August 26, 2014

Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

Update, Aug. 28, 12:08 p.m. ET: A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions. Dairy Queen says it is still investigating and working with authorities, and does not yet know how many stores may be impacted.

Original story:

dqI first began hearing reports of a possible card breach at Dairy Queen at least two weeks ago, but could find no corroborating signs of it — either by lurking in shadowy online “card shops” or from talking with sources in the banking industry. Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states. There are also indications that these same cards are being sold in the cybercrime underground.

The latest report in the trenches came from a credit union in the Midwestern United States. The person in charge of fraud prevention at this credit union reached out wanting to know if I’d heard of a breach at Dairy Queen, stating that the financial institution had detected fraud on cards that had all been recently used at a half-dozen Dairy Queen locations in and around its home state.

According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014.

“We’re getting slammed today,” the fraud manager said Tuesday morning of fraud activity tracing back to member cards used at various Dairy Queen locations in the past three weeks. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Other financial institutions contacted by this reporter have seen recent fraud on cards that were all used at Dairy Queen locations in Florida and several other states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas.

On Friday, Aug. 22, KrebsOnSecurity spoke with Dean Peters, director of communications for the Minneapolis-based fast food chain. Peters said the company had heard no reports of card fraud at individual DQ locations, but he stressed that nearly all of Dairy Queen stores were independently owned and operated. When asked whether DQ had any sort of requirement that its franchisees notify the company in the event of a security breach or problem with their card processing systems, Peters said no.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach.”

Julie Conroy, research director at the advisory firm Aite Group, said nationwide companies like Dairy Queen should absolutely have breach notification policies in place for franchisees, if for no other reason than to protect the integrity of the company’s brand and public image.

“Without question this is a brand protection issue,” Conroy said. “This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”

DEJA VU ALL OVER AGAIN?

The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

The DHS/Secret Service advisory.

The DHS/Secret Service advisory.

Rumblings of a card breach involving at least some fraction of Dairy Queen’s 4,500 domestic, independently-run stores come amid increasingly vocal warnings from the U.S. Department of Homeland Security and the Secret Service, which last week said that more than 1,000 American businesses had been hit by malicious software designed to steal credit card data from cash register systems.

In that alert, the agencies warned that hackers have been scanning networks for point-of-sale systems with remote access capabilities (think LogMeIn and pcAnywhere), and then installing malware on POS devices protected by weak and easily guessed passwords.  The alert noted that at least seven point-of-sale vendors/providers confirmed they have had multiple clients affected.

Around the time that the Secret Service alert went out, UPS Stores, a subsidiary of the United Parcel Service, said that it scanned its systems for signs of the malware described in the alert and found security breaches that may have led to the theft of customer credit and debit data at 51 UPS franchises across the United States (about 1 percent of its 4,470 franchised center locations throughout the United States). Incidentally, the way UPS handled that breach disclosure — clearly calling out the individual stores affected — should stand as a model for other companies struggling with similar breaches.

In June, I wrote about a rash of card breaches involving car washes around the nation. The investigators I spoke with in reporting that story said all of the breached locations had one thing in common: They were all relying on point-of-sale systems that had remote access with weak passwords enabled.

My guess is that some Dairy Queen locations owned and operated by a particular franchisee group that runs multiple stores has experienced a breach, and that this incident is limited to a fraction of the total Dairy Queen locations nationwide. Unfortunately, without better and more timely reporting from individual franchises to the DQ HQ, it may be a while yet before we find out the whole story. In the meantime, DQ franchises that haven’t experienced a card breach may see their sales suffer as a result.

CARD BLIZZARD BREWING?

geodumpsLast week, this publication received a tip that a well-established fraud shop in the cybercrime underground had begun offering a new batch of stolen cards that was indexed for sale by U.S. state. The type of card data primarily sold by this shop — known as “dumps” — allows buyers to create counterfeit copies of the cards so that they can be used to buy goods (gift cards and other easily-resold merchandise) from big box retailers, dollar stores and grocers.

Increasingly, fraudsters who purchase stolen card data are demanding that cards for sale be “geolocated” or geographically indexed according to the U.S. state in which the compromised business is located. Many banks will block suspicious out-of-state card-present transactions (especially if this is unusual activity for the cardholder in question). As a result, fraudsters tend to prefer purchasing cards that were stolen from people who live near them.

This was an innovation made popular by the core group of cybercrooks responsible for selling cards stolen in the Dec. 2013 breach at Target Corp, which involved some 40 million compromised credit and debit cards. The same fraudsters would repeat and refine that innovation in selling tens of thousands of cards stolen in February 2014 from nationwide beauty products chain Sally Beauty.

This particular dumps shop pictured to the right appears to be run by a completely separate fraud group than the gang that hit Target and Sally Beauty. Nevertheless, just this month it added its first new batch of cards that is searchable by U.S. state. Two different financial institutions contacted by KrebsOnSecurity said the cards they acquired from this shop under this new “geo” batch name all had been used recently at different Dairy Queen locations.

The first batch of state-searchable cards at this particular card shop appears to have first gone on sale on Aug. 11, and included slightly more than 1,000 cards. The second batch debuted a week later and introduced more than twice as many stolen cards. A third bunch of more than 5,000 cards from this batch went up for sale early this morning.

An ad in the shop pimping a new batch of geo-located cards apparently stolen from Dairy Queen locations.

An ad in the shop pimping a new batch of geo-located cards apparently stolen from Dairy Queen locations.


83 thoughts on “DQ Breach? HQ Says No, But Would it Know?

  1. Alex Alten

    1st, all this back end/wholesale credit card fraud could be reduced significantly by requiring two factor authentication; PIN + card (mag or EMV). The ATM industry (despite some high profile incidents) has successfully done this. However, this requires some careful security design on the back end communications/databases (in particular the PIN cannot be stored anywhere independently in the clear or as a cryptographic 1-way hash).

    2nd this is also a “Trusted Path” problem; the PIN entered at the terminal needs to be protected physically & electronically until it can get inside a tamper proof box where it can be processed. All the EMV or mag strip does fundamentally is to provide an ID, which can be publicly known, the PIN proves that whomever presents the ID is the valid owner/user of the associated account. If this is done properly then the front end retail theft at the POS terminal is reduced as well.

    Adding a PIN requirement to current mag strip POS terminals should be fairly easy to do and may not require wholesale upgrades of them. They may not be very good at providing a “Trusted Path” but at least wholesale theft out of back end data bases would be less fruitful. Ideally these back end data bases should also be encrypted, with decryption only occurring on demand per card account–but then this gets into more serious security system design involving cryptographic key management, etc.

    The technical & security solutions to all these credit card thefts are well understood, it is primarily a political & legal problem to solve it.

  2. Katrina L.

    It’s always amazing (and somewhat funny) to hear that a company has to be TOLD that their customer data has been comprised. How can you run a major corporation if you can’t even keep track of something as important as that? These companies won’t be satisfied until every franchise is hit across the globe.

    1. SeymourB

      Once the hackers get into a system, they often remove all traces that they gained access to the system. Intrusion detection systems are often the first targets after hackers gain access, and thanks to standardization in large companies (e.g. same credentials lets you access multiple systems) that’s usually the easy part. Plus IDS are in pretty crummy states in general, every one I’ve seen is a kludge, or at least standardized to the point that if you broke one installation of product X then you can break most installations of product X. This is why people suggest that once a system is compromised, you need to wipe it all out and start over to remove all traces of the compromise. You can’t just remove the traces you can find and hope that’s all that was there, because they could have just hidden their tracks well enough to still be lurking.

      What’s really surprising to me is the sheer number of home users whose systems are compromised and they’re blissfully unaware. You would think their ISPs would like to step in and alert them to the massive amount of fraud being committed (not to mention bandwidth being used) on their connection, but apparently that’s too much work for the Comcasts of the world. They’d rather just turn a blind eye and raise everyone’s rates.

    2. Nunos

      How would a corporation know that the data was being used at other retailers? The credit card processors are the ones that typically find out if the credit cards are being used elsewhere so they notify the appropriate folks.

  3. David in Toronto

    PCI has a lot of boundary conditions and special cases that can make things untidy.

    Having said that, there are breach disclosure responsibilities and there are responsibilities for outsourcing and contracting. And the new version of the standard has clarified a lot of ‘scope’ concerns.

    While it is possible it may be all the fault of the franchisees, it will depend on a lot of things like if HQ sees any of the card data, if they can affect the security of that data or systems in the franchise, if they have part in any of the contracts with the bank/processor and who holds contracts with whom.

    Even if DQ HQ is itself somehow compliant and it’s all a franchisee problem, they have egg on their face.

  4. Emerakul

    I can confirm that there is POS malware on many of the Dairy Queen terminals.

    For sake of my own security, I will not say how, but I know that it is there.

  5. JCitizen

    Always the same oh! Shop gets pwned and denies early results – Oh! Dairy Queen is probably a mishmash of POS systems – I forgot! Oh well – whats the difference – brick and mortar ain’t safe no more!

  6. Betan testravosky

    What I’d like to know is why every news media outlet and 3 Cent Security Self-Proclaimed Guru is continually hammering on the already known “wrong” assumption that JP Morgan Chase’s website had a zero-day that was exploited. Wrong. Wrong. Wrong. When Chase, Bank of America, PNC, UPS (and about “25” other banks) were breached simultaneously … they were breached through unpatched *known* exploits in the same ROUTER hardware all the victims used. (It wouldn’t surprise me if they were using Linksys … LOL … but my guess would be Juniper) The common denominator for all the breaches. Not a website penetration. Those breaches were state sponsored by our favorite country that still bans importation of Visine because it gets the red out. I wish the mainstream writers would really check the dark nets before posting their articles. And another thing Brian – When are you and Dave Kennedy going to do a Cooking and Security PodCast?

Comments are closed.