19
Jul 16

Cici’s Pizza: Card Breach at 130+ Locations

Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peak inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real-time.

cicisIn a statement released Tuesday evening, Cici’s said that in early March 2016, the company received reports from several of its restaurant locations that point-of-sale systems were not working properly.

“The point-of-sale vendor immediately began an investigation to assess the problem and initiated heightened security measures,” the company said in a press release. “After malware was found on some point-of-sale systems, the company began a restaurant-by-restaurant review and remediation, and retained a third-party cybersecurity firm, 403 Labs, to perform a forensic analysis.”

According to Cici’s, “the vast majority of the intrusions began in March of 2016,” but the company acknowledges that the breach started as early as 2015 at some locations. Cici’s said it was confident the malware has been removed from all stores. A list of affected locations is here (PDF).

On June 3, 2016, KrebsOnSecurity reported that sources at multiple financial institutions suspected a card breach at Cici’s. That story featured a quote from Stephen P. Warne, vice president of service and support for Datapoint POS, a point-of-sale provider that services a large number of Cici’s locations. Warne told this author that the fraudsters responsible for the intrusions had tricked employees into installing the card-stealing malicious software.

On June 8, 2016, this author published Slicing Into a Point-of-Sale Botnet, which brought readers inside of the very crime machine the perpetrators were using to steal credit card data in real-time from Cici’s customers. Along with card data, the malware had intercepted private notes that Cici’s Pizza employees left to one another about important developments between job shifts.

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Tags: , , ,

26 comments

  1. Even better than Brian’s good suggestions is to set your cards up in a device that uses tokenized payment like Apple Pay.

    You get a virtual card number assigned to your device and a single use pin is used with every transaction. Even if the POS device is comprimised, the info is useless. The number is known to the network as something assigned to an Apple Pay device (your iPhone or Apple Watch – each gets a different number) so it can’t be encoded into a mag strip card or used on the Internet.

    Even if the number were to be put on a card, without the correct new PIN being generated each time, the transaction will fail.

    I feel like a broken record saying the above, but the more people who have these kinds of devices who put pressure in recalcitrant banks and merchants to sign up to Apple Pay and to get their NFC POS terminals on line, the sooner this scourge will come to a screeching halt.

    • Put pressure? How? The clerks simply don’t care – they have no say in it, and neither does the store manager. It is ultimately corporate that needs to roll the thing out, and they figure that most people will just pay some other way rather than take their business elsewhere.

      Some companies simply don’t care and won’t upgrade – some people commenting on this site have even expressed this attitude. From the standpoint of places like CiCis, they aren’t really in a position to lose very much – it is other merchants who sell high-dollar easily pawnable things that might get scammed with counterfeit cards.

      And even then – even if the merchant does accept NFC payments sometimes it just doesn’t work for some reason. When they pushed down the Android Marshmallow update, it changed the way the thing worked so it is now a huge pain in the neck (I have to enter a password each time I pay for something – even after having unlocked the phone with my fingerprint). It never used to do that.

      Honestly cash is the way to go – especially for small merchants like this. I suppose in theory they might worry about an employee dipping into the till or someone robbing the place, but that’s their problem, not mine. And if they want more people to pay by some form of credit, then they need to get busy and support something more than just a plain magstripe.

  2. Krebs leads the pack! Well done.

  3. Trying to be helpful… Date typos. Original articles on Cici’s breach and POS botnet were published on JUNE 03 and JUNE 08, respectively, not in July as stated.

  4. Lets be honest, if you eat at Cici’s you are kind of asking for it, LOL! 😉

    • Porter Jervis

      Exactly. Worst pizza ever

      • I dunno, I think Dominos in the late 80s was far worse. That being said, Cicis really went off a cliff a few years ago. Before the cliff they were decent (not bad, not good, just decent), after the cliff they became what they are today.

        Shortly after they went off the cliff all the stores in my area closed up shop because everyone refused to eat there. I feel sorry for whoever is in such a food desert that Cicis hasn’t closed.

      • I can’t tell you how many breach cards I have seen where the cardholder only ate at Cici’s once. Wendy’s, Noodles & Co etc show up on those breach cards every week or so, but once is enough for Cici’s.

  5. Vomit Central

    I’m sure that people who eat at Cici’s pizza don’t care about their health or safety to begin with.

    • There’s been rumblings that EMV skimmers (not mag) have been found in Florida, California, and Chicago and fraudsters are already duplicating EMV cards. Haven’t heard from Brian about this. I know Aperture Labs presented on the topic back in 2011. What’s the word Brian?

  6. Why can’t we get legislation that would require a retail merchant to post a sign next to every terminal in every store that was breached that includes:
    1. The dates when the breach occurred
    2. When the terminal was remediated
    3. Recommended action to take
    It would be necessary to keep the sign posted for 60 days after either the remediation date or the date when the sign is first displayed.
    This would provide another channel (besides your blog) to notify consumers about the breach, and would provide a strong incentive to tighten terminal security.

    • Getting the legislation is one thing. Enforcing it would be quite another.

      • Doesn’t take much to have a couple teams randomly running checks. Make the penalty be permanent closure of the location and they’ll take notice (even if it means having their special interest group hire lobbyists to get the regulation repealed).

        Health codes are enforced the same way at restaurants. The only problem is local governments are normally quite corrupt, all it takes is one mole accepting bribes for advance notification of visits to deflate the balloon. Though before the visit they typically are cleaned up, so it’s not a compete deflation.

        • Are you talking about the same health codes that take years to shut down a disgusting facility down, and then tend to only bar the company from opening up again, not the operators?

  7. Not to be snarky, but what does POS stand for nowadays? Not Point of sale.

    • I was once a member of a BBS whose owners used the abbreviation SOL to refer to the BBS name.

      Someone gently broke it to them one day that SOL was an abbreviation for something else. After that they stopped abbreviating the name.

  8. Or just use cash and not worry about it, period.

  9. Porter Jervis

    I guess I’m good. They have the worst pizza ever. Won’t be tempted to use any type of card payment there/

  10. Annnd their site is HTTP only. It speaks to their level of security awareness for their customers.

    • Site seems to be info page only, not a portal or shopping cart, nor anything with sensitive information. I think that is reaching.

  11. It seems like 100+ affected is a trend. Hey ! They have thousands of locations probably, so more than likely I am not affected ! And people drop the subject and the issue goes cold.

    Then the REAL numbers come out and there is just a small rumble of displeasure where it counts, at the counters where payment is accepted.

    Lets just hope in the end – if there is one, that these numbers remain low. Time will tell.

  12. I’m currently doing some research on POS in-security. I’ll post the results on my website Pentest.guru

  13. Can ya please open a branch he in the Rochester area I miss ya pizza and my kids

  14. So where is that Todd guy from their PR firm now? I was reading over his comments back in June and they look pretty hilarious in the face of this.