09 Jun 16

There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier

When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May. In my March 02 piece Credit Unions Feeling Pinch in Wendy’s Breach, I quoted B. Dan Berger, CEO of the National Association of Federal Credit Unions, saying he had heard from three credit union CEOs who said the fraud they had experienced so far from the Wendy’s breach had already eclipsed what they were hit with in the wake of the Home Depot and Target breaches.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”

Bertini said part of the problem was that the breach happened in two waves. He said the outside forensics investigators that were assigned to the case by the credit card associations initially found 300 locations that had malware on the point-of-sale devices, but that the company’s own investigators later discovered a different strain of the malware at some locations. Bertini declined to provide additional details about either of the malware strains found in the intrusions.

“In recent days, our investigator has identified this additional strain or mutation of the original malware,” he said. “It just so happens that this new strain targets a different point of sale system than the original one, and we just within the last few days discovered this.”

The company also emphasized that all of the breached stores were franchised — not company-run — entities. Here is the statement that Wendy’s provided to KrebsOnSecurity, in its entirety:

Based on the preliminary findings of the previously-disclosed investigation, the Company reported on May 11 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants. An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, the Company directed its investigator to continue to investigate.

In this continued investigation, the Company has recently discovered a variant of the malware, similar in nature to the original, but different in its execution. The attackers used a remote access tool to target a POS system that, as of the May 11 announcement, the Company believed had not been affected. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated. To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

Many franchisees and operators throughout the retail and restaurant industries contract with third-party service providers to maintain and support their POS systems. The Company believes this series of cybersecurity attacks resulted from certain service providers’ remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers.

The malware used by attackers is highly sophisticated in nature and extremely difficult to detect. Upon detecting the new variant of malware in recent days, the Company has already disabled it in all franchise restaurants where it has been discovered, and the Company continues to work aggressively with its experts and federal law enforcement to continue its investigation.

Customers may call a toll-free number (888-846-9467) or email PaymentCardUpdate@wendys.com with specific questions.

Wendy’s statement that the attackers got access by stealing credentials that allowed remote access to point-of-sale terminals should hardly be surprising: The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to hacked remote access accounts that POS service providers use to remotely manage the devices.

Wednesday’s story about a point-of-sale botnet that has stolen at least 1.2 million credit cards from more than 100 Cici’s Pizza locations and other restaurants noted that Cici’s point-of-sale provider believes the attackers in this case used social engineering and remote access tools to compromise and maintain control over hacked cash registers.

Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture the magnetic-stripe track data from each card swiped at that cash register. Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the counterfeit cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.
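As an added illustration (not code from the original post or from any of the investigators), the following Python shows the other side of the "capture data from each card swiped" step: it scans a memory buffer for the ISO/IEC 7813 Track 1 and Track 2 layouts that a RAM scraper hunts for, throws away digit runs that fail the Luhn check, masks the PAN down to BIN and last four, and notes from the service code (first digit 2 or 6) whether the card is a chip card whose stripe still carries the full data. The sample "memory dump" and the test PANs in it are constructed for the example, not data from the breach.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813) as they sit in a POS process's
# memory right after a swipe. A RAM scraper looks for exactly these shapes;
# a defender auditing a memory dump can look for the same thing.
#   Track 1: %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?
#   Track 2: ;<PAN>=<YYMM><SVC><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.'-]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,60}\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,30}\?"
)


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four (what a fraud team needs), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """One record per Luhn-valid card found in buf, deduplicated by PAN."""
    found = {}
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue  # digits that merely look like a track
            svc = m.group("svc").decode()
            rec = found.setdefault(pan, {
                "pan": mask_pan(pan),
                "exp": m.group("exp").decode(),
                "service_code": svc,
                # Service code 2xx/6xx marks a chip card: its stripe still
                # carries everything a counterfeiter needs.
                "chip_card": svc[0] in "26",
                "tracks": set(),
                "offset": m.start(),  # first sighting in the buffer
            })
            rec["tracks"].add(track)
    return list(found.values())


# Constructed sample: a slice of what a swiping POS process's memory might look
# like. The PANs are the well-known Visa/Mastercard test numbers, not real cards.
SAMPLE_DUMP = (
    b"\x00\x00POS.EXE\x00"
    b"%B4111111111111111^DOE/JANE^24121010000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=24121010000000000?"      # same card, track 2
    b"\x00order#4471\x00"
    b";5555555555554444=25062010000000000?"      # chip-capable card (svc 201)
    b"\x00\x00"
    b";1234567890123456=25011010000000000?"      # track-shaped, fails Luhn
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(hit)
```

On a real terminal the same scan would be run over a process memory dump or a packet capture of the POS segment rather than a byte literal; the Luhn filter is what keeps it from drowning in false positives from order numbers and timestamps.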

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone.

Gavin Waugh, vice president and treasurer at The Wendy’s Company, declined to say whether Wendy’s has any timetable for deploying chip-based readers across its fleet of stores — the vast majority of which are franchise operations.

“I don’t think that would have solved this problem, and it’s a bit of a misnomer,” Waugh said, in response to questions about plans for the deployment of chip-based readers across the company’s U.S. footprint. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”

Avivah Litan, a fraud analyst with Gartner Inc., said chip readers at Wendy’s would help, but only if the company can turn them on to accept chip transactions. As I noted in February, although a large number of merchants have chip card readers in place, many still face delays in getting the systems up to snuff with the chip card standards.

Litan said the biggest bottleneck right now to more merchants accepting chip cards is first getting their new systems certified as compliant with the chip card standard (known as Europay, Mastercard and Visa or EMV). And the backlog among firms that certify retailers as EMV compliant is rapidly growing.

Litan said the reality is that chip cards will continue to have magnetic stripes on them for many years to come.

“Unless the mag stripe data is not transmitted anymore and you get rid of the mag stripe, there is always going to be card data compromised, stolen and counterfeited,” Litan said.

Update June 13, 9:49 a.m. ET: Added reference to interview with NAFCU CEO Berger.


61 comments

  1. At least Wendy’s is being up front about their breach — unlike CiCi’s Pizza and their POS vendor, who seem to be in denial about their issue.

    • Wendy’s is actually worse, their phones have been off for 2 weeks and they lied about the problem. Even tried to hide it by dropping it in a quarterly report… State AG’s should be pounding on the doors right now.

    • Up front?! As in honest? They said it was a tiny fraction. When the reports looked like it was a huge number, and I’d seen it mentioned multiple places, including in comments and stories here. Maybe they and their investigators are “honestly” incompetent!

  2. Robert Scroggins

    More highly sophisticated malware! I guess their security procedures, employee training, and company management just were not up to the task of handling it!

    Regards,

    • As I read the article, I was looking for the “highly sophisticated” excuse to be raised. That’s the latest PR doublespeak, that means absolutely nothing.

      For this kind of thing, all the attacks that get through are “highly sophisticated”.

  3. Hey, Brian.
    Solid reporting (again).
    Efficiency inside the certification funnel is improving, but the sheer number of merchant hardware-software-middleware-gateway-processor combinations needing to certify is still a Big Gulp.
    Look for the cert logjam to start clearing and data breaches to subside when the terms “pre-certified” and “semi-integrated” get more airtime among thoughtful Krebs readers working in POS.

  4. Good thing I don’t eat out anymore – I’ll never have to worry about this. Of course that is of little comfort, as I’m sure Target, Home Depot, or Menards will probably get hit in the near future. I doubt Target is invulnerable, despite trying to batten down the hatches from the last one.

  5. Robert.Walter

    “Gavin Waugh, vice president and treasurer at The Wendy’s Company, declined to say whether Wendy’s has any timetable for deploying chip-based readers across it’s fleet of stores — the vast majority of which are franchise operations.

    “I don’t think that would have solved this problem, and it’s a bit of a misnomer,” Waugh said, in response to questions about plans for the deployment of chip-based readers across the company’s U.S. footprint. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.””

    Why would it have not solved the problem? AFAIK, this is the reason for the conversion to chip+pin/chip+sign cards!

    The VP’s statement is not only misleading, it is a bit ridiculous in that he talks of “impossible” when he should talk of “improbable,” which is what the chips should achieve. He seems either incompetent or dishonest by seemingly creating a strawman argument.

    If his organization had spent more time installing chip/NFC readers, and incentivizing his franchisees, instead of pursuing MCX/CurrentC, that still-born wet dream of many merchant CFO’s (trying to capture the fees of credit cards) Wendy’s would not have been able to prevent losing customer card data, but could have reduced it by the number of cards paying via chips or NFC.

    http://www.pymnts.com/news/2015/wendys-leverages-its-new-standard-payments-systems-to-launch-mobile/

    At $500 per chip POS device, it is under a $2M investment (exclusive of software integration cost) – I bet the fraud costs are in excess of this.

    • “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”

      Properly implemented – a very important phrase in this scenario – chip security (both EMV and payWave) *does* make copying the cards impossible: even in a perfect-case scenario where an attacker can pull out a science-fiction matter duplicator and make a 100% identical copy of a card, as soon as the transaction counters between that copy and the genuine card get out of sync the card (meaning both the copy and the original) should be shut down by the issuer/switch. Unfortunately, I don’t believe this is the general standard of implementation.

      • EMV only creates a barrier to card duplication. PAN, exp date and name are still sent in the clear (allowing them to be captured). This still allows card not present (e.g. online purchases) and swipes at non-EMV enabled retailers (many, as Krebs has pointed out). It really wouldn’t have done much AFAIK. P2PE with tokenized payments would have been a far better solution, but that seems a ways off given the rate of EMV adoption.

        • I don’t think that is 100% fair.

          Card not present fraud pretty much always requires the ‘code on the back’ (CVV2/etc), so EMV or swipe would not matter much here.

          Also with EMV in many cases the name of the cardholder is not transmitted. That is an agreement between an increasing number of companies, as it explicitly hinders fraud. Now, the name is often not used I believe except with American Express, but all bits help.

          So all in all, EMV does help prevent this kind of fraud. It completely blocks it on terminals that only accept EMV (through the index number), preserves the existing security by not providing the CVV2 and limits fraud further by not providing the name of the card holder.

          The real issue is that this doesn’t help Wendy’s. Using EMV or not has no effect on liability for the damages in case of a POS breach. That depends more on the contracts between them, franchise holder and POS vendor. EMV only helps in the liability shift, when a card was cloned somewhere else.

          So ironically Wendy’s usage of EMV would have only helped some other company that did not yet use EMV, in case Wendy’s breach data is used to create a fake card, which then is used there.

  6. “Litan said the reality is that chip cards will continue to have magnetic stripes on them for many years to come.

    “ ‘Unless the mag stripe data is not transmitted any more and you get rid of the mag stripe, there is always going to be card data compromised, stolen, and counterfeited,’ Litan said.”

    Would Apple Pay/Android Pay mitigate this situation?

    • >Would Apple Pay/Android Pay mitigate this situation?

      Definitely. There’s a disturbing pattern I’ve seen in which Home Depot and a regional grocery chain who did accept Apple Pay for a time, stopped accepting NFC when their chip reader was certified.

      Slower and less secure (for all the people who forget and swipe before reading the chip)

      • Agreed. I believe both use one-time use tokenized payments–meaning your card data never passes through the POS device.

  7. Interesting defense, “The company also emphasized that all of the breached stores were franchised.” They are clearly trying to deflect liability for the breach.

    This is the same defense franchise companies have used in labor disputes, and if the parent company forces the franchises to follow the parent company’s (“franchiser?”) standard (in labor examples, requiring standard payroll software or timecard systems), the parent company can be sued directly. Given that it’s a POS and they are talking about rolling out fixes and running forensics, sure sounds like the Wendy’s corporation, not the franchisees, are liable for the breach.

    (I can find citations to back the above paragraph, if needed. I believe it was a Marketplace.org story recently, but am not finding it right off hand.)

  8. Cash is looking more and more favourable right now.

  9. It would be interesting to find out whether any of the Canadian-based POS terminals at Wendy’s were breached — where we have chip and pin in place!!!! Same goes for the breaches at Home Depot and for Target (before they closed up their stores north of the border). Were there any Canadian stores affected with these?

  10. Honestly, I only use cash when at restaurants.
    And, I do not agree the chip in card is safer. Chips can be programmed with anything. And now it’s in the system. Remember something called the dumb card? The card that didn’t read? Then you type the numbers in off the front. What is to say, install a worm, or spider link, or override a program, or add a small unnoticed feature to the card reader? They won’t need to waste time social engineering anymore. Remember your phone, it’s a Bluetooth reader, almost all devices, including restaurants read Bluetooth, wifi, and sniff frequencies. You won’t have to be in the restaurant to read the package any more. Now, with the same packages available to cars? How big is your parking lot?

  11. A POS breach via a trusted service provider’s credentials? The article doesn’t state how the credentials were stolen. Even if the service provider had been breached the bad guys would only have hashed passwords. Key logger? Weak passwords? Poor security practices (using telnet instead of SSH or perhaps credentials were kept in a text document)? None of these scenarios speak well of the security service provider! Inquiring minds want to know!

    • My impression is that once the crooks have the admin/remote credentials for the POS system, it’s game over. Because they can then install malware or whatever else they want. That malware captures credit and debit cards, which are then re-sold in the dark web.

  12. From experience up here in Canada I am suspecting that Litan and Waugh are not operating with the full information regarding how chip card implementation stops card fraud. Chip and PIN is quite prevalent here in Canada and our cards indeed still do have the magnetic stripe. But the thing is when you go to a POS merchant that is chip equipped they will not let you use the stripe. The machine forces you to use the chip even if you TRY to swipe. I experienced this a couple times in the beginning before I got used to the chip & PIN system. So that means even if my card’s information gets stolen and put onto a fake card the thieves are going to have one hell of a time trying to find a merchant POS that will allow them to use it. My suspicion is that Canadian cards still have the stripe so that whenever we travel to the United States we’ll be able to use our cards. But if everyone accepted chip and NOBODY accepted stripe then I do believe your magnetic stripe problems are over, done with, finished.

    • Sam,

      It is the same down here, but down here if the chip reader is down or is having issues the swipe function of a chip enabled card will work. I have had this experience before at Walmart and Walgreen’s.

      • While I’ve no doubt that’s happened to you it hasn’t happened even once for me so far. Since we got chip-enabled cards I haven’t swiped once – even when, as I stated in the original post – at the beginning I tried to swipe because I wasn’t used to the chip yet.

        So those few times when you may be forced to swipe is not a very large attack vector for thieves trying to use a copy of your magnetic stripe.

    • Blanche Dubois

      Everything you’ve said re. Canada, is what a First World country does to add security to a common, inexpensive, worldwide, plastic payment system. (Something that Apple Pay, other wannabes can only dream of for a long time to come.)
      Post 1Oct2015 “US claimed start to EMV-PKI”, Canadians and their Issuers, have to realize that any Canadian with plastic visiting the US, is the EMV equivalent of visiting Haiti, Bangladesh, Chad or any other Third World country.
      Shed no tears for the large majority of US Acquirers and their Merchants; they had FOUR YEARS notice of EMV-PKI, and apparently did little to NOTHING to get POS systems in place and certified until post Oct2015.
      Today, US Issuers are still waiting for US Acquirers to get all their Merchants up to speed on “Chip & Signature” (Who today even checks signatures for checks, let alone plastic?). That alone will take several years.
      Then the US Acquirers can start the really heavy lifting of certifying the full “Chip & PIN” which the First World started implementing in 1992 (France).
      That will take several more years.

      When 90-95% of US Merchants are at full “Chip & PIN” capable, then the US Issuers and Acquirers will be able to suspend the magnetic stripe for ops in the US, while retaining it on the plastic card so it will operate when the US Cardholder notifies his Issuer he will be visiting Haiti, Bangladesh, Chad or any other Third World country, for a preset period; i.e., just what a Dutch writer wrote in Brian’s blog several months ago to little acclaim; he was mystified why the US had a major card fraud problem.

      The take-away for this 5-10 year US process:
      (1) Brian will have a rich lode of major US plastic card breach stories for the next 5-10 years;
      (2) Knowing this payment card playing field, the rest of us can enjoy the unfolding story of how the US rejoins the First World. There will be a lot of financial blood on the floor;
      (3) Canadians should rightly claim superiority and gloating rights over the US in this area for at least the next 5-10 yrs., as apparently you have senior execs in your Issuers, Acquirers, Brands, and a government that works, to implement a very secure payment card system, invented elsewhere in the First World.
      You know Copy and Paste when you see it; not the US.

      Up until 2010 the ROI for US Issuers on plastic ops was 25% – 28%/yr., so 4%-5% in fraud losses was a cost of doing business.
      That’s now ancient history, so fondly remembered…

  13. Didn’t Wendy’s have a MSSP minding the store? If so, who was it and why didn’t they catch it?

  14. I would start looking into a Chick-Fil-A …

    • Chick Fil-A had their own breach, and what’s more they don’t take either chip or Apple / Android Pay.

      • Paid Yesterday

        Perhaps not where you live. I used ApplePay to buy lunch at the local Chick-fil-A yesterday.

        • Cool! Now that at least some Chick Fil-A take Apple Pay, my faith in humanity has been restored.

          • Plus with them launching their Chickfila One app, that’s just another alternate payment method.

  15. My 2 cents.. The question isn’t chip vs sign.. The question is where’s the encryption. There isn’t anything wrong with mag readers except they are subject to skimmers. In a properly E2EE or P2PE setup the card data would or should NOT be going through the POS terminal, especially if it’s Windows based. The biggest point of E2EE or P2PE is the transfer of liability.

  16. > Litan said the reality is that chip cards will continue to
    > have magnetic stripes on them for many years to come.

    True, so how about a sunset date for magstripe (at least magstripe containing payment information) to be announced by the card schemes?

    Let’s say by 2020, 2022 new cards may be issued without magstripe or without payment info on the magstripe (some ATMs need magstripe to open the shutter on the card slot), relying on the chip (contact or contactless) for payment processing?
    If everybody keeps waiting for the laggards, everybody will still be at risk of magstripe compromise.

    • Well, you always have the option of running a strong magnet over the magstripe, and you could do that today if you wanted to. And if there is a chip reader or NFC I will certainly use that, but there are far too many merchants that haven’t bothered to upgrade anything yet.

  17. Our bank has lost over $30,000 in the past month and the CPP (common point of purchase) has been Wendy’s. I just filed a complaint with the FBI and contacted the franchise owner to inform him what we are seeing. They were surprised and said they were not part of any breach. They did agree to start working with me to verify they have not been compromised. I am almost certain we will find they have been. It really aggravates me that Wendy’s hasn’t felt the need to check all franchises to be certain they have not been breached.

    • It seems like it would be pretty easy for a bank to use a honeypot card at the offending Wendys and then sit back and wait.

      Is there anything in the agreement whereby merchants that are unable or unwilling to correct a malware issue can get cut off from processing credit cards?

    • I feel your pain Joe. We are taking hits left and right with this breach. The problem is that reissued cards are being breached again because Wendy’s has been so slow to move on the problem. It’s been going on since last year. Too bad my customers LOVE to eat at Wendy’s.

    • How would we go about filing a complaint with the FBI?

  18. Waugh (Wendy’s VP) is correct in his assessment. EMV does not prevent memory scraping. It prevents thieves from making counterfeit cards for use in card present transactions. Card data stolen via memory scrapers (POS malware) can be used in online fraudulent transactions. EMV would not have prevented Target, Home Depot, Wendy’s or any number of other newsworthy breaches involving POS malware. It would have lessened the impact slightly.

    E2EE encryption, or end to end encryption, would prevent memory scraping POS malware from working. The card data is encrypted at the reader and decrypted at the processor rendering any captured data useless.

  19. About 2 years ago I was contacted by a recruiter for a job at Wendy’s corporate hq, the position was to oversee store POS operations and implement security measures. I passed since their intent was to have this role also travel to most/all locations to implement changes. They obviously didn’t have much success filling that job. Companies who don’t take cyber seriously enough to staff a dedicated team just aren’t going to be able to resist modern threats.

  20. “Hey, Bobby – when you are done cleaning out the grease trap, run security scan on the POS terminals..”

  21. I just got a notice from a credit card provider I have that they believe Wendy’s credit card systems have been compromised (I think I went there and used a card once in the last 3 months) and that they would be watching my account for any suspicious charges and that I should also (rather than just replacing my card).

    Think I’m going to call them and insist on getting the card replaced now.

  22. I’m always surprised at the lack of configuration management and integrity checking for POS systems. It’s a software system. It should be under configuration control. It should be easy to compare against the baseline. If it’s different than the baseline, find out why and redeploy the baseline software. Instead they stumble around and claim malware is “extremely difficult to detect.”

    • There is current malware that has NO drive footprint at run time. It becomes re-infected at each restart from another system which is not as secure.

      • I recently heard about that. Has it been named yet?

      • Something has to be executed locally at restart that puts the remote code into memory. The “something” is going to leave a footprint on the drive. Even if it’s in the boot sector. You think the boot sector can’t be config controlled? It’s all running on identical hardware, it should match a baseline. Regmon, Filemon, and a Process monitor would address this type of malware.
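As an added example of the baseline check described in the comment thread above (this is illustration code, not something from the post or from any POS vendor), the Python below hashes every file under a gold image and under a store terminal, then classifies the drift as added, removed or changed. The `demo()` scenario, including the file names and contents, is constructed for the example; on a real terminal the baseline manifest would come from the release image and the comparison would run against the live file system.

```python
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify every deviation from the gold image: added, removed, changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a gold image, and a store terminal that drifted."""
    with tempfile.TemporaryDirectory() as gold, \
            tempfile.TemporaryDirectory() as store:
        for root in (gold, store):
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
                f.write(b"POS application build 1.2")
            with open(os.path.join(root, "pos.ini"), "wb") as f:
                f.write(b"processor=gateway.example\n")
        baseline = build_manifest(gold)
        # Drift on the store terminal: an executable the image never shipped
        # appears, and the config gained a line. The gold image is untouched.
        with open(os.path.join(store, "bin", "svchost32.exe"), "wb") as f:
            f.write(b"not part of the image")
        with open(os.path.join(store, "pos.ini"), "ab") as f:
            f.write(b"remote_support=1\n")
        return diff_manifest(baseline, build_manifest(store))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Anything in "added" or "changed" is the list to explain before the next shift opens, and redeploying the baseline is cheaper than arguing about whether the deviation is malware. The check only covers what lives on disk, so it pairs with, rather than replaces, inspection of what is resident in memory.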

  23. Please tell me why this won’t work.
    Firewall the POS, and or ACL on the Gateways – deny all traffic less required (transactions/updates/headquarters). Even a mom and pop shop can afford a sub $100 basic firewall.

    Am I over simplifying this, or are places too incompetent to bother with security on the wire at all?

  24. Lt. Todd's New Legs

    Me thinks POS says it all…

  25. I hope that quote from Avivah Litan is a misquote. EMV does NOTHING to stop POS data gathering if the data still flows through the POS. The only thing that stops it is encryption at the swipe or dip of the card at the terminal and that is NOT part of the EMV standard.

  26. Cash is king. We are more and more doing transactions in cash. Our commercial enterprises lean heavily to the A in C-I-A. Their determination and action to protect themselves is feeble compared to the determination of the threat actors to compromise them. Time to raise their game.

  27. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”

    Well then make it harder! If incremental improvements are your only option besides outright apathy, then make those improvements. Every time I swipe my credit card, I am entitled to that company’s assurance that they’re doing everything they can to protect my info. Instead of taking responsibility, retailers push the burden onto customers and their chosen financial institution’s fraud departments.

  28. Yet another company that needs to realize paying for security is essential. A well run company will have some sort of qualified security team. I don’t think Wendy’s has anything. They probably think physical security at headquarters is good enough.

    A good team stays on top of vulnerabilities and new trends, plus has at least one forensic person. Maybe they will learn. Doubtful.

  29. My question is how is it a support vendor with expertise in supporting POS environments installed a remote admin tool that has credentials that can even be compromised?

    Doesn’t PCI DSS require multi-factor authentication for any remote access to the CDE?

    It appears to be the feeling, at least in the comments I’ve read on here, that this seems to be common practice for retail POS. How is that possible if it’s in direct violation of the DSS standards? I understood it when the RAT was social engineered onto the platform by attackers, but it seems beyond the pale that single factor RATs would be standard operating procedure for these vendors.

  30. The real question is “Where is the vendor and franchisee oversight program?”.

    Blaming the franchisees who comprise the vast majority of your sales is like blaming your customers. It’s very poor form. Wendys can get away with it because it’s very unlikely that a franchisee will switch to a different brand due to the cost and time, unlike customers.

    Is there any way to tell whether a store is company-owned or franchise-owned? Is it just some small plaque inside the store in a non-standard location and where you can’t see it unless you go inside and are already in line? If so, what’s the point of the finger-pointing?

    Retailers are learning, like banks learned years ago, that their most likely point of breach are the companies they outsource their critical business processes to. And sales is a business-critical process. Just like the banks, it will take a smack-down to get their attention and they will still be kicking and screaming all the way.