January 27, 2016

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations.

wen2Bob Bertini, spokesperson for the Dublin, Ohio-based restauranteur, said the company began receiving reports earlier this month from its payment industry contacts about a potential breach and that Wendy’s has hired a security firm to investigate the claims.

“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

Bertini said it was too soon to say whether the incident is contained, how long it may have persisted, or how many stores may be affected.

“We began investigating immediately, and the period of time we’re looking at the incidents is late last year,” he said. “We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope.”

When KrebsOnSecurity initially began hearing from banking industry sources about a possible breach at Wendy’s, the reports were coming mainly from financial institutions in the midwest. However, this author has since heard similar reports from banks on the east coast on the United States.

The Wendy’s system includes approximately 6,500 franchise and company-operated restaurants in the United States and 28 countries and U.S. territories worldwide. Bertini said most of the U.S.-operated stores are franchises.


122 thoughts on “Wendy’s Probes Reports of Credit Card Breach

    1. Paul

      Geez, 2 spammy comments in the space of what, the first 3 threaded?

      Seconding NotMe, pay Brian for ad space on the right.

  1. Robert.Walter

    Of course Wendy’s is part of the Walmart-led CurrentC gang that is blocking the use of secure payment methods like Apple Pay even where chip readers are installed.

    If Wendy’s had NFC readers and allowed Apple Pay, this would be a non-issue for their Apple Pay-using customers.

    1. Justin Smith

      Or you can use Samsung Pay and get the security without the merchant needing to do anything.

      1. Robert.Walter

        The NFC side of Samsung Pay is tokenized, but is that true for the Loop Pay based non-NFC side? If not, then there is no security advantage over swiping a card.

  2. Jim

    Maybe it’s time for states to change their laws and the card networks to allow merchants the “right” to verify any and all card users they want to with the presentment of a state-issued photo ID. Since laws now make the liability for loss shift from banks to businesses, I know if I were a merchant possibly taking the financial “hit” for fraudulent transactions from lost, stolen, or counterfeit cards, I would want the “right” to see an identical match of face and photo and the names on both the payment card and the photo I.D. After all, you don’t see the states or card networks offering to take the liability for loss off the shoulders of businesses. Like the saying goes: “In God we trust. All others pay cash”.

    1. Jason

      Jim, that would be a great idea, but these thieves use fake IDs to make the fake names on the card.

    2. me

      or maybe they should stop hiring felons and using Wendy’s is a work release program for prisons

  3. Steve

    So we should all have to pay yet another service because someone hasn’t taken as much care with other people’s things as they would with their own?

  4. NotMe

    Geez, At least give Brian some cash and you can run an ad on the site over to the left. ====>

  5. DannyKSRQ

    Just go with the new chip or phone payment systems and stop allowing mag cards.

  6. Heidi

    I saw someone use the headline “Where’s the Breach” today. Why didn’t you think of that one, Brian?

  7. Guy

    Unfortunately pretty much all ID cards have less security than the new EMV/Chip cards. There is no single solution for payment security. The attackers have more sophisticated tools, EMV stops counterfeit at brick and mortar and reduces the value of stolen data. Account number tokenization, End-to-End Encryption, biometrics all play a role. The next two years merchants and issuer need to invest in and implement proven security levels for today and plan for what they will need in the future. It is a never ending cat and mouse game between the good guys and the fraudsters. New technology is a tool for both sides. It is equivalent to an arms race. A new technology comes along and all sides race to leverage that technology to achieve their objectives. Unfortunately the fraudster’s objectives are not in alignment with consumer security

  8. Jim

    Regarding the new EMV (Chip) Cards, I hear they can already be compromised by some type of a Near-Field scanning device near your wallet, or an app on a Samsung smartphone within 15 feet of your unshielded card.

    1. Fred

      Absolutely not, Jim. The card chips emit no signal; they can only be read by physical contact.

      1. Robert.Walter

        I think he has confused chip with the separate RF chip embedded in contactless credit cards.

    2. Vog Bedrog

      Sounds like you’re thinking of the payWave/PayPass contactless chips. If implemented correctly both of these standards encrypt too much information for what is readable from the card to be of any use to fraudsters, with exchange of cryptograms and transaction counters during transactions as a backup. Yes we’ve all seen videos of someone walking around with readily-available components asking people ‘is this your card?’ – the media love a good scare-story like that – but the actual information revealed should be minimal (of course there have been some issues due to poor implementation, but FIs are learning).

  9. Peter

    I agree with Fred, the crim has to physically bump in to you. But that does happen a lot in crowds! But you don’t need to shield your EMV card , just have 2 chip cards together in your wallet and neither can be read successfully. Who doesn’t have at least 2 cards these days.

  10. me

    Too many criminals work at Wendy’s as well as drug addicts

  11. Matthew Williams

    Welp, that explains how my card got popped. It happened right at the end of December in the Raleigh/Durham area.

  12. Terri

    I was at Wendy’s 1/27/16. If I see activity on account, I will report to bank. However. Should I report to Wednesday location as well?

    Thank you

  13. Dave Thomas

    Brian Krebs, here is some eye opening news for ya. Wendy’s is a Fortinet shop. Connect the dots to the breach.

  14. rdmallory

    Could be a simple as someone copying the cards at the drive-through. P2PE will not stop someone from collecting card numbers.

  15. Blanche Dubois

    Brian, the Brands’ much PR’d but deliberately weak/partial US introduction of EMV/PKI on 1Oct2015, ensures you will have many similar mass CC compromises to report to us for years to come.

    For the relatively few US Merchants who have actually installed the EMV reader for Card Present transactions, there’s a far lesser number (or his Acquiring Bank), that has actually engaged/connected the PIN part of its secure transaction.

    Of course, is there yet a single US Issuer that has suspended his CCs’ magnetic strip capability?

    (When the ApplePays & ilk have induced just 3 million US Merchants each, to buy their readers, that’ll be a story…
    Based on the Merchants’ “tough slog” drag approach to EMV/PKI for the much broader, cheaper, more convenient CC & the masses, good luck Apple.)

    What would be a now interesting further sub-piece to these future CC breaches in light of 1Oct15, would be reporting:

    1) the % of the CCs breached that are EMV/PKI vs. non-EMV equipped;

    2) for the breached Merchant, what % of his POS readers are EMV capable, vs. what % of his EMV readers are actually connected and make the PIN entry a choice for the Cardholder.

    I would expect your bank sources (Issuers) would know #1, as the Issuers now have a husky fraud/loss claim against that breached Merchant by the 1Oc15 rules.
    The Merchant and his Acquiring Bank (any sources?) know #2 exactly, but embarrassed to reveal until the Issuers’ loss claim/lawsuit arrives.

    I believe a number of your sources are motivated to (confidentially, of course) share data with you because of the levels of criminality involved.

    Given our non-functional gov’t, investigative reporters are nearly the only force that may influence/embarrass either the FedRes and/or the Brands, to “copy & paste” by a date certain, the EMV protocol that other advanced, rich, democratic countries have already field tested and implemented 15 years ago to stop the Card Present CC fraud, and get to work on the CNP problem. The US is the leak in the bucket.

    Until then, given the Brands’ slo-mo intro of US EMV, CC breaches are now a Cardholder spectator sport. Let the games proceed…

    For the Carders/thieves who are loyal readers, the US gold vein is deep and rich for 5-10 more years. Who said crime doesn’t pay? And they do it without a gun…

  16. Intuit Security

    One of the shocking aspects about Intuit in the whole tax fraud space is the company’s selection of a CISO. Indu Kodukula is a first time CISO (prior stint as a COO for a small shop), with NO security experience. You’d assume a company that is tasked with protecting the PII of roughy half the nation would pick a seasoned expert to head the Infosec function for the company.

    As a former employee, I can attest to how the company truly approaches security from a strategic perspective:

    1. Invest in lobbyists to influence the IRS about what’s “prudent” from a security industry perspective. The lobbyists are aggressively convincing the IRS and States that SIRF (how most consumers are victimized).
    2. Place unproven security leadership in place to lead the security department. Examples – Indu Kodukula (no security experience), Shannon Lietz (at the held of PSN and primarily culpable for their breach).
    3. Choose to focus on ATO (account take over), which is responsible for ~10% of the tax fraud and convince the IRS that SIRF (Stolen Identity Refund Fraud) is an industry problem. SIRF is responsible for the the vast majority of tax fraud losses.

  17. Mike

    Does the card reader software require or use Java? Is Java what these things are programmed with? Is there any link between all the card reader breaches and Adobe products?

  18. Blanche Dubois

    Brian, the CC Brands’ much PR’d but deliberately weak/partial US introduction of EMV/PKI on 1Oct2015, ensures you will have many similar mass CC compromises to report to us for years to come.

    For the relatively few US Merchants who have actually installed the EMV reader for Card Present (CP) transactions, there’s a far lesser number that has actually engaged/connected the PIN part of its secure transaction (normally done by his Acquiring Bank).

    Of course, is there yet a single US Issuer that has suspended his CCs’ magnetic strip capability?

    (When the ApplePays & ilk have induced just 3 million US Merchants each, to buy their readers, that’ll be a milestone…
    But based on the Merchants’ “tough slog” drag approach to EMV/PKI for the much broader, cheaper, more convenient CC & the masses, good luck Apple.)

    What would be a now interesting further sub-piece to these future CC breaches in light of 1Oct15, would be reporting:

    1) the % of the CCs breached that are EMV/PKI vs. non-EMV equipped;

    2) for the breached Merchant, what % of his POS readers are EMV capable, vs. what % of his EMV readers are actually connected and make the PIN entry a choice for the Cardholder.

    I would expect your bank sources (Issuers) will know #1, as the Issuers now have a husky fraud/loss claim against that breached Merchant by the 1Oc15 rules.
    The Merchant and his Acquiring Bank know #2 exactly, but embarrassed to reveal until the Issuers’ loss claim/lawsuit arrives.

    Given our non-functional Congress, investigative reporters are nearly the only force that may influence either the FedRes or the Brands, to “copy & paste” by a date certain, the EMV protocol that other advanced, rich, democratic countries have already field tested and implemented 15 years ago to stop the Card Present CC fraud, and get to work on the CNP problem. The US is the leak in the bucket.

    Until then, given the Brands’ slo-mo intro of US EMV, CC breaches are now a Cardholder spectator sport. Let the games proceed…

    For the Carders/thieves who are loyal readers, the US gold vein is deep and rich for 5-10 more years. Who said crime doesn’t pay? And they do it without a gun…

    1. tmiw

      If PIN is the major security-enhancing component, why not just require PIN on magstripe? Retailers could have done that right now for debit without enabling EMV, yet they didn’t.

      Why would any bank remove magstripe when in your own words, barely anyone’s rolled out EMV? Doing so would make their cards unusable in the US.

      Frankly, retailers don’t really care about security. It took Target’s breach before they implemented P2PE and EMV, so I wouldn’t be surprised if some retailers put it off until they get hit with a breach as well.

      BTW, some banks have already implemented Verified by Visa/MasterCard SecureCode–it’s just that very few online retailers are using it. That will likely change quickly once EMV becomes more common, especially since liability goes to the issuers if it’s used.

      1. Blanche Dubois

        My post did NOT call for removing the magnetic stripe from either EMV credit or debit US cards.
        That would prevent the EMV/PIN card’s use in non-EMV, backward countries: Haiti, US, Moldova, Brazil, Thailand, etc.
        As a prior Dutch blogger pointed out, his Dutch Issuer SUSPENDS his card’s magstripe use inside the EU. All Dutch Merchants can risk running a magstripe card, since those cards are used by visiting backward foreigners (or Euro thieves using US cards).

        When the Dutch Cardholder goes to backward magstripe-only countries (Serbia, US, Colombia, etc.) he must inform his Issuer of the exact dates, & Issuer then activates the magstripe feature for those dates, and only those countries. That sharply limits the theft and resale fraud opportunity for the Thieves, in favor of stealing those lucrative magstripe US cards.
        Because all Dutch Merchants had to have a connected, EMV reader by a date certain, the Issuer was in a position to better protect himself & his Cardholder.

        For the CNP fraud opportunities provided by “Verified by Visa/MasterCard SecureCode” suggest you google that term, and read in light of keyboard malware, higher Merchant expenses, let alone reduced sales.
        It’s value is in being a good first draft on CNP security (as a “4 sided wheel” gives hope that someone will make it an octagon, on its way to a circle, sooner rather than later).

  19. Surfer100

    I have several credit cards. Each one is set to send me alerts of EACH transaction on that card in real time. Also, I don’t use my one debit card, except infrequently at an ATM, for all the known risks. And of course my checking account is sent to send me an alert of EACH transaction. These steps don’t stop the crime, but they might help with knowing about it in real time.

  20. Nick B.

    I ate at Wendy’s in Wapakoneta recently. Their chilli is excellent. No suspect transactions on my card. There was a fire last at the Anna restaurant which is closed for refurb, could this have been somebody overheating the grill?

  21. Gigi S

    Has any dates been established for the Wendy’s data breach? We have a list of compromised cards given a date range of 5/4/14 to 12/31/15. Was wondering if this could possibly be from this breach.

  22. David Thomas

    Solutions are only as good as the team implementing the secured network solution. We have the team + over 40 years experience. check us out we will make you PCI Compliant with no upfront costs and affordable monthly payments. http://marstechnology.tech/

    1. Paul Sands

      I’m actually surprised cyber criminals went after Wendy’s unless their point of sale solution was so outdated it was extremely easy.

      The trend with cyber criminals is to go after small and medium sized businesses. They can stay under the FBI’s out manned and out gunned radar and collect as much card data from 10 medium sized businesses as one big one and it’s a lot easier.

      I still see Windows XP systems all over the place and unsupported payment gateways with expired security credentials. Most card processors and POS dealers don’t care because they have no skin in the game so the merchant thinks all is good, they won’t head warnings when confronted with facts and yet as a merchant they’re 100% responsible for their customers card data security. Average cost of breach $5.85MM

      To this day very few point of sale solution companies are up and running with EMV even though they had plenty of notice of the EMV liability shift. The best solution is to move payments out-of- scope when they’re making the upgrade so no card data has access to servers and the EMV card readers should have end-to-end encryption and tokenization. That’s as good as it gets. All those readers are EMV, Android Pay and ApplePay capable.

      If the merchant can’t afford an upgrade they can use an unused “other” button on their POS, get a stand alone EMV terminal with NFC for ApplePay and Android Pay with end-to-end encryption and tokenization and deal with the duplication of key strokes until they choose to upgrade. It’s not as bad as most merchants think. Those new terminals run extremely fast on IP and only cost $200. If they want to make NFC more accessible because of their terminal’s location an NFC pin pad costs $130.

      Whoever said you can’t grab card data with an NFC hacking device is wrong. That was proven in a mall in Atlanta about six months ago. The bad guys figured out how to excite the chips in cards from quite a distance when EMV came to the largest economy in the world. The cards aren’t worth re-producing-so that’s what ill prepared e-commerce merchants will get to deal with.

Comments are closed.