17
Dec 15

Banks: Card Breach at Landry’s Restaurants

Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, and Morton’s. 

Update, 2:57 p.m. ET: Landry’s has acknowledged an investigation. Their press release is available here (PDF).

landrys

Original story:

Houston-based Landry’s Inc. owns and operates more than 500 properties, such as Landry’s Seafood, Chart House and Rainforest Cafe. Last week, I began hearing from banking industry sources who said fraud patterns on cards they’d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.

It remains unclear how many of Landry’s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An online FAQ about the incident posted to Landry’s site says the company does not yet know the extent of the breach.

Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.

Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry’s locations.

Tags: , , , ,

37 comments

  1. Lets get real – in regards to ANY merchant. If you can use your card there, it’s probably breached!!!

  2. I recently switched to using a Discover card at restaurants and gas stations because you can freeze your account from being used. I downloaded their app to my iphone, log in to the phone using my fingerprint and login to the Discover app also with my fingerprint. About 3 clicks later I can unfreeze my account seconds before putting it in the pump, get my receipt and then freeze it again from use before getting in the car. I do the same at the restaurant. My card is almost always frozen from use except for those few seconds I do the transaction. I’m not trying to do an advertisement for Discover, but no other credit card offers this. It doesn’t stop someone from stealing my number but unless they use it at the exact same time as I am paying for gas then it won’t work. I think every credit card company should be doing this.

    • I work for a regional community bank, and we offer a on/off switch for our debit cards as well. That feature is being used by many banks across the country.

    • https://www.discover.com/credit-cards/help-center/faqs/freeze-account.html

      Thanks for mentioning this. I’d never heard of it. Sounds great.

    • Steve, how do you handle transactions that don’t occur at an exact? Such as Amazon.com or Netflix, or even an offline transaction from a smaller merchant..

      • I haven’t tried using it for internet purchases yet because of the uncertainty of when exactly my card will be charged. It would probably get changed immediately in most cases, but I haven’t tested that yet. I really don’t want to give my card number to any internet site, so have been using only PayPal which I deem to be a little bit more secure since they don’t provide my card number to the vendor.

      • For me, that’s where a system such as ‘Virtual Account Numbers’ comes in – via app or desktop, I can get a Visa/MC 16-digit number and CVC code, specify the expiration date (up to a year), and a ceiling amount, which will only work for a single (online) merchant. The charges go against my physical Citi card, but without having to supply the number on the card itself.

        • This is not necessarily 100% accurate. I had thieves reuse my “one-time” generated number. Not quite the one-time use that I thought.

    • My bank offers this service through my mobile banking, and it is a small community bank. They also offer a service called SMS Guardian which will alert you through text message each time your card is used. Question your bank to see what kind of fraud protection they offer….it will be worth your time.

    • Naaaaaaaaaaaaah…

      that makes WAY too much sense!

      OTOH, most people wouldn’t do it, ’cause it’s SO time consuming! :(

      • Henry Winokur: any security “solution” has to take into account the point of view from all three constituencies (consumer, merchant, provider).

        Each has values reflected in their priorities. These include, not necessarily in this order and not limited to:

        Consumers value ease of use, speed, and oh yeah, security.

        Merchants value speed, reliability, and oh yeah, security.

        Providers value speed, reliability and security.

        EMV (chip-&-sig type) isn’t easy to use for non-present transactions (the growing channel of commerce), isn’t fast (shoving [a reciprocal motion] is slower than swiping [a continuous motion] and response/approval time is greater) and expensive ($100M for Target alone). For some merchants the cost of the new terminals exceed their losses. Is it secure? Well, UK total card fraud (as a percent of total card use) is up http://nc3.mobi/references/uk/ for the past three years. Remote purchase fraud (part of total) is also up for the past three years. Last: a very clever social hacker built a device called MagSpoof http://nc3.mobi/references/2015-unknown/#20151124 which convinces EMV terminals that they don’t need to use EMV at all.

        So, is there a solution that breaks the inverse relationship between increased security and easy to use? (see relationship image at http://nc3.mobi/about-us/ ) Is there one that does not impose huge costs on one constituent? More secure, easier to use, inexpensive: a solution with those attributes may be embraced by billions of consumers, millions of merchants and hundreds of providers. (and hated by how many ever crooks there are!)

        Jonathan @NC3mobi

  3. Det. Sgt Aaron Randall

    Do you know the time frame of the breach or a guess. I have other officers that used their cards at one or more of the Laundry’s restaurants.

    • Detective, that information is in the story:

      “Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.”

  4. It seems Android Pay using tokenization would protect you against this. Unfortunately my bank is not supporting it yet.

  5. The thought that came unbidden to my fore brain was HERE WE GO AGAIN! 300 properties … a few compromised? All of them?? oh GAK!

    There is a small difference from the past. The companies are going public a lot faster. What looks like about two weeks delay here which might be at the request of law enforcement to provide a window for observation.

    There are hundreds of providers. There are millions of merchants. There are billions of consumers. If you were a crook which would you attack? The hundreds with large IT staffs? The weakly protected single consumer? Or, the middle group? Millions of merchants with IT staffs from none to many, from neophyte to expert, with modern and legacy systems?

    Who is THE WEAKEST LINK?

    Jonathan @NC3mobi

    https://www.youtube.com/watch?v=b_KYjfYjk0Q

  6. Yes! More free credit monitoring is on its way!

  7. This is a bunch of BS. All because trying to save money. Put a chip or what every needs to be done.

  8. Let’s get real. The ONLY reason they came public with this information this year is that Krebs dropped the hammer. It might have been months longer otherwise.

  9. Apparently food service establishments are going down left and right.

    I heard the other day that the Elephant Bar chain was also recently compromised.

    http://www.elephantbar.com/incident/

    Sadly this is going to keep happening until people in the Food Service industry do something major to isolate or increase the protection surrounding their financial and credit card data.

  10. I contend all US plastic Cardholders owe a big thank you to 1) the 1974 & 1978 US Congress, and 2) the very hard-working Carders/Thieves picking up the low hanging fruit from the plastic card industry.

    (Congress passed the: Fair Credit Billing Act, 1974 [$50 maximum Cardholder liability on fraudulent credit card charges during first 60 days]; Electronic Funds Transfer Act, 1978 [$50 maximum Cardholder debit card liability during first 48 hours].
    Within these limits, Congress made Cardholders merely the spectators to the unfolding plastic crime scene.)

    By extracting $ millions from both Issuers and Merchants on a monthly basis, Carders/Thieves are the only entity getting the Brands, Issuers, Acquiring Banks, and Merchants to slowly change their business/profit model, and causing them to actually nibble on the bullet of plastic card security, from A-Z.

    Nothing like the incessant pain of losses to get full attention, particularly now that the ROE on credit cards has dropped from that 28% in its halcyon days before 2010.

    Slowly change?
    In 1992, France invented and developed the EMV-PKI chip for other reasons, but soon expanded it for plastic card security, and it spread. That is what US Issuers quarter-heartedly introduced in Oct. 2015 to the Card Present transaction.

    But with no requirement from the Brands that the Merchants and their Acquiring Banks also introduce the matching EMV-PKI readers.
    So we get PR about “Chip & signature”. (When was the last signature ever checked on a credit card?) But maybe in 10-15 years you might see the real “Chip & PIN”…
    As for EMV-PKI intro and the Card Not Present problem, fahgedaboudit…

    What I commend is that the Carders/Thieves are stealing millions $ from Issuers and Merchants, and they never use a gun.
    No Glock 9’s or Streetsweeper’s needed. That will favorably impress a US jury.

    For those who think the smart phone is the answer, I caution that just because you’ve loaded Apple Pay or another wallet on your phone, doesn’t mean the roughly 25 million Visa/MC Merchants have the matching readers; see EMV-PKI reader intro schedule above…

    And much good luck using it in Europe, Asia, South America. Plus whopper roaming charges.
    But as a spectator, enjoy the rich, continuing show.

    • Blanche: When you make a serious comment on crooks and crime you might want to pick a nom-de-post other than a character who was thrown out of her home town for being of “loose morals”.

      Good points all. One amplification.

      You wrote:
      > Congress made Cardholders merely
      > the spectators to the unfolding
      > plastic crime scene.

      We may be spectators, but we are paying a hefty ticket price. The cost of crime is built into fees providers charge merchants and by merchants into the prices they charge us. In the end consumers pay all the bills.

      Most “solutions” come from a point of view of one the three constituents to the process. The solution may be beneficial to that one constituent, but generally at the expense of one, or both, of the others.

      There is a better way.

      Jonathan @NC3mobi

  11. The Golden Nugget is on the info placard. There’s been a rash of casino breaches as of late. Wonder if they all had the same antiquated PoS systems.

  12. Hello, the https version of your site is not working properly, because it’s trying to load images from http and modern browsers block that (within https page).

  13. Here’s my take. It must not be illegal to hack your credit/debit card. Otherwise, the guys in white hats would be all over it. After all, they are paid to protect us, or did I not get that memo?
    I still believe the fraud laws, theft laws are set too high. They should place a hold on the card till each sales transaction is verified by photo/fingerprint or signature. But the place to start would be to make customer data private, and illegal to misuse. Acharge card number, is assigned to a cardholder, they are a victium also. But their leakage isn’t part of the crime, why?
    And phones as a secure device, don’t get me started, they all fell in line. Even BlackBerry, way back when Saudis started using them. After all. The backdoors, and the apps security.

  14. When dealing with establishments like these, your personal information is only as secure as the waiter/waitress that walks away from the table holding your credit card in their hand. At that point, hey have the card number, your name, the expiration date and the security code. Sooner or later, banks will require restaurants to use a portable machine that swipes the card at the table or have a cash register at the door.

    • Offline transactions (such as with a handheld terminal) are precisely the use case which distinguishes between Chip-and-PIN and Chip-and-Signature. Oh, wait …

  15. Serious lack of information on the Landry’s website as noted by Mr Krebs. Being that I am a “select member”, I did find out I was last there in March. As long as their databases were not breached, I “should” be okay. Time will tell.
    Thank you, Mr Krebs for the site and the great book

  16. I have recently found a security problem on a restaurant gift card website (Houlihan’s owned) and attempted to contact various parties involved in securing the website but nobody seems to understand or care about the problem!

    • VinceT: This is the Ostrich Response. If they don’t hear about it then it isn’t happening. Denial – not just a big river that flows through Tanzania, Uganda, Rwanda, Burundi, Kinshasa (formerly the Congo), Kenya, Ethiopia, Eritrea, South Sudan, Sudan and Egypt.

      In a more serious vein – this an example of object permanence a fundamental concept in developmental psychology, part of understanding growth in the social and mental capacities of very young humans.

      Object permanence is the understanding that objects continue to exist even when they cannot be observed directly (seen, heard etc) or perceived by some indirect inference (mommy said it was there). WHEN this concept is embodied is not yet clear. For some earlier than later.

      For some companies (companies are people too, see CitizensUnited) it is later, much later, even when concerned consumers try to tell them the problem is there.

      Jonathan @NC3mobi

      PS: Take your evidence to a local journalist and ask THEM to call on the restaurant for a COMMENT on the story Restaurant Ignores Hacking Warning from Concerned Citizen.

      • (Dang – no preview mode and my aged eyes missed a closing slant mark. Here is the cleaner version. Sorry about that.)

        VinceT: This is the Ostrich Response. If they don’t hear about it then it isn’t happening. Denial – not just a big river that flows through Tanzania, Uganda, Rwanda, Burundi, Kinshasa (formerly the Congo), Kenya, Ethiopia, Eritrea, South Sudan, Sudan and Egypt.

        In a more serious vein – this an example of object permanence a fundamental concept in developmental psychology, part of understanding growth in the social and mental capacities of very young humans.

        Object permanence is the understanding that objects continue to exist even when they cannot be observed directly (seen, heard etc) or perceived by some indirect inference (mommy said it was there). WHEN this concept is embodied is not yet clear. For some earlier than later.

        For some companies (companies are people too, see CitizensUnited) it is later, much later, even when concerned consumers try to tell them the problem is there.

        Jonathan @NC3mobi

        PS: Take your evidence to a local journalist and ask THEM to call on the restaurant for a COMMENT on the story Restaurant Ignores Hacking Warning from Concerned Citizen.

  17. From Wired:
    The CIA Secret to Cybersecurity That No One Seems to Get

    http://www.wired.com/2015/12/the-cia-secret-to-cybersecurity-that-no-one-seems-to-get/

    ——————————————————–

    Everyone is searching for an answer as to what TO do. No one seems interested in what NOT to do.

  18. Tokenization with P2Pe is the only way to secure point-of-sale card payment data. This is true regardless of whether or not the specific tech used is PCI compliant or not.
    The PCI council is an impediment to security and is not business-friendly. In fact, a retailer can be fully PCI-certified by an external independent 3rd party QSA and STILL be utterly and completely unsecured due to scoping.

    • Jobo:

      Re PCI

      Q: How did Target pass its Payment Cards Industry Data Security Standard (PCI-DSS) certification examination? Quoting Target Chairman, President, and Chief Executive Officer Gregg Steinhafel “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.”

      http://nc3.mobi/references/20131218-target/#20150921

      Re Point-to-point-encryption:

      Consumers are pushing back against EMV and merchants are spending $12B (per NRF). Those constituents and the providers are unlikely to bankroll another major shift.

      Why not put security in the message and not the transmission medium? That way how it gets to the provider means nothing. If the underlying charge card credentials are not in the message what good is it to crooks?

      There is a better way.

      Jonathan @NC3mobi

      • The only way they could by taking entire systems out of scope such as their HVAC.

        Tokenized authorizations with P2PE does what you want by encrypting everything between the card reader and the payment processor. The POS system has no visibility of the transaction no even in RAM.

      • Why not separate vendor login from the POS system (physically)? Why not run a POS that can’t by so easily accessed by the open internet?

  19. Retailers are in a real bind. They can either have secure systems or they can be PCI-certified. There is currently no cost effective path to both.

    There have been P2PE solutions available on the market for several years. The last time I look (2013) the only one the PCI council had certified was made of unobtanium unless your in Europe.