19 May 16

Noodles & Company Probes Breach Claims

Noodles & Company [NASDAQ: NDLS], a fast-casual restaurant chain with more than 500 stores in 35 U.S. states, says it has hired outside investigators to probe reports of a credit card breach at some locations.

Over the past weekend, KrebsOnSecurity began hearing from sources at multiple financial institutions who said they’d detected a pattern of fraudulent charges on customer cards that were used at various Noodles & Company locations between January 2016 and the present.

Asked to comment on the reports, Broomfield, Colo.-based Noodles & Company issued the following statement:

“We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third party forensic experts. Our investigation is ongoing and we will continue to share information.”

The investigation comes amid a fairly constant drip of card breaches at main street retailers, restaurant chains and hospitality firms. Wendy’s reported last week that a credit card breach that began in the autumn of 2015 impacted 300 of its 5,500 locations.

Cyber thieves responsible for these attacks use security weaknesses or social engineering to remotely install malicious software on retail point-of-sale systems. This allows the crooks to read account data off a credit or debit card’s magnetic stripe in real time as customers are swiping them at the register.

U.S. banks have been transitioning to providing customers more secure chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.

However, most of these chip cards still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to let customers swipe the stripe, or that have no chip card readers in place, now shoulder all of the liability for any transactions later determined to be fraudulent.

While a great many U.S. retail establishments have already deployed chip-card readers at their checkout lines, relatively few have enabled those readers, and are still asking customers to swipe the stripe. For its part, Noodles & Company says it’s in the process of testing and implementing chip-based readers.

“The ongoing program we have in place to aggressively test and implement chip-based systems across our network is moving forward,” the company said in a statement. “We are actively working with our key business partners to deploy this system as soon as they are ready.”


43 comments

  1. First!

  2. It is not the chip on the card that encrypts the card data, it is the payment terminal (a.k.a. pin pad). The readers on the device (entry mode option – insert, swipe, tap, or keyboard) all need to provide encryption to be truly secure. And all other readers (keyboard swipes) need to be disabled.

    How far the encryption reaches depends on the implementation. Ideally it reaches all the way to the acquirer, but this is sometimes problematic for very large retailers where multiple financial card acquirers may be used.

    • No. You are talking about 2 different things here. EMV, aka chip, does do a form of encryption to the card data. Essentially, every time you use your card (with the chip, not the magstripe) a different card number is sent from the card, essentially an encrypted card number, that only the acquirer / payment network can “convert” to your actual account. So long as the acquirer / payment network is correctly configured, you can never use that number again, making theft of that number worthless.

      P2P and E2E encryption are something completely different, and can be done at the PIN pad, or less commonly, at the POS. There are certainly many ways to implement this, from just going PIN pad to retailer data center encrypted, to PIN pad to acquirer encrypted, and many permutations in-between. There are plenty of rather easy solutions for accepting multiple card brands and still using encryption. The biggest issue with this encryption isn’t the complication of multiple card brands, it is the cost to do the encryption. In most cases, a retailer will, at a minimum, have to replace or reload every PIN pad device that they have. On top of those costs (hardware and / or labor), if the encryption goes past the retailer, i.e. encrypted from PIN to acquirer / payment network, the retailer has to pay an additional charge for the transaction. That charge varies from 1 to 5 cents per transaction. For most retailers, that is a HUGE cost, one that can be hard to pass on to the consumer, thus adding E2E encryption provides more security, but at a direct impact to the bottom line profits for the business. When you consider most retailers are in the 7.5-15% bottom line profit margin, taking 1-5% off every dollar made can completely change the profitability of the business. Why the banks and processors feel the need to gouge retailers in this way, I have yet to understand, other than the fact that they have traded customer security for additional revenue, because all of the costs get passed back to the consumer anyway when fraud occurs.

      • CJD,

        With all due respect, Chip/EMV transactions today still present the full PAN to the POS system. If merchants implement and accept EMV (Chip) authentication, this is solely to validate that the card is an authentic card. Couple that with PIN and the PIN validates that the person presenting the card is likely the cardholder. For the POS systems and payment processing to continue to occur, full PAN is still exchanged. This is the misunderstanding that continues to leave merchants vulnerable to data breaches. End to End or Point to Point encryption coupled with Tokenization is the only way that these types of data collecting malware attacks and breaches will stop. If the card is encrypted upon swipe, key, dip or tap at a payment terminal and sent encrypted to the processor where they decrypt and tokenize, no card data can be collected from the merchant and the pool of monetizable credit cards available for theft drops dramatically.

        I continue to be concerned that “experts” are saying that EMV will stop this. It has now been confirmed that EMV has been defeated in a simple, non-technical way aided by the card brand rules of “fallback”. The regulations tell the merchant that if they are presented with a card that is a “Chip” card as indicated in the encoding of the MSR, they should “Dip” the card (EMV). If the chip cannot be read (3-5 attempts), the merchant MUST “Fallback” to swiping the card. The criminals know the regulations and are now creating cards that look like they have a chip (stickers or damaged chip) and know the merchant will fall back to swipe.

        Sooo…If a merchant processes chip cards as chip (EMV), their systems will still process and potentially store full PAN if they do not have E2EE or P2PE with Tokenization implemented. Bad guys breach and steal this unencrypted track data. Bad guys encode cards with stolen PAN. If the stolen card was a chip card, no problem, encode the stolen card data onto a fake chip card. Merchant will read, try to dip, and then “fallback” to swipe. Bad guy still wins.

        EMV by itself will do nothing other than shift billions of dollars of liability off of the issuing banks and on to the merchants. This is a shell game and not about security. The merchant community needs to wake up.

        The real criminals are the card brands and the issuing banks. They do not care about security. They are trying to stay one step ahead of government regulation. They care about “frictionless” payments. They want fast, easy payment. The guests are protected. The merchants have paid the price for PCI, interchange fees and now EMV. Enough is enough.

        RTW

        • RTW, you were doing so well with an accurate and informative post. However, the “banks as criminals” rhetoric is just tired and misguided.

          EMV has been an enormous expense for all of us. You’ve managed to disregard the thousands of community banks and credit unions that have been subject to a tumultuous 10-year stretch of fraud, regulatory red-tape and razor-thin interest rates. Institutions (some being non-profit) that despite losing millions of dollars in fraud, spending millions in updates to comply with regs and returning little to no interest income continue to offer consumers generous lines of credit, overdraft protection and credit cards. Those services have allowed many underserved consumers to continue spending money with merchants. In return those same merchants have not always been helpful assisting with fraud prevention – only now do we see large retailers tightening up their gift card sale procedures – initiatives like that could have helped 5 years ago.

          Spare us the generalizations. The issues facing our industry are just too complex for that.

          • EJ,

            I will acknowledge that I may be assigning too much blame to the issuing banks. I also agree that many merchants (including the large ones) have not done their part. With that said, the instrument in question is owned by the card brands and the issuing banks. The responsibility to provide a secure instrument is theirs. They have the power, they have control, they have influence. As a merchant in 2016, there are few options to not accept the major card brands.

            We all pay for fraud but there is little evidence that the industry (particularly the card brands) care about truly stopping fraud. EMV and the associated liability shift in my opinion was used as a stick vs. a carrot. Additionally, it feels more like a shell game just changing who pays for fraud vs. stopping fraud.

            As you indicated, this is far too complex. There needs to be some unity and collaboration between the issuing banks, the card brands, merchants and the consumer. We need to root out the complexity, regulation, cost and all participate in identifying fraud to help law enforcement track down and prosecute these criminals.

            AJD,

            You are correct. As long as the merchant is EMV capable, attempts the EMV transaction and indicates in the message that fallback occurred as a result of a failed read, the liability falls on the issuing bank. Again, that just addresses who pays for the fraud and does not do anything to prevent it. I hope the issuing banks begin to decline “Fallback” transactions. Then, we may be stopping fraud.

            I am sure you can tell I am a passionate merchant who has been engaged in this problem for some time. As a merchant, we have achieved PCI compliance every year since 2007 (CISP), dealt with CAPN and balance receptive with the invention of pre-paid branded cards, have been active in our segment and are just battle weary and don’t see an end in sight. We would all rather serve our customers than constantly fight to defend against thugs and criminals. We are just looking for a real weapon to fight it.

        • Regarding “fallback” transactions, liability falls on the issuer in these cases. The merchant is protected as long as they have an EMV compliant terminal. If the card is not EMV compliant it falls to the issuer as well as “fallback” transactions.

          • I work for a card issuer, and it is for exactly this reason that we have set up our card authorisation strategy to decline all mag stripe transactions at chip-enabled terminals. For our customer base at least, it barely impacts legitimate transactions – while making our cards worthless to skimmers.

            • There are still plenty of non-chip enabled terminals, especially at gas stations, but hopefully not at big box retailers where a lot of the cloned cards are used. I’m afraid I wouldn’t know since I tend to avoid most big box retailers. I know I’m still swiping at Costco but not at some WalMarts. However your strategy should help minimize your fraud exposure.

      • CJD

        The chip still provides a Track II, with the PAN in the clear. What goes with a transaction is a cryptogram that is calculated by the chip that helps authenticate the transaction.

        In addition there is the PIN as additional card holder verification, which has always been encrypted since pin debit became available. Which is another reason to drop chip and SIG, since nobody really checks signatures.

        Yes, P2PE can be expensive, but it reduces the cost of PCI/PA-DSS audits, which are also expensive. And it significantly lowers the risk of a breach, which is very expensive!

        P2PE is an option. Do your cost benefit analysis, and decide!

      • Robert.Walter

        Your comments make it sound like the cost of credit transactions aren’t already priced into the product. After so long on the market, I can’t believe retailers still take the hit for credit card fees. Rather, I think retailers are trying to find a way out from under such fees to add to their profit margin (think CurrentC.)
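The issuer-side policy discussed in the replies above (decline magstripe reads at chip-capable terminals, decline chip-to-magstripe “fallback” swipes rather than merely leaving the liability with the issuer, and the who-pays rules for legacy terminals), modeled as an authorization rule. This is an added example, not code from the article or any commenter; the two-digit entry-mode values are assumed ISO 8583 DE22 conventions, and the liability outcomes are taken from the thread, not from any network’s published rules.

```python
from dataclasses import dataclass

# Assumed ISO 8583 DE22 entry-mode values (first two digits); networks vary.
ENTRY_CHIP = "05"        # contact chip (EMV) read
ENTRY_MAGSTRIPE = "90"   # full magnetic stripe read
ENTRY_FALLBACK = "80"    # magstripe swipe after the chip failed to read

@dataclass(frozen=True)
class AuthRequest:
    pan_entry_mode: str            # DE22 entry mode
    terminal_chip_capable: bool
    card_is_chip: bool
    cryptogram_present: bool = False  # ARQC supplied by the chip

@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    liable_party: str  # who eats the fraud under the thread's shift rules

def authorize(req: AuthRequest) -> Decision:
    """Entry-mode policy: only chip reads backed by a cryptogram are trusted."""
    if req.pan_entry_mode == ENTRY_CHIP:
        if not req.cryptogram_present:
            return Decision(False, "chip entry without cryptogram", "issuer")
        return Decision(True, "chip read authenticated by cryptogram", "issuer")
    if req.pan_entry_mode == ENTRY_FALLBACK:
        # Fallback keeps liability with the issuer; declining it is what
        # stops stolen track data being replayed on a fake chip card.
        return Decision(False, "fallback swipe declined by policy", "issuer")
    if req.pan_entry_mode == ENTRY_MAGSTRIPE:
        if req.terminal_chip_capable:
            return Decision(False, "magstripe at chip-capable terminal", "issuer")
        # Legacy terminal: the liability shift moves fraud on chip cards to
        # the merchant; fraud on a non-chip card stays with the issuer.
        party = "merchant" if req.card_is_chip else "issuer"
        return Decision(True, "magstripe at legacy terminal", party)
    return Decision(False, "unsupported entry mode " + req.pan_entry_mode, "issuer")

def summarize(requests):
    """Count outcomes for a batch of requests, e.g. one day's auth log."""
    counts = {"approved": 0, "declined": 0, "merchant_liable": 0}
    for req in requests:
        d = authorize(req)
        counts["approved" if d.approved else "declined"] += 1
        if d.approved and d.liable_party == "merchant":
            counts["merchant_liable"] += 1
    return counts

# Constructed sample batch: a chip read, a fallback swipe, a swipe at a
# chip-capable register, a chip card swiped at a legacy pump, and a
# non-chip card swiped at the same pump.
SAMPLE = [
    AuthRequest(ENTRY_CHIP, True, True, cryptogram_present=True),
    AuthRequest(ENTRY_FALLBACK, True, True),
    AuthRequest(ENTRY_MAGSTRIPE, True, True),
    AuthRequest(ENTRY_MAGSTRIPE, False, True),
    AuthRequest(ENTRY_MAGSTRIPE, False, False),
]
```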

  3. How long before retailers start posting signs “Chip cards only!”

    • If they had any sense, between about 5 and 10 years ago.

    • itsmeitsmeitsddp

      There is a small chain of restaurants where I live that only take chipped cards or cash and have since the emv transition.

  4. Isn’t there a way to prevent malware of this type from getting installed on the POS terminals? Block USB drives, firewall them away from other network systems, etc.? Of course there is. Why isn’t anybody doing this? Where are the POS vendors?

    • POS – Piece of S…? or
      POS – Point of Sale?

      • Robert.Walter

        Given all the seeming launch problems of chipped card I would say both definitions are simultaneously correct.

    • There is probably no way to absolutely prevent this. But a merchant can drastically reduce the chance of this type of breach by implementing and maintaining the controls in the Payment Card Industry Data Security Standard (PCI DSS), a couple of which you mentioned Dave-O.

      Unfortunately, many businesses seem to have PCI DSS controls in place during their annual audit but let them slip after that.

    • Software whitelisting should prevent these types of breaches, but many people in the restaurant industry don’t want to take on the additional cost. For NCR customers, check out the Threat Defender Product. For others, you may look into products like Carbon Black.

    • More Anonymous Than Usual

      Don’t get me started with the POS vendors. I have a background in IT security and I own a retail company. The POS software requires specific expertise that I have no time or interest in acquiring, so we outsource most of the configuration and whatnot to a POS reseller. The standard experience with these vendors could best be described as “a perfect and complete collection of Worst Practices.” We go in and clean up after them in our company, but obviously most retail businesses don’t have the in-house expertise to even know they have a problem until it’s much too late.

      • Hey Mr. Usual, have you experimented with network ACLs or other controls that would restrict your POS devices to communicating only with the payment processor? From an outsider point of view, this seems like something that could be at least one part of a solution. Curious to hear your thoughts on the level of difficulty to implement and possible effectiveness of this technique.

    • I work for a large financial institution and something that I was surprised about is some POS terminals at stores (and even at bank branches) get stolen and replaced with ones with malware. The criminals must practice this as it only takes a fraction of a second to complete. We have switched to putting asym certs on all devices to stop this, but it is not something done, especially in smaller (non-box) retailers.
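One way to do the network restriction asked about in the replies above: an egress allowlist on the register itself, so the POS can reach only the payment processor, the store resolver and the back-office management host, and every other connection attempt is logged. This is an added example in nftables syntax, not anything a commenter posted; 203.0.113.10 and the 192.0.2.0/24 hosts are documentation-range placeholders for a real processor gateway and store network.

```nftables
# Constructed ruleset for a Linux-based POS register (added example).
# 203.0.113.10 stands in for the payment processor gateway and
# 192.0.2.0/24 for the store's back-office VLAN; both are placeholders.
table inet pos_lockdown {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # DNS only to the store resolver, never to arbitrary hosts
        ip daddr 192.0.2.53 udp dport 53 accept
        # Card data leaves the register only towards the processor, over TLS
        ip daddr 203.0.113.10 tcp dport 443 accept
        # Patch / application-whitelist management server on the back-office VLAN
        ip daddr 192.0.2.20 tcp dport 443 accept
        # Anything else (other registers, office LAN, the Internet) is
        # logged before it is dropped, so an exfiltration attempt is visible
        log prefix "pos-egress-drop " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Remote management only from the back-office host
        ip saddr 192.0.2.20 tcp dport 22 accept
        log prefix "pos-ingress-drop " drop
    }
}
```

Pair this with a matching ACL on the store switch or firewall, since a register that has already been compromised can rewrite its own host rules.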

  5. Love the bit about no terminal use for the card. Theft will now happen to all cardholders. No presence needed in a store. Remember, to get your tinfoil embedded wallets out. If I remember correctly, those DVD chips can be read up to 600 feet away, that was prior to 2000. Using a laptop. Those same programs will run on Android, apple and ms phones. Just walk thru the store, or better yet, wall Street area, and scan?
    By the way, did anyone see the Wikipedia/apple inquiry?

  6. Love Google’s spell check, modifies the sentence nicely. That’s RFID.

  7. Interesting article on slashdot, have Kaspersky, and demo of the malware on ATMs.

  8. RFID NFC communication has a reach of 2 – 4 cm (check Wikipedia); maybe you are thinking of Bluetooth.

    Should you be worried about hackers trying to steal your card number this way? Not likely. It is a very expensive and time consuming way to harvest card data.

    Plus there are other measures in place that restrict the use of a card number that was obtained that way.

    And, as long as they don’t have your PIN, it can only be used for small amounts for which you are not liable.

    • You can read them further than 2-4 cm… you just need the right powered reader… cards will broadcast their info when powered up… Readers in a laptop bag that have been made to do this can reach ~10 feet.. maybe more if adjusted… I haven’t looked at this in a while… Put mine away shortly after building it…

  9. Brian,

    Any details on the potentially affected states/regions?

  10. This process STARTS with the card issuers and they have succeeded in pushing off the liability for their insecure cards. They make truckloads of fees from interchange and customer balances. As a merchant you have to do what the market does – accept cards and try to get enough margin to cover this huge monthly expense. You figure out how to connect to the network through a processor, if you’re a retailer you typically need a POS (or many) and get to pay for that expense. Then you rely on the guidance of that equipment supplier (typically a salesman who knows very little and a technician whose only interest is in getting it functioning). You’re told you need to be PCI compliant, so your processor puts you through the exam and expense to do that annually.
    If you’re a mega corporation, yes, you can probably afford a team of IT staff to try to configure the right settings and take encryption & other precautions. In the real world the majority of businesses are small or micro, so blame them for the lack of knowledge and shift the liability from the bad guys and then tell them to just raise their prices to cover the costs. Oh, don’t forget to tell them they need new POS terminals on a regular basis…

    • On the surface, I sympathize with this position….I understand.

      Most of the biggest problems are not coming from mom-and-pop shops. Wendy’s is not a small time operation. Neither is Target or Sony.

      I am not expecting the mom-and-pop hole-in-the-wall small business to spend hundreds of thousands of dollars on an IT dept. By the same token however, I do expect you (as the small business) to understand that YOUR lack of knowledge, YOUR lack of proper security measures, and YOUR lack of attention to my information is NOT going to make me feel better about giving your business my money.

  11. Where is your Flying Spaghetti Monster now?

  12. Posting here as a comment because I can’t find a way to submit a story to Brian via the site…

    Interesting article posted yesterday at the Mainichi (Japanese daily newspaper, article in English) detailing how a card scam attack against ATM Machines belonging to Japan’s Seven Bank were hit to the tune of USD$12.7 Million in 2 hours. From the scant details provided, it looks very much like an inside job…

    http://mainichi.jp/english/articles/20160522/p2g/00m/0dm/044000c

  13. With the increase in the number of cyber attacks, it is time Enterprises take security concerns seriously and look out for new age security products that focus on solving issues at the endpoint level saner business