27 Jan 16

Wendy’s Probes Reports of Credit Card Breach

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations.

Bob Bertini, spokesperson for the Dublin, Ohio-based restaurant chain, said the company began receiving reports earlier this month from its payment industry contacts about a potential breach and that Wendy’s has hired a security firm to investigate the claims.

“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

Bertini said it was too soon to say whether the incident is contained, how long it may have persisted, or how many stores may be affected.

“We began investigating immediately, and the period of time we’re looking at the incidents is late last year,” he said. “We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope.”

When KrebsOnSecurity initially began hearing from banking industry sources about a possible breach at Wendy’s, the reports were coming mainly from financial institutions in the Midwest. However, this author has since heard similar reports from banks on the east coast of the United States.

The Wendy’s system includes approximately 6,500 franchise and company-operated restaurants in the United States and 28 countries and U.S. territories worldwide. Bertini said most of the U.S.-operated stores are franchises.


122 comments

  1. Would you like your data breach small, medium or large?

  2. I guess my kids won’t be getting Baconator fries for a while.

  3. Brian,

    Of course this is another case where EMV (chip cards) would mitigate, but only if they become mandatory. How far are we from that? Can you maybe do a status report on EMV mandates?

    • Incorrect, if it’s like any of the other POS breaches, data was captured on the POS somewhere. The data could still be stolen and used for e-commerce fraud. EMV would only prevent card duplication. E2E encryption and/or tokenization would be more effective in this scenario.

      • Correct. EMV chip cards would not have helped Target at all… we’ll have to wait and see here (my guess is the bad guys own their POS systems and it won’t help here either) – but it seems like Wendy’s was still using swipe-only tech when I visited them a couple of weeks ago.

        • Good points. This is another good reason to implement security at every layer possible: application, network, database, etc. Also, encrypt the data as soon as possible before it is stored.

      • I’m pretty sure this is wrong. EMV prevents card data from being stolen at the POS. If I’m wrong please correct me though!

        • That’s not correct, Sam. Your EMV card protects against card duplication, which mag strips are extremely vulnerable to. Many merchants are moving toward using End-to-End (E2E) encryption, which encrypts your card information at the MSR rather than the POS terminal. Since many of the devices capable of E2E are the same devices used for EMV transactions, there is some understandable confusion among consumers about how these technologies work and why the transition to EMV is even happening.

          • So when using EMV it’s not encrypted at the POS? Isn’t that the point of EMV?

            • I believe EMV is a positive in that the card verification value on EMV transactions is dynamic (changes every transaction). On mag, it’s static, so stealing the CVV, PAN and exp date means you can clone the card and use it. But you can’t do that for EMV (both because you don’t know how the iCVV should change, and because the chips are hard to make). But you CAN still capture the PAN and exp date, which are transmitted in the clear. As another poster said, I think you can use the PAN and exp date to then commit CNP fraud (if the merchant doesn’t ask for a CVV2 or other anti-fraud measure).

        • The chip on the EMV card contains some key pairs which are used to cryptographically sign a one time authentication code for the transaction. It has a quick expiration and is valid only for that transaction. EMV is all about verification that the card is not counterfeit, and if used with PIN, provides good authentication that it belongs to the card holder at the point of sale. But the card holder data that is transmitted at the POS is not presently being encrypted. It could still be intercepted by a skimmer and used for card not present transactions.

          • On reflection my use of “counterfeit” might be confusing. Before EMV was rolled out in Europe and Japan legitimate card data could have been stolen and used to make cards with the traditional magnetic stripe. But in a 100% EMV world those cards are useless at the POS because they would not be accepted. And the chip cards have remained impervious to counterfeiting since their introduction. This should be the end result when adoption in the U.S. is complete.

          • The EMV design is flawed… but more secure than mag. stripe. Google the Cambridge 2012 video of a guy putting ANY PIN in an EMV card and it works. You have to retain physical access to the card (as you normally do with most chip transactions) …the card was wired up his sleeve to his laptop in his backpack.

            There was hope that the flaw would have been fixed before the US adopted Chip & PIN but they believe the risk was not worth the expense of updating the standard, then all the terminals.

      • How can the info be used for ecommerce fraud? The CVV code is not on the magnetic strip, nor is the cardholder’s billing address (AVS).

        • As I posted below a lot of places don’t actually check those. Amazon for instance doesn’t ask for CVV2 (but I think they check the billing address, which one could easily find from public records or data dumps from hacked websites).

      • In theory the data skimmed from an EMV chip shouldn’t be usable for Internet purchases since there’s no way to get CVV2 (the three digit code on the back) from it. Unfortunately, a lot of online stores don’t check that or the billing/shipping address. I imagine that will change very quickly once EMV becomes more common though.

      • How about a shift away from the POS performing the encryption of the data and having the eftpos terminal actually perform the encryption of sensitive data prior to passing the data to the POS. Thus removing malware as point of compromise.

        It seems like this type of attack would be completely mitigated if implemented.

    • I sort of did that the other day when I wrote about the Hyatt breach, only most people probably didn’t read the rant part.

      http://krebsonsecurity.com/2016/01/hyatt-card-breach-hit-250-hotels-in-50-nations/

      • I see. One thing you didn’t mention and which I’ve heard is that merchants are very concerned about the extra time it takes to dip rather than swipe, and based on personal experience there is a difference. It might be just a second or two, but if you’re Wal-mart it’s still a problem. But I guess if everyone has to do it then it’s not a competitive problem.
        Also I noticed that my Target card still doesn’t have a chip. They started sending out the chip cards last August and expect to be finished in Spring. I wonder if the chip cards even have a magstripe.

        • My Target REDcard credit card is a new one with the chip, and is the only card that I have that requires a PIN number to be entered at purchase. It also has no mag stripe at all.

        • The “dipping” process typically doubles the transaction processing time and the failure of most USA card issuers to include the contactless feature (mandatory for UK banks) almost guarantees many small ticket merchants will not implement EMV because of the lengthy transaction times and their negative impact on number of customers served during a busy period.

          • Not including it was probably the best choice, unfortunately. Americans are VERY anti-contactless thanks to the disaster that was Visa/MC’s attempted rollout a decade ago. There’s a good possibility that if major banks included it in the physical cards during the EMV rollout, people would stop using cards altogether. It’s only even being talked about now thanks to Apple and Android Pay.

        • My bank card (with chip) absolutely does have a mag stripe. This is because so few merchants have the new tech up and running to process the new cards. Target cards can do away with the mag strip because they do have the tech up and running. Presently, they are the only merchant I shop with that does have the ability to handle the chip cards. Everyone else in my area has the new machines, but they are not operational.

  4. My debit card has a pin, but everywhere I have used it, they report they cannot take the pin card for debits, then I have to swipe it. Anyone else have the same issue?

    • Kirstie, yes, I’ve had the same issue – it’s only at retailers who force use of the EMV chip (like Walmart.) For some reason, several retailers have not fully set up their systems to use a PIN with EMV. My credit union told me that they’ve been having nothing but issues with those retailers.

      • I just had my credit union debit card replaced last weekend because it split in two pieces. I was pleased to be able to get an immediate replacement, but disappointed it didn’t have the EMV chip.

        • I recently had to go to the California DMV for DL renewal, and they are telling everybody that they cannot accept debit cards with chip. They only take chipless cards (or checks)…

    • Never use debit cards, they are tied directly to your bank account. You have zero liability with most all credit cards and they pay you to use them. There is zero benefit to using a debit card for swipe transactions.

      • There is a safe way to use debit cards. The $5 throwaway. Go anyplace that you want. For the use, you have to deposit money to the card. Then if someone has the gumption to relieve you of your earnings, you just lose that amount, throw away that card, get another. But it isn’t tied to anything valuable of yours. You can use it online, in the meanest of areas, and know how much you should be able to spend.

        • Credit cards are less hassle than debit cards when there is fraud. But it’s important to remember that you have no liability as long as you report any fraudulent transactions.

          I don’t believe steering people to prepaid cards is the answer. These cards come with all kinds of hidden fees (maintenance, withdrawal, deposit, etc.).

          • BrianKrebs: you wrote re debit cards
            >that you have no liability as long as you
            >report any fraudulent transactions.

            what is missing is “in a timely manner”

            For consumers, loss is limited to $50 if the institution is notified within two business days. Loss could be up to $500 if the institution is notified between 3 and 59 days. If the loss is not reported within 60 business days, the customer risks unlimited loss on transfers made after the 60-day period – could lose all money in the account plus the maximum overdraft, if any. The problem is that few consumers check their accounts every two days.

            links to sources at
            http://nc3.mobi/references/debit_vs_credit/
            under “Rules & Regulations” near the bottom of the page

            Jonathan @NC3mobi

            • In Mass the $50-$500 liability is thrown out the window. State law trumps Federal as State is the more Consumer Friendly so we have to pay everything….Card stolen, PIN written on the back (NOTE: NEVER DO THAT PLEASE!!), Customer reports, there is no liability, not even $50!

          • Just had my Google Wallet Card compromised. They only got the $29.31 I had on it. Which is exactly why I use the Google card. I scrolled down the list of transactions and the Wendy’s visit On 11/8/2015 jumped out at me. Since the current transaction from the copied card is still pending, I can’t dispute it yet, but google tells me I will get my money back as soon as I dispute it tomorrow once it settles. Anyone know what the date range is yet for these Wendy’s transactions?

  5. I too would appreciate an update on EMV mandates. Thanks for suggesting, Larry.

  6. Cash people, cash!

  7. I am back to cash.

    • Every time you swipe your card, the bank takes about 2-3%. Another reason to use cash. It is a hidden tax the banks take on everything you buy. The retailer has to raise their prices to cover the cost. Cash is also real property and free and clear ownership. Credit is purely a derivative with higher counterparty risk.

      • Scott in Aztlan

        > Every time you swipe your card, the bank takes about
        > 2-3%. Another reason to use cash. It is a hidden tax
        > the banks take on everything you buy. The retailer has
        > to raise their prices to cover the cost.

        Actually, that’s a solid reason to use credit cards whenever possible: unless the retailer offers a 3% discount for cash, the fees for using a credit card are already bundled into the price. If you use cash you are only subsidizing the rest of us. 🙂

      • The fees have been long baked into the price. Unless you negotiate that reduction at every transaction, you are paying just as much but earning none of the benefits that come with loyalty programs.

  8. And how are you going to obtain that cash? From an ATM? Using a card? Because, heaven knows, you can’t do things with a bank teller anymore.

    And the Circle of Life continues.

    • Cash in my wallet and more at home just in case I can’t get to the bank for a week or two.
      If – I lived in an area with muggings I might not, but I don’t.
      I’ve experienced CC fraud once, never been mugged. For me, cash works all non-major purchases in person. My CC is for very specific purchases only.

  9. So THIS is what happened to me back in December. I’m in the Midwest and went to a Wendy’s location near my house on Dec. 21st. Shortly after, on Dec. 30th, I was called by my CC company because they flagged some fraudulent charges on my card (to the tune of almost $400+) in Illinois. This happened while I was in Virginia visiting my relatives. I was wondering how that happened since I was carrying my card and I’m very careful with it.

  10. Just before Christmas my card was used online for a purchase of over $1000. I happen to get Wendy’s for lunch once a week, so very interesting seeing this now. Passing this on to the Detective pursuing the fraud. Guess I’ll start using cash now for lunch.

  11. Caveat emptor (or eater).

    I had my info jacked at a Five Guys. The corporate office was very interested, especially since I mentioned the young lady had to run my debit card twice. I was told that isn’t normal practice. When I went there to confront the young woman, I was told she had abruptly quit.

    Fortunately, my bank was very alert and notified me that my card had been used in a location 50 miles from me and thought it was suspicious, so my account was frozen. I was refunded the 10 dollars the a****** obtained.

  12. “We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

    To use an inappropriate analogy, the horse has already left the barn. I.e., hiring a cybersecurity firm should have been done long ago.

  13. …I can personally verify that this theft is continuing. Late morning on Wednesday January 20th, 2016, my fiancée used her Chase Freedom Visa card at a Wendy’s in Elk Grove, CA. About half an hour later a fraudulent charge was attempted with that card. I discovered this when attempting to use the card early in the afternoon that same day, and the charge was declined, at which point I called Chase (thanks Chase for notifying me, NOT!)

    I’m thinking Wendy’s might want to expand their investigation a bit beyond December 2015 as the theft is still occurring.

    • Turnaround is rarely that fast, though your area is chock full of card fraudsters so it may be possible.

    • It would be nearly impossible for the skimmed card to have been remade that quickly. They have to skim it, download it, magnetize it and sell it. For most people the card isn’t used again until 5-6 months if not longer after it was skimmed. If it was used within a day or so of going to a Wendy’s more than likely that’s a coincidence, it was probably skimmed elsewhere months ago.

    • Suspect this happened to me in the same area as well.

      Went to Wendy’s in Sacramento (on Northgate) on December 22 and used my EMV debit card. On Jan 1, Simple reached out to me and asked if I’d attempted a purchase at “Beach Club” in Noatak, AK.

      Definitely didn’t, had to get a new card sent out.

  14. Kurami is exactly right and it is important that everyone know this. EMV was a tool that the card industry used to shift liability to merchants, period. Does it help? Yes, but for many technical reasons, it simply does not secure the transaction. Point to point encryption with an unbroken tunnel from consumer to transactor and tokenization is the answer, but that is VERY hard to explain to the average consumer. Until merchants achieve this level of security, the transaction will be at risk. Also keep in mind that the card industry used this outdated mag-strip technology for years without investing in anything better (reaping profits the whole time) and then shifted the liability to merchants to ‘fix’ the issue, who, by the way, have to bear all the cost of re-tooling their equipment to meet these requirements.
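The EMV discussion in comments 3 and 14 (a static stripe is replayable, a chip cryptogram is single-use, the PAN and expiry still reach the POS in the clear unless the terminal encrypts them first) can be made concrete with a small simulation. This is an added example, not code from the article, from Wendy’s, from WAND, NCR or any commenter; the PANs, keys and amounts are constructed, the cryptogram is an HMAC-SHA256 stand-in for the real EMV application cryptogram, and the terminal-side cipher is a toy XOR keystream used only to show what POS-resident malware would and would not see.

```python
"""Toy model of mag-stripe replay vs. EMV per-transaction cryptogram vs. P2PE.
Added example; all card numbers, keys and amounts are constructed for the demo."""
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, pan: str, exp: str, amount: int, atc: int, un: str) -> str:
    # Stand-in for the EMV application cryptogram: a MAC over the transaction
    # data, the card's transaction counter (ATC) and the terminal nonce (UN).
    msg = f"{pan}|{exp}|{amount}|{atc}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class MagStripeCard:
    """Track data never changes, so reading it once is enough to clone it."""
    def __init__(self, pan, exp, cvv1):
        self.track2 = f"{pan}={exp}{cvv1}"

    def swipe(self):
        return self.track2


class EmvCard:
    """The key stays on the chip; every use bumps the ATC and MACs the
    transaction together with the terminal's unpredictable number."""
    def __init__(self, pan, exp, key):
        self.pan, self.exp, self._key, self.atc = pan, exp, key, 0

    def generate_ac(self, amount, un):
        self.atc += 1
        ac = _cryptogram(self._key, self.pan, self.exp, amount, self.atc, un)
        # This is what crosses the POS: PAN and expiry in the clear, plus a one-time MAC.
        return {"pan": self.pan, "exp": self.exp, "amount": amount,
                "atc": self.atc, "un": un, "ac": ac}


class Issuer:
    def __init__(self):
        self.track2, self.keys, self.last_atc = {}, {}, {}

    def enroll_stripe(self, card):
        self.track2[card.track2.split("=")[0]] = card.track2

    def enroll_chip(self, card):
        self.keys[card.pan] = card._key

    def authorize_swipe(self, track2):
        # Static comparison: a scraped copy is indistinguishable from the real card.
        return self.track2.get(track2.split("=")[0]) == track2

    def authorize_chip(self, m):
        key = self.keys.get(m["pan"])
        if key is None or m["atc"] <= self.last_atc.get(m["pan"], 0):
            return False  # unknown card, or a counter value already seen (replay)
        want = _cryptogram(key, m["pan"], m["exp"], m["amount"], m["atc"], m["un"])
        if not hmac.compare_digest(want, m["ac"]):
            return False  # data tampered with, or MAC not made by the real chip
        self.last_atc[m["pan"]] = m["atc"]
        return True


def p2pe_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy terminal-side encryption (XOR with a SHA-256 keystream). Only the
    processor holding `key` can read it; the POS just relays opaque bytes."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(a ^ b for a, b in zip(plaintext, stream))


def run_demo():
    issuer = Issuer()
    stripe = MagStripeCard("4111111111111111", "1812", "123")   # constructed PAN
    chip = EmvCard("4111111111111111", "1812", secrets.token_bytes(16))
    issuer.enroll_stripe(stripe)
    issuer.enroll_chip(chip)

    # 1. Swipe: malware scrapes track 2 from POS memory and replays it later.
    scraped = stripe.swipe()
    issuer.authorize_swipe(scraped)                     # the legitimate purchase
    swipe_replay_ok = issuer.authorize_swipe(scraped)   # the clone

    # 2. Chip: malware scrapes the whole authorization message.
    msg = chip.generate_ac(amount=850, un=secrets.token_hex(4))
    assert issuer.authorize_chip(msg)                   # the legitimate purchase
    chip_replay_ok = issuer.authorize_chip(dict(msg))   # same message again
    forged = dict(msg, amount=20000, atc=msg["atc"] + 1)
    chip_forge_ok = issuer.authorize_chip(forged)       # fresh ATC, wrong MAC

    # 3. The PAN and expiry were still in POS memory (CNP fraud risk)...
    pan_in_clear = msg["pan"] in str(msg)
    # ...unless the terminal encrypted them before the POS ever saw them.
    blob = p2pe_encrypt(secrets.token_bytes(16), str(msg).encode())
    pan_in_p2pe_blob = msg["pan"].encode() in blob

    return {"swipe_replay_ok": swipe_replay_ok, "chip_replay_ok": chip_replay_ok,
            "chip_forge_ok": chip_forge_ok, "pan_in_clear": pan_in_clear,
            "pan_in_p2pe_blob": pan_in_p2pe_blob}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value}")
```

The issuer rejects the replayed chip message on the ATC check alone, before it even verifies the MAC, which is the property the comments describe: the chip data a RAM scraper captures is worthless for a second card-present transaction, but the PAN and expiry it captured alongside are exactly what a card-not-present merchant that skips CVV2 and AVS checks will accept. Only when the terminal encrypts before handing data to the POS does the scraper come away with nothing usable.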

  15. I purchased a large chocolate frosty there yesterday with my favorite credit card! It was delicious. I regret nothing.

  16. My debit card information was stolen December 2015 after I had just received a new card on Monday, and by that Friday, the only other place I had gone to out of my normal schedule was Wendy’s. That night, after ordering from Wendy’s, my debit card number was stolen and charged over $100 at a local Wal-Mart.

    Wonder if it’s related. That’s in Linthicum, Maryland.

  17. Matthew P Clements

    Anyone know what Point of Sale software Wendy’s uses?

    • Wendy’s uses NCR point of sale in most locations.

    • All of the corporate stores and most of the franchisees use NCR Aloha. 20% or so use WAND or other POS vendors. Nearly all Wendy’s locations use Vantiv as their processor.

  18. I love it when I’m reading an article on a newspaper site and see this in the text “The investigation was first reported by the website KrebsOnSecurity on Wednesday.”

  19. Matthew P Clements

    Looks like WAND – which I have never heard of – but they have a nice client base based on their video prompt on their page… DQ, McAllisters, Boston Market, Moes, etc. If someone made a package to scrape the numbers from memory and got it into the POS, card bonanza!

  20. Someone stole over $100 to purchase Amazon Prime from my daughter’s debit card, which she used at Wendy’s. My daughter works at the Wendy’s in Louisville, Kentucky. She got paid in December 2015 on a Friday that morning. At 1am Saturday morning someone bought Amazon Prime with her card. She said two days later, “Now I’m broke.” I said, “Already? How can that be?” I looked online at her purchase history and noticed there was a purchase from her card the day after she got paid: someone bought an Amazon Prime package that was worth over $100. They bought the expensive package at that. She had to call and get a new card and get that payment reversed.

    • Amazon Prime is not something you buy as an item. It is charged after a 30-day trial where you get free shipping after buying something from Amazon. Everyone keeps blaming Amazon, but when you say “send my item free shipping,” 30 days later you get signed up for Prime. All you have to do is cancel it and they refund you.

  21. The more I see of these, the more I am coming to believe that the problem is most companies are trying to do everything ‘on the cheap’, as in:
    – Ignore that report from a trusted company you contracted with, that you have a severe problem (TARGET!!)
    – Set it and forget it mentality. Sure, I put protection in when I installed!
    – Failure to do penetration testing on a REGULAR basis by a trusted 3rd party.
    – Doing things “on the cheap”….old POS systems….old software… etc etc.

  22. My Capital One card was one of the affected cards. This happened in NJ and the fraudulent activity happened in Miami Fla. 3rd week in January 2016. There must be some IT people making my burgers.

  23. Got a new credit card on 30 Nov 2015. Used it for a couple of weeks, including at least 2 trips to a Wendy’s in the western suburbs of Chicago, then got a fraud alert on 20 Dec 2015 for a $100 charge somewhere in New Jersey.

    So, less than 3 weeks of (relatively) careful use, with very limited options for who it could have been. I’ve been checking Krebs almost daily since then, knowing that eventually there would be a “eureka” post. And here it is.

  24. Happened to me in WA state. Used a new EMV Marriott card at a Wendy’s and a few days later it was used for a purchase online. The credit company flagged it and contacted me right away to make sure it was legitimate and I cancelled it right away. It wasn’t a huge purchase, so I wonder how the credit card company knew it was fraud.

  25. Wendy’s provider of point of sale (POS) systems is WAND who in August launched an improved POS solution to add a “new dimension of security to protect against credit card fraud” and “dramatically decrease the likelihood of hackers obtaining credit card information.”

    https://www.wandcorp.com/wand-adds-new-payment-software-and-emv-terminals-to-popular-restaurant-point-of-sale-system/

    • NewPOSFailedAtWAND

      Well, I guess some [criminal type] bodies wanted to test WAND’s newest member of the POS security family. And obviously we now have the results of their probe. And the ‘Universal POS Failure Award’ goes to ‘WAND’ in MN. Who runs their security and sales depts. these days, Sven and Olaf?

      • NewPOSFailedAtWAND

        Hey, I’m Swedish, so it’s a right of mine to bag on my peeps. OK,
        now that that’s out of the way.

        Hey thar, Are you from Minnesota?

        i like their tagline on the home page:

        About WAND Corporation
        WAND Corporation is the global technology leader for the restaurant industry partnered with the most well-known and world-class brands in the business. Delivering on our mission to be the greatest restaurant management and technology partner in the world, WAND delivers Digital Menu Board, Point of Sale and Back Office through the next generation cloud-based Total Restaurant Management (TRM) platform.

        it’s longer than my email sig.

        I wonder if this was their cloud being vaporized moment?

        Hey thar, Are you from Minnesota?

      • oley olsen?

  26. Wendy’s hitched their wagon to the wrong star: they should have accepted Apple/Android Pay instead of being locked into CurrentC

  27. Some credit cards, at least the ones I use, allow for usage notifications via SMS and/or email. You can set dollar limits, time windows, etc. I have configured mine to message me for every transaction no matter the dollar amount. Swipe the card at a gas pump, usually get a text before I start pumping. This eases the burden of having to check the accounts often, but will prompt you to investigate immediately if there is a charge you don’t recognize.

  28. They got me! I live in Wisconsin and stopped at a Wendy’s in Oak Creek, WI, on 12/3/2015. And this month my account was hit for 2… $200 transactions in Houston, TX. Walmart and another place in Ohio just before… I called my card company and they said I have to prove it was not me… Who do I call from Wendy’s?

    • Not true! Look at federal laws, it’s the bank’s job to prove it wasn’t fraudulent. If it’s credit card, you are liable for at most $50, but most banks have zero liability policies. You can probably also check the bank’s web page to see their fraud rules.
      You may need to mail them a form to get protection though.
      You do NOT have to pay the charges while it’s being investigated.
      Here’s a summary from the gov
      https://www.consumer.ftc.gov/articles/0219-disputing-credit-card-charges

    • FWIW, Wisconsin doesn’t seem to be a strong state in this area:

      https://www.wdfi.org/ymm/brochures/credit/check_cards.htm
      «State of Wisconsin Department of Financial Institutions»

      «Liability for Lost or Stolen Cards

      When either a debit card or credit card is lost or stolen it is important that the cardholder notify the card issuer of the problem as soon as possible. Any delay can put the cardholder at risk. However, it is important to understand that CONSUMERS HAVE LESS PROTECTION WITH DEBIT CARDS THAN THEY DO WITH CREDIT CARDS.
      Credit Cards

      If you report your credit card lost or stolen before the thief uses the card, you cannot be held responsible for any fraudulent charges. If fraudulent purchases or cash advances are made before you report the credit card missing, your liability is limited to $50 per card.
      Debit Cards

      The process is different for debit cards. If you report your debit card lost or stolen before the card is fraudulently used to make purchases or cash advances; the card issuer cannot hold you responsible for the fraudulent use. If the card is used by the thief before you report it missing, but you reported the card missing within two days of discovering the card missing, your liability is limited to the amount of the fraudulent withdrawals or $50, whichever is less. If you do not report the card missing within two days, your liability rises to the amount of the fraudulent withdrawals or $500, whichever is less. If you don’t report the card missing within 60 days of receiving your first account statement that showed a fraudulent withdrawal, you can be liable for all withdrawals. That means you could lose everything in your account in addition to the unused portion of any line of credit that was established to cover overdrafts. Regardless of when you report the card lost or stolen, you cannot be held liable for any unauthorized withdrawals made after you reported the card missing.

      To encourage the use of debit cards some financial institutions may have policies that provide more protection against unauthorized use than what is required by law. For instance, an organization may extend the length of time the customer has to report a stolen card or may state it will not hold customers liable for any unauthorized withdrawals. It is important to fully understand these policies because they may not be as good as they first appear. For instance, an organization may have a “no liability policy,” however; the policy may only apply if the thief uses the card with that organization’s network.
      Errors

      If an error or problem appears on your monthly account statement you should notify the financial institution immediately. After being notified of an error, the institution has 10 days to investigate. If more time is needed, the institution may take up to 45 days for the investigation but only if they credit the customer’s account in the amount of the error. If the error involves a point-of-sale transaction the 10 and 45 day limits increase to 20 and 90 days, respectively. After the investigation the financial institution will correct the error or explain why they believe there is no error. If you fail to notify the institution of any error within 60 days after receiving the monthly statement that first reported the error, you will have little recourse. The institution is not obligated to investigate any error if you miss the 60-day deadline. So, to protect yourself be sure to review your monthly statements in a timely manner.

      Debit Card Problems can be Worse than Credit Card Problems

      When an improper charge appears on your credit card you are not automatically out the money and you simply need to work with your credit card issuer to have the charge removed from your bill. When an improper charge occurs with a debit card, however, the funds are automatically taken from your account and you are burdened with attempting to get your own money back. Meanwhile, you may experience cash flow problems and your legitimate checks could bounce.»

  29. I heard about this story on national radio news last night. I was thinking, wait a minute, this sounds like can it be… a Krebs story. And sure enough, they mentioned Brian Krebs!

  30. Probably would’ve been less likely to occur if they used chip enabled readers. Since they don’t have them I guess the liability will fall onto Wendy’s? Probably the first big case since the liability shift..

    • The Banks, or CC Companies, who issue the card actually take the hit for the Fraud. It’s a protection under Federal and State Regulation E Law. Until there is a full investigation into the incident, and then a TON of hoops for the card issuers to jump through, a class action lawsuit is usually filed. Either way the consumer is fully protected against fraudulent transactions, which is the main concern.

      Cheers!

    • The liability will now fall on the merchants where the fraudulent data is used. So if the breached data is used to make fraudulent cards, the merchants who accept those cards and do not have chip terminals will be liable. Wendy’s won’t be liable for anything -unless they get sued like Target.

      • The brands liability shift applies only if the compromised card was a chip card, and the merchant that accepts the counterfeit card is not enabled to read the chip. In this case, if the magnetic stripe data was compromised by a breach of Wendy’s systems and is later used to produce a counterfeit card, the liability for a fraudulent transaction performed with the counterfeit card will fall on the merchant that accepts the counterfeit card, not on Wendy’s.