications for both contactless and tokenization. I really wish they would advertise that instead of pretending to be proprietary magic. From all my reading, their implementation sounds highly secure to the point of utilizing dedicated hardware communication lanes. I imagine other wallets will go in the same EMV standards direction, which would be great. At least we’d have one standard. My concern is that Apple Pay doesn’t offer enough incentive to consumers to change their behavior. Any article I read that touts Apple Pay success involves someone with a special interest who goes to great lengths to manipulate the data. MCX CurrentC on the other hand is a coalition of retailers banding together to bypass the credit card ecosystem in yet another money grab by recovering processing fees. Your payment options with CurrentC are ACH wire transfers, gift/loyalty cards, and credit cards issued by the merchants themselves so they recover most of the interchange. No federal laws guaranteeing consumer protection? No thank you.

    End rant.
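Several comments in this thread (Anthony's "Secure payment devices" item, Threalis Maradona's encryption-at-swipe description, Will's and Lucas's point-to-point encryption remarks) describe the same design: the PIN pad encrypts the track data with a key the merchant never holds, the POS forwards an opaque blob, and only the processor ever sees the card number. The Go program below is an added example, not code from any commenter, from Verifone, or from any processor; it models that flow with AES-GCM standing in for the DUKPT-based schemes real pads use, and the key, key serial number (KSN) and card number are constructed sample values. It also shows what a memory scraper running on the register would get (a masked PAN and ciphertext) and that a tampered ciphertext is refused by the processor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// EncryptedSwipe is all the PIN pad hands to the register: AES-GCM ciphertext
// of the track data, its nonce, the key serial number (KSN) that tells the
// processor which injected key to use, and a masked PAN for the receipt.
type EncryptedSwipe struct {
	KSN        string
	Nonce      []byte
	Ciphertext []byte
	MaskedPAN  string
}

// gcmFor builds the AEAD used at both ends. AES-GCM stands in here for the
// DUKPT-derived 3DES/AES keys real pads use (an assumption of this example).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// panFromTrack2 extracts the PAN from ";PAN=YYMM...?" track data.
func panFromTrack2(track2 string) string {
	return strings.SplitN(strings.TrimPrefix(track2, ";"), "=", 2)[0]
}

// PinPad holds a key injected by the processor; the merchant's POS never does.
type PinPad struct {
	ksn string
	key []byte
}

// Swipe encrypts inside the pad, binding the KSN as authenticated data so the
// ciphertext only opens under the matching key.
func (p *PinPad) Swipe(track2 string) (EncryptedSwipe, error) {
	gcm, err := gcmFor(p.key)
	if err != nil {
		return EncryptedSwipe{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSwipe{}, err
	}
	pan := panFromTrack2(track2)
	return EncryptedSwipe{p.ksn, nonce, gcm.Seal(nil, nonce, []byte(track2), []byte(p.ksn)), "****" + pan[len(pan)-4:]}, nil
}

// POS is the merchant register; its memory slice stands in for the process
// memory a RAM scraper running on the POS would read.
type POS struct{ memory []string }

// Checkout records what passed through the register and forwards the opaque swipe.
func (s *POS) Checkout(sw EncryptedSwipe, amountCent int, proc *Processor) string {
	s.memory = append(s.memory, fmt.Sprintf("ksn=%s ct=%x pan=%s amt=%d", sw.KSN, sw.Ciphertext, sw.MaskedPAN, amountCent))
	return proc.Authorize(sw, amountCent)
}

// MemoryContains reports whether needle (e.g. a full PAN) is anywhere the POS held.
func (s *POS) MemoryContains(needle string) bool {
	return strings.Contains(strings.Join(s.memory, "\n"), needle)
}

// Processor holds the key database and is the only party that ever sees the PAN.
type Processor struct{ keys map[string][]byte }

// Authorize decrypts inside the processor, rejects tampered or mis-keyed
// ciphertexts, and answers with an approval and a masked PAN only.
func (pr *Processor) Authorize(sw EncryptedSwipe, amountCent int) string {
	key, ok := pr.keys[sw.KSN]
	if !ok {
		return "DECLINED unknown KSN"
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "DECLINED key error"
	}
	track2, err := gcm.Open(nil, sw.Nonce, sw.Ciphertext, []byte(sw.KSN))
	if err != nil {
		return "DECLINED bad ciphertext"
	}
	pan := panFromTrack2(string(track2))
	return fmt.Sprintf("APPROVED ****%s %d", pan[len(pan)-4:], amountCent)
}

func main() {
	// Constructed: all-zero 256-bit key, DUKPT-style KSN, industry test PAN.
	key, ksn := make([]byte, 32), "FFFF9876543210E00001"
	proc, pad, pos := &Processor{keys: map[string][]byte{ksn: key}}, &PinPad{ksn, key}, &POS{}
	sw, _ := pad.Swipe(";4111111111111111=2512101123?")
	fmt.Println(pos.Checkout(sw, 849, proc), pos.MemoryContains("4111111111111111")) // APPROVED ****1111 849 false
}
```

Chip or contactless reads change the data format but not the design point: the processor-held key is what keeps the PAN out of the register, which is why a compromised POS sitting in front of a P2PE pad yields ciphertext and a last-four, not track data. The cost Threalis mentions (replacing the pads) is the price of moving the key out of the merchant environment.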
