February 9, 2017

Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

arbys2A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” reads the alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017.

Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast food chain Wendy’s. KrebsOnSecurity broke the news of that breach in January 2016, but the company didn’t announce it had fully removed the malware from its systems until May 2016. But two months after that the company was forced to admit that many Wendy’s locations were still compromised.

B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” Berger said. “That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because the company was re-compromised after it scrubbed its payment systems of malicious software. Many banks and credit unions ended up re-issuing customer cards several times throughout last year after loyal Wendy’s customers re-compromised their brand new cards again and again because they routinely ate at multiple Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit transactions through Wendy’s when they were still dealing with that breach,” Berger said. “Our member credit unions were eating the costs of fraud on compromised cards, and on top of that having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).


109 thoughts on “Fast Food Chain Arby’s Acknowledges Breach

  1. LaLa

    As a Credit Union employee who has to reissue all these cards and deal with the fraud transactions, I can’t say in polite terms how I feel about how often this keeps happening. 🙁

    1. NICHOLE

      I agree with you as I also reissue these cards and deal with fraud. When are the merchants going to have to take some responsibility on their end for the costs they are incurring to the financial institutions? All for the sake of convenience!

        1. Dennys

          Arbys “outsourced” the IT dept according to the web.
          It seems that Target and the rest outsource IT that includes all the transactions, to India.
          It might seem that if someone in India took advantage of the US customer’s data, the laws there are not applied to those in our country.
          Sure, Arbys saved some money. But, my credit card had a $2,000 hit on Home Depot. It took me over 40 hours of my personal to repair most, not all of my credit exposure, get new accounts and generally recover. Millions of citizens won’t be reimbursed for the time and efforts.
          IT SHOULD BE A FEDERAL LAW to post:
          Your credit card transaction leaves the US at this register.
          I HAVE A RIGHT TO KNOW the RISK.
          To heck with political correctness. The consumer has a right to know the risk.
          Arbys also has a history of using H1-B visas. Really? These are technology jobs that Americans can fill.

      1. Peter

        When are the merchants going to have to take some responsibility on their end for the costs they are incurring to the financial institutions!?!?

        Currently merchants are paying monstrounous fees to you – the financial institutions – each time a customer uses his card. The cost for new cards and fraud has been a long time part of these fees.

        In fact it are the financial institutions who have been dragging their feet in switching to more secure chip. If the US would have – like the rest of the planet – switched to chip, this would have been a total non-issue as crooks could not have used this data either online or print on a magnetic stripe.

        1. Jon

          Why does everyone try to find a single party for blame like this? Yes, the financial institutions are dragging their asses in implementing chip (and chip+pin), but it’s not like merchants are not dragging their asses in implementing the chip readers, either.

        2. Brenda

          We switched to Chip cards and we still are affected by these Cam alerts

          1. icknay

            Just to clear this up – the stolen card numbers are NOT from chip cards, they’re from magstripes. You should focus your irritation at merchants still using the magstripe .. leading to these breaches.

            1. Linda

              However my cards all have chips but all of the fast food places only swipe them anyway. Does that mean they are at risk also?

              1. Scott

                that’s the real issue. regardless of some cards having chip capabilities, we are forced to rely on the magstrip because card reader adoption and related issues are far from solved.

          2. Ali Hasan

            Excellent reporting Brian, as always. You are one of the world’s greatest gems!

      2. Chris

        What is stopping the financial institutions from litigating against companies where these breaches are occurring?

      3. MD

        As a merchant that was breached- when will Visa, Amex, and MasterCard tell us the things we need to know to protect the card holder. They keep known malware quiet and then act surprised when it spreads and blame us for not having the right technology in place. You know… as a merchant, it is hard to keep up with the bad guys. They are way smarter than a simple anti-virus scan My company is an industry leader in our field and if it happened to us… it will happen to many more. What we saw was scary and until the card community works to truly help the merchant prevent this it will keep happening.

        1. Catwhisperer

          How often are you updating the POS firmware. Is there POS firmware anti-virus? Is updating firmware up to you or is it up to the company that provides the POS? Should you be powering down the POS every night like an IOT device to insure that the malware is erased from memory?

          These are questions that merchants need to answer or get answered to determine where liability lies. Do you get POS updates from US-CERT ( https://www.us-cert.gov )? If not, why not? Why are you being left out in the cold by financial institutions that know that a breach has occurred but have failed to notify your business and/or have not issued a firmware update.

          Consumer (and I’m sure merchant) inquiring minds want to know the answers to these questions…

    2. EJ

      Someone correct me if I’m wrong, but I believe the whole point of the EMV liability shift was that merchants who process a chip-bearing card as a magstripe payment are responsible for eating the costs of the fraud. Around here at least, the big local credit union has long replaced all their members’ cards (credit + debit) with chip cards.

      I would think, then, that the liability shift would make the hacked merchant (and/or the merchant where the stolen card is cashed out, which also must have processed the payment as magstripe) entirely responsible for the stolen funds.

      Of course, as LaLa notes, there’s still the administrative overhead of re-issuing the cards and sorting out the fraudulent transactions. Does anyone know if the liability shift covers that as well? It would make sense, since otherwise there’s not a huge incentive for banks who’ve transitioned to chips to re-issue those chip cards after their magstripes have been compromised. They can just as well say “the merchants who got hacked are the problem here, let them eat the cost, and if they want us to reissue the cards to make it stop, they’ll need to pay for it”.

      Perhaps this is what Krebs is talking about when he says that larger institutions are choosing to “manage losses from compromised cards” rather than re-issue them so aggressively. I suppose smaller banks/credit unions might have more to lose in terms of customer trust when customers find fraudulent transactions on their cards that they have to report, hence the more proactive re-issuing.

      1. Ashley

        The liability falls on whoever has the least amount of protection. If a chip card is used as a magstripe card in a chip enabled terminal, this is called fallback. Since they technically have a chip terminal, the liability still falls on the issuer. The merchant is only on the hook if the cardholder has a chip card and the terminal only has the magstripe option. If the transaction is fraudulent then the merchant holds the liability.

        1. EJ

          Wow…so as long as the merchant initially goes to the trouble of setting up chip-enabled terminals, there’s no financial/liability incentive beyond that for them to actually *use* the chip functionality? That would certainly align with what I’m seeing in practice: most merchants nowadays have chip-capable readers, but the majority have the chip slots blocked off with a sign saying “please swipe your card”. Since magstripe transactions are speedier and less goof-prone (for now especially, due to customer unfamiliarity), the merchant has every incentive to continue this indefinitely, so long as the liability hot-potato is no longer in their hands.

          Sounds like this is a loophole/bug in the liability system. It forces merchants to pay the high cost of upgrading to chip-capable systems, but by and large fails to deliver on the benefits. (I’m sure the payment processing vendors who supply those chip-capable systems are plenty happy about this, but no one else is.)

          I’d always thought that “fallback” magstripe transactions with chip cards were something the merchant did at their own risk (accepting liability if it turned out to be fraudulent) – therefore putting the onus on them to make the judgment call of whether a fallback is in fact justified (e.g., the chip is physically damaged). Since they can physically inspect the card, the merchant is in the best position to make this call. They could, for instance, insist on checking photo ID for any fallback transactions. But from what you say, it sounds like this is not the case.

          I suppose a big part of the problem is (as Krebs has discussed in many articles) banks’/payment processors’ failure to properly implement the backends for EMV transactions, thus allowing loopholes that shouldn’t really be there – for instance, where carders flip off the “this card has a chip” bit in the magstripe data when they clone it onto a dummy card, thus forcing a fallback transaction since the merchant has no idea that a chip *should* be present. Or the loophole exploited by “shimmers”, which use data read from a chip to clone a magstripe that is missing key CVV data (but is nonetheless accepted by flawed backend systems). But these are mainly issues on the “cash-out end” of the fraud. To stop card data from being stolen in the first place, chip cards should be processed as chips whenever physically possible – which means there needs to be an incentive for the merchant to do this.

          Presumably, for the banks this is a delicate balance between the fraud losses that could be avoided by aggressively refusing to authorize transactions through faulty payment networks (or to merchants who refuse to use chips even when they can), versus the lost revenue from simply not getting the transaction at all because customers switch to cash or another bank’s card that isn’t so picky.

          1. The Merovingian

            Whoever has the weakest security is liable for the full cost of the theft. If the restaurant doesn’t have chip readers, the restaurant is liable. If the restaurant has chip readers that don’t work (like every place with tape over the chip slot and a little sign saying “chip cards coming soon!”), that restaurant is similarly liable.

            If the restaurant has working chip readers, and 99 customers have cards with chips, but one customer’s card has a card with only a mag stripe, and all the cards gets stolen at that restaurant, the bank who didn’t issue the chip card is liable for the one card’s fraud. The restaurant will still likely be on the hook for the other cards’ fraud, but just skimming account numbers from chip cards makes it very hard for thieves to abuse them.

            However, when the situation is this big, you can bet that everyone in the game is busy lawyering up, and figuring out who ends up paying the bill will take years of court wrangling. Nothing is certain at this time.

            1. Dick

              Merchants around here who have chip enabled terminals with the slot taped off indicate to me that it’s their payment processor that isn’t ready for chip transactions. Where’s the liability in those cases?

              Good news though, our Safeway finally started chip transactions this week 🙂

              1. signaldistress

                There’s huge hurdles still for companies that have paid for chip reading terminals to get them turned on. there’s pretty much a “waiting list” for these merchants to get their rigs set up. If a merchant has the chip terminal “taped off” it’s because they’re not set up yet, and they’re still liable on the fraud. A chip card swiped in a functioning chip terminal will beep and you and tell you to “dip the chip”. if the chip is damaged, it can then be swiped as a “fallback” transaction and the liability is back on the issuer.

            2. DFB

              I think discussion of EMV may not be relevant here. The chip is designed to stop a fraudulent purchase at the place where the card is presented, for example, to pay for a meal with a counterfeit card derived from magstripe info on a chipped card. That’s not the nature of the penetration at Arby’s. Someone stole POS data. It can then be used to create fake cards for use at OTHER places that don’t require a chip.

          2. SaxCatz

            Most (all?) EMV-enabled terminals have a “workflow” which requires the chipped card to be unreadable before prompting to swipe the card and accepting the MSR. This means that, so long as EMV is enabled on the merchant’s terminal, the merchant has done nothing wrong during the transaction and thus the flow of liability that was described above.

      2. Eric

        Yes, merchants (excluding gas stations) that have terminals not configured for accepting EMV can be charged for fraudulent transactions. The card issuer still needs to confirm it is a fraudulent transaction but if confirmed then the merchant can be held liable for that charge.

        Where this can get screwy is that not all debit/credit cards across the USA have been reissued as EMV enabled cards. How then do you determine that a transaction was indeed fraudulent? A customer stating they did not authorize that charge is only the beginning. There are many other factors to take into account such as: geo-location, signatures, account/merchant activity. If a transaction is within a reasonable distance of where a customer normally shops, did not require a signature, and the merchant has no other complaints of fraud, then the card company might be reversing legit transactions the customer “forgot” they made. Reverse too many legit transactions from a merchant and they may consider not accepting your brand of card in the future.

      3. MD

        As a merchant you can’t just flip out your POS hardware. It has to be EMV certified etc. Have you seen EMV table card readers yet that work with the big named POS terminals (i.e. micros)? you have not because they are not certified yet. Would be nice of the POS hardware people could get their hardware certified faster so us merchants can be fully compliant!

      4. timeless

        So, one problem is that there are typically two merchants in fraud:

        A. The merchant whose terminal was compromised
        B. The merchant whose terminal receives the cloned card

        Suppose the flow is:
        1. Bank issues a Chipped card to a customer
        2. Customer takes card to A, and swipes it
        3. A says “you must use chip”
        4. Customer uses chip to make purchase
        5. Terminal transmits information from rejected Swiped transaction to thieves
        6. Merchant A sends chip validated transaction through payment network to Issuer for settlement.
        7. Thieves generate a new card based on the swipe attempt — this card is possibly designed to fail chip transactions in various ways
        8. Thief takes card to B
        9. Thief inserts card into chip reader backwards — three times
        10. Thief makes purchase by swiping because “chip reader isn’t working”
        10. Merchant B sends magstripe transaction through payment network to Issuer for settlement.

        Who’s at fault?

        Keep in mind that B is often a very large company, and the Issuer can’t afford to say to their customers “We’re sorry, you can’t use our card at Best Buy / Walmart / …” — there’s a reason that Walmart and Costco can command such deals against payment networks — they have leverage, their customers will vote w/ their accounts and get an account that will work.

        The answer in my book to “who’s at fault” is merchant A.
        But! The liability rules probably put the blame on merchant B.
        Remember, the transaction that merchant A processed was done via Chip, and it was a legit transaction.

        No one goes into Arby’s trying to buy millions of dollars of food with the intent to resell that food (it has no value, and it loses value by the minute).

        1. Vog Bedrog

          Who’s at fault?

          Everybody:

          a) The fraudsters.

          b) Card issuing bank – are they accepting mag stripe fallback transactions? How effective is their fraud detection/mitigation? Do they correctly check transaction security features (eg. transaction counters)?

          c) Merchant A (compromise) – do they have adequate physical security for terminals? Do they ever check terminals for tampering? Would they recognise tampering if they saw it? How effective are their visitor procedures around on-site technicians?

          d) Merchant A’s bank – have they supplied high quality terminals? Are those terminals configured properly? Are they checked regularly?

          e) Merchant B (spending) – do they have up-to-date terminals? Are those terminals being used correctly? Would staff know if they were being used correctly? Would they care?

          f) Merchant B’s bank – have they supplied high quality terminals? Are those terminals configured properly? Do they correctly check transaction security features (eg. transaction counters)?

          g) Cardholder – do they check their statements or account activity regularly? Do they make use of available banking security features (eg. bank’s app)? Do they use the security features of the card itself (eg. attempt a chip transaction FIRST, consider an alternate merchant if chips are not accepted)? Do they inspect payment terminals at all or simply complete all transactions thumb up bum, mind in neutral?

          There are so many variables to consider that it would be impossible to correctly attribute liability for any fraud to the contributing weak links in the above chain. Merchant B may be held liable simply because they’re an identifiable party (forget merchant A – you can’t link a specific compromise to a specific fraud spend with 100% certainty) – but it will sometimes be the card issuing bank that wears the cost because they accepted the transactions (eg. fallback transactions work this way). We’ll see this improve enormously only once mag stripes are phased out of card production.

          1. timeless

            You aren’t wrong (everyone bears at least a little responsibility). Although we’re missing the payment processors (which I glossed over when I described the network). They’re the ones who offer the terminals to the merchant. And they often charge more to process EMV transactions, giving merchants a disincentive when it comes to how to safely configure their terminals.

            The payment processors have apparently been very slow in getting new EMV systems certified — which isn’t helping matters.

            1. Vog Bedrog

              Payment processors would be ‘Merchant A’s bank’ and ‘Merchant B’s bank’ in my example (acquirers, to use the lingo) – hence the questions around quality of terminals etc. I agree they’re often forgotten in the compromise-fraud chain, but they’re definitely guilty of contributing to it sometimes – I’ve come across cases where ancient (and doubtless unsecure) terminals have be re-purposed without updating their identifying info, acquirers (or their switches) have not correctly checked transaction cryptograms or components thereof, and merchants have been able to spoof new terminal IDs when experiencing difficulty with a payment.

              The slow rollout of EMV in the US is frustrating to watch, but at least it’s happening. Its impact will be mainly determined by mag stripe acceptance in any case.

              My real bugbear in US payment systems are the ‘ghost hotel’ terminals – fly-by-night, and clearly fake, online payment processors (with hotel-based narrations, hence the name), usually used to test cards prior to fraud spending. Whichever acquirer is setting these up is either negligent, complicit in the frauds, or looking very hard the other way.

    3. Andrea Moore

      Do you know if Pine Bluff, Arkansas Arby’s got hacked?

      1. Wayne

        Call them and ask them if they’re a corporate store or a franchisee. If the former, then probably yes. I’m going to be doing that Monday with my semi-local store. Regardless, watch your bank account online for probe charges: a charge for $1-4 from cities and businesses that you don’t do business in/with.

        1. Spanky

          Set up alerts. Too often the test ping is at the soda machine outside the Walmart and a working card is being used inside long before the most paranoid person would be checking their activity online.

    4. M Cantin

      I am in complete agreement. I’m just outside of the KC Metro area and have only seen 4 cards with Arby’s so far. However, the Wendy’s mess was apparently not under control in June (at least at our local store) as they indicated. My CU was hit with a huge list again in mid-December. All told, I had to reissue close to 3000 cards on a 5000 card portfolio. Disgraceful.

  2. Jim Miller

    So when do the card issuers finally decide it is time for chili and PIN?

      1. tmiw

        I’m down for chili. Maybe chips for dipping into said chili too. (I may or may not have had lunch yet.)

        1. John Stewart

          Don’t eat the chili at Arby’s. Don’t eat *anything* at Arby’s. Credit theft is the *least* of your worries if you dine there.

  3. DC

    Would using a mobile payment app such as apple pay, android pay, paypal…etc…shield a person from worrying or being affected by such a breach?

    1. DH

      Transactions with those payment methods are tokenized and your actual card number is obfuscated to begin with. So yes, multiple, yet different layers of protection. The only question is what new attack vectors do those bring with them? Needless to say, far fewer holes than magnetic strip.

    2. tmiw

      Depends on if the bank actually lets the Device Account Number and expiration go through in contexts other than contactless and card-not-present*. As we’ve seen with other EMV “vulnerabilities”, a lot of it has to do with how well the backend is configured.

      * Apple/Android Pay supporting apps and websites send additional data to the merchant processor that’s supposed to be used for validation.

    3. Vog Bedrog

      Using ANYTHING other than the mag stripe on your card is the best protection you’re going to get. That’s not to say you never have to think about fraud again (if there were an answer to that we’d all be doing it by now and Brian would be writing a fishing and camping blog), but you’ll minimise the opportunities to counterfeit your card.

    4. John

      How secure is your mobile device? Does your mobile push out security patches in a timely fashion? Is the software in their app store thoroughly vetted? Do you have any side-loaded apps installed?

  4. Chester Wisniewski

    Perhaps some additional advice is to not shop at restaurants and other shops that don’t offer NFC or EMV payment options. This type of fraud is only going to continue with the use of antiquated magnetic stripe thefts.

    1. Moike

      Re: NFC/EMV – the choice of those who accept the more secure payment keeps growing: McD’s, Subway, Firehouse, Jimmy Johns, Chick Fil-A. It’s interesting that the 2 who were hardest hit in the last year Wendys and Arbys don’t accept the more secure payment.

      1. Mooneer Salem

        I don’t think Chick-fil-A and Firehouse Subs have EMV yet, actually. The terminals are capable of supporting it, sure, but they have had the slots covered for months.

        1. Jon

          The one near me in San Antonio at least supports NFC as I use Android Pay when I’m there. Not sure about chip, though.

      2. Mike

        My local Arby’s takes chipped cards, at least the one I go to, while another in a local mall has the typical stupid restaurant readers with the screen and the mag stripe only reader built into the side.

  5. DH

    This comes on the heals of a report in the last few days that POS malware was down. Interesting times my friends!

  6. Brian

    Excellent reporting Brian, as always. You are one of the world’s greatest gems!

    Hey, I have a question, do you know what Arby’s DMV terminal deployment status is, and if they did have those terminals, if a cistomer used their chip enabled card at one of their emv terminals, would that have prevented any actual mometary theft for those particular customers/financial institutions?

    I can’t understand why so many retailers have been so slow to roll out emv terminals given their financial liability now if they don’t. Seems moronic. It also isn’t customer friendly.

    Thanks,
    Alan

    1. tmiw

      A lot of people actually prefer that retailers don’t support it, so that seems to be the more “customer friendly” option. It’s not a good idea, of course.

  7. IRS iTUNE cards (real)

    The article states “Our member credit unions were eating the costs of fraud on compromised cards”

    “Eating the cost” as Dr Smith from Lost in Space would say” oh the pain, the pain”

  8. Ed

    Here’s a better idea… Make the entity that was compromised pay 100% of the costs involved if they are not using CHIP readers!

    1. Peter

      As a credit card company you’d love that. Rack up and the huge merchant fees *and* have all cost for fraud paid by the same merchant.

      Reality cost of fraude has been inserted into these fees for fees, so the merchants and thus the customers are the ones paying for this.

  9. Tony

    A simple solution for “in-person” transactions is to pay cash.

    Then and only then the charge card companies will realize that they are loosing business and precious marketing data and provide a secure solution to win back the customers.

    Start paying cash and abandon the defective technology.

    1. Bruce Hobbs

      I usually pay cash at fast food restaurants since it’s small amounts of money (around $10) and it’s just better to avoid the exposure.

  10. IflyVFR

    So when do the card issuers finally decide it is time for chili and PIN? Jim miller

    Chip not chili

    “Hold the mag stripe”?

  11. Cheese

    I don’t understand why the credit unions would just block Wendy’s, because that really does nothing. The card still has to be processed to get the decline, and it still gets compromised. Their customers simply get the transaction declined, and it does nothing to protect the financial institution.

  12. D

    From the Retail Industry Leaders Association (RILA) website, public policy page:
    Consumer Issues: Protecting Consumers, Promoting Innovation
    The safety and security of consumers is paramount to America’s retailers. As the retail industry continues to innovate, building consumer trust through enhanced measures to safeguard data is a top priority. RILA is working with lawmakers to help shape policies that help protect retailers and their customers from cyber-attacks without stifling innovation.
    Really RILA?

  13. arbynomore

    Christopher Fuller, Arby senior VP, said “But this is the most important point: That we have fully contained and eradicated the malware…”

    No, the most important points are that you got malware in the first place, that it was there for months, and that you gave away hundreds of thousands of credit card numbers.

    1. IlikeCash

      Make an attack sandwich of spear phish, metasploit and mimikatz: viola, almost any commercial off the shelf network is gutted for it’s data.

  14. Mich

    Brian, do you think you could put together a post on the different payment methods currently available (cards with chip, cards with no chip, mobile payment options such as Apple Pay and Samsung Pay, etc.)? It would be cool to see the pros and cons of each payment, how each payment method works (the communication protocols, encryption, tokens, etc.), and why each is susceptible to fraud. Perhaps there is a site or graphic that exists on the Interweb?

    1. timeless

      So, the short of it:

      * Person’s name ( long expired)
      * Card number (long expired)
      * Name + Number + human signature (expired)
      * Name + Card number + expiry — recorded on a slip + human signature
      * Imprinted (Carbon-Copy) Name + Card number + expiry + human signature
      * Name + Card number + expiry — CNP (card-not-presemt)
      * Magstripe (Name, Number, Expiry, CVV1)
      * Name + Card number + expiry — CNP (card-not-presemt) + CVV2
      * Imprinted Name + Card number + expiry + CVV2 + human signature
      * Chip (Name, Number, Expiry, dynamic signature)


      There are various other variations on the above.
      beyond that, there are the security-theaters like “verified-by-visa” – – which mostly increase your attack surface while not actually adding remotely useful protection for anyone (except visa) involved (you, the customer gain liability and risk having your credentials compromised in various ways).

      It’s probably best not to try to enumerate all the individual combinations, but instead to look at what’s collected and how:

      1. Name
      2. Account
      3. Expiry
      4. human signature
      5. Postal Code (this is stellar, especially the places that demand a 5 digit code from people who live in canada where postal codes are L#L#L# — three letters and three numbers)
      6. Street number
      7. Street name
      8. City
      9. Another static number (CVV)
      10. Dynamic transaction hash

      These are the things (more or less) that can be collected.

      How can they be collected:
      1. Pen-and-paper (or by phone, effectively the same)
      2. Carbon-copy-imprint
      3. Magnetic reader
      4. Chip reader

      How they can be transmitted:
      1. Postal Mail
      2. Phone-Audio
      3. Phone-Data
      4. Digitally (IP or Private networks)

      What gets transmitted and how:
      1. Afaict, transactions might only be summaries instead of the full details (e.g. it’s possible that a merchant won’t send your signature, but would keep it on file in case of a Challenge)
      2. Everything
      3. Tokenized — this substitutes account information for tokens which are somehow mappable to a card
      4. Encrypted — this ensures that for a limited period (say 1-2 years) most people who can’t get the encryption/decryption keys will be able to read the transaction*

      ApplePay/Samsung/whatever more or less amount to Tokenized+Encrypted. The real question with them is how many implementation bugs do they have, and where. ApplePay initially had a sign-up bug (not a bug in ApplePay, a bug in the Bank Issuance process at some Banks) where “people” could sign up for ApplePay before the bank had any process to verify the card holder (this was pretty hilarious — don’t bank at places like this).

      The problem w/ ApplePay and friends from my perspective is that the Issuers (typically banks) are about as clueful (i.e. not-at-all) as the car Insurance companies were about security. When cars came out w/ key fobs, the insurance companies trusted the car companies who claimed that they were secure. When people reported their cars were being stolen, the insurance companies rejected the claim accusing them of “fraud”, after all, “the key fobs couldn’t be duplicated”! This was a total lie. As a customer, you don’t want to be in a position where the people you deal w/ claim “the technology is bulletproof, so any time there’s a transaction, it must have been authorized by you”. There have been attacks against Fingerprint readers (MacGyver, Mission Impossible, and James Bond all described the general theory long before people started to try to deploy them for normal use, and hackers have developed working attacks against current technology).

      There are also strange deployments:
      * “pay by sms”
      * “pay by QR”
      * “pay by email”
      * “pay by Twitter”
      — Most of these are horribly insecure if you spend any time to think about them. Because they’re working based on things which aren’t secure:
      * the telephone network can be hacked/socially engineered in dozens of ways (the easiest is probably an account take-over of a phone account by socially engineering customer support).
      * QR codes be be painted/pasted over.
      * Twitter can be taken over (if you have a Twitter account, you should be using 2FA, but you probably aren’t, if you aren’t you’re definitely vulnerable, see @mat amongst other stories).
      * While email in theory could be made somewhat secure, most deployments are horribly insecure. And most people don’t understand what parts of an email envelope can be trusted.
      * I still deal w/ large companies who don’t understand that the “From” line of an email isn’t proof of ownership of an email address (hello IBM)
      * TLS implementations to secure data in transit are ad-hoc (some companies manually curate their list of trusted roots, which is pretty much insane)
      * S/MIME (a digital signature solution) has been dead in the water for over a decade
      * PGP adoption isn’t much better than S/MIME, and the trust model is probably arguably worse (although, I suppose it depends on who you think your attacker is, but let’s assume you’re more worried about serious entities w/ time and resources as opposed to a single bored 10 year old).
      * As a user, you will be tricked into making a transaction you didn’t want to make.

      There are alternatives to the standard credit card system, PayPal is the most obvious one. The downside to PayPal is that it’s mostly an unregulated private company. That means that to some extent, they are their own law. They aren’t a credit card company bound by laws covering credit cards. At one point portions of them were a bank (and they had a money market which offered interest).

      For a really insecure way to send money, look into SWIFT and friends [1]. Note: SWIFT, ACH, and similar all are built around a “we trust everyone who has the account number” system. Think about credit cards from before the CVV, except that money can be sent either way.

      * Encryption isn’t about protecting data forever, it’s a mathematically complex process to make it computationally hard to crack given currently available technology. Most ciphers have or will be broken given time and advances in technology. There was a time when it was computationally infeasible to crack an 8 character password, and then there was a point when it would take three months, at this point it’s feasible (<6 hours given 5 special computers, more like a week given a macbookpro) [2].

      [1] http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR
      [2] https://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

  15. troyj

    Those thiefes been always so rich..
    and supported from the west.

    Swiss franks were sent to Lenin’s account in one of the Swiss banks. According to the newspaper, Trotsky had 11 million dollars and 90 million franks on his accounts, Zinoviev – 80 million franks; the “knight of the revolution,” Dzerzhynsky, had 80 million, while Ganetsky-Fuerstenberg had 60 million franks and 10 million dollars. Lenin, in his secret note to the Cheka leaders Unschlicht and Bokiy of April 24, 1921, demanded that they find the source of the information leak. However, it was never established.

    Was this money also meant for the world revolution? Or is it a kind of kickback from the politicians and financiers of those countries where Lenin and Trotsky’s “red horses” were not ordered to go? One can only hypothesize. Even now a considerable proportion of Lenin’s papers is kept top secret.

    Ninety years has passed since then, but revolutionary romanticism around the world keep maintaining that the Bolsheviks were passionate revolutionaries with high moral standards, patriots of Russia, and champions of Ukraine’s freedom. Until now there is a monument to Lenin in downtown Kyiv with an inscription that reads that it is only via the union of Russian and Ukrainian workers that a free Ukraine is feasible, while without such a union, our freedom is out of the question.

    Until now, on “revolutionary” holidays, people lay flowers at the monument to the man who was paid by the German intelligence. Unfortunately, even now a considerable part of Ukrainian society fail to perceive the huge difference between the leaders of the October revolt and the Ukrainian revolution of 1917 – the difference being that the Ukrainian revolution did not get any sponsorship from abroad.
    – in history everytime when there is stealing large ammounts of wealth it meand it goes to some regime…so i guess this it goes to ukraine

  16. Matt

    Regarding using cash for small purchases, I use a card for several reasons. One, I hate dealing in cash and especially with coins. Two, between points and required minimum uses (for several high interest bearing credit union accounts), it’s worth it to me as long as I know that I am making a secure (chip based) purchase.

    1. askmrlee

      * Two, between points and required minimum uses (for several high interest bearing credit union accounts)*

      If minimum use is generated by a debit card, you’re asking for serious trouble and inconvenience if the breach results in your debit card being compromised and fraudulent transactions against your checking account.

      Sure your funds may be restored after a few days or ultimately weeks but it’s your cash that’s been taken away until it is restored.

  17. DBA Chip

    Good golly. Even the DBAs have loads of work to clean up hot cards. The folks on the front facing the public also have a lot of work before them.

    smh

    BUT WEINERSCHNITZEL PASTRAMI SOUNDS GREAT.

  18. Marc Kilgore

    excellent article, Brian. Thanks for digging into this and letting us all know what happened.

  19. teddybear

    I wish blogs like this would make it clear that having EMV enabled readers does not protect PAN — your credit/debit card numbers — and other cardholder data from being stolen. It prevents fraudulent card present transactions–meaning someone couldn’t take a cloned card to a store and use it in store if your card ships with an EMV chip and they use EMV enabled devices. Someone could use EMV dip on an improperly secured system and still have their data stolen; however, this data could only be used in card not present environments or at stores that do not have EMV enabled readers. The point is, you do not know if your PAN and other track data is safe in both magnetic swipe or EMV dip situations without knowing the security policies and other details of the cardholder environment. EMV is not bullet proof.

    1. vb

      Someone getting the Primary account number (PAN) from an EMV hacking is not going to get the CVV1 or CVV2. Which means that they can’t do a magnetic stripe transaction because CVV1 is needed. And they can’t do a card-not-present transaction because CVV2 is needed. And if they get the iCVV and try to re-use it, that’s not going to work.

      PAN is not enough to clone a card.

      1. teddybear

        Hummmm……the crypto is additional information/security — EMV Chip contains Track 2 data CVV and PIN are included in the discretionary data section of that track 2 data.

        From Wiki

        “In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioural checking may not be carried out by the card issuer.

  20. TSSG

    “but that it had not gone public about the incident at the request of the FBI.”

    Did they notify their customers while the FBI flailed around or did LE not think that was a good idea either?

  21. Mahhn

    I’ll say it again: If these places had firewalls with strict access to only the payment processing company and or a HQ IP that then went to payment processing, the malware would not do a damn thing as it wouldn’t be transmitting data anyplace. There is no valid reason for a payment system to be on an unrestricted network.

    1. John

      Plus an investigation on how a PoS network gets infected in the first place.

  22. James Buchanan

    And interestingly enough, there was a second paper relating to codes to use on “chips”. A good guess, they will end as problematic as the stripe. The waitress takes the card, inserts it to the reader, it was refused. Customer pays with cash, but the reader was now infested.

  23. Santa Claus

    In the end consumers pay. Prices go up to cover the losses.

  24. JimV

    Haven’t eaten at an Arby’s for many years, and while unlikely to do so anytime soon I’ll be interested to see what the geographic pattern of compromised stores might reflect when the corporate HQ releases that list.

  25. S DAVIS

    ARBYS IS THE S*IT the 2 for 5 is whats getting everyone the jamocha shake and that fish Sammy!

  26. John Gomez

    We exclusively have the latest Internationally Patented Technology available now. 100% SECURE against all cyber borne threats…yes including hacking. A Very Long Line will Be Forming. Vir2us® Vmunity® is available, and costs less than all of the products that chase the problems from the top down. We Secure 100% from the bottom up. Guaranteed. This software is the True “Game Changer”-NSA

  27. John

    Meh, just another day and a few hundred thousand cards stolen. Does it really shock anyone anymore how poorly these companies secure your information? Not to mention how many of these places still lack chip card boxes. I suppose nobody wants to spend the money to upgrade them. I was thinking the other day, my cards don’t wear out anymore because I have to get news ones because of the compromises.

  28. Chucky

    J. Edgar Hoover would be proud of the FBI in this situation. Telling Arby’s to keep quiet about a major data breach while the Bureau tries to frame the Standing Rock protesters as domestic terrorists.

  29. Phil

    None of the fast food restaurants I have been to across the US use chip cards. They either don’t have a chip card reader at all like Wendys who ironicly still don’t after there there fiasco or they do have them but not turned on. I’ll wager over 80% of fast food restaurants across the country don’t insert.

Comments are closed.