April 14, 2017

It’s Friday, which means it’s time for another episode of “Which Restaurant Chain Got Hacked?” Multiple sources in the financial industry say they’ve traced a pattern of fraud on customer cards indicating that the latest victim may be Shoney’s, a 70-year-old restaurant chain that operates primarily in the southern United States.

Image: Thomas Hawk, Flickr.

Image: Thomas Hawk, Flickr.

Shoney’s did not respond to multiple requests for comment left with the company and its outside public relations firm over the past two weeks.

Based in Nashville, Tenn., the privately-held restaurant chain includes approximately 150 company-owned and franchised locations in 17 states from Maryland to Florida in the east, and from Missouri to Texas in the West — with the northernmost location being in Ohio, according to the company’s Wikipedia page.

Sources in the financial industry say they’ve received confidential alerts from the credit card associations about suspected breaches at dozens of those locations, although it remains unclear whether the problem is limited to those locations or if it extends company-wide. Those same sources say the affected locations were thought to have been breached between December 2016 and early March 2017.

It’s also unclear whether the apparent breach affects corporate-owned or franchised stores — or both. In last year’s card breach involving hundreds of Wendy’s restaurants, only franchised locations were thought to have been impacted. In the case of the intrusion at Arby’s, on the other hand, only corporate stores were affected.

The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to point-of-sale devices that were remotely hacked and seeded with card-stealing malicious software.

Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register. Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone. Malware that makes it onto point-of-sale devices capable of processing chip card transactions can still intercept data from a customer’s chip-enabled card, but that information cannot later be used to create a cloned physical copy of the card.

Update, April 16, 2017, 10:05 p.m. ET: After this story was published, an Atlanta-based company called Best American Hospitality Corp. published a press release claiming responsibility for a card breach impacting dozens of Shoney’s locations. Here’s the company’s notice about this incident, which lists the locations thought to have been compromised so far.

46 thoughts on “Shoney’s Hit By Apparent Credit Card Breach

  1. Jasper Corrigan

    This is all because of the Season 3 premier of “Rick and Morty”

    1. Mike

      As soon as I read the headline, I though the same thing.

  2. IRS iTunes Card

    I think their is one here in Daytona Beach on International !

  3. zzz

    > more secure chip-based credit and debit cards, which are far more expensive for thieves to clone

    that won’t last long if the only reason is because it is more expensive to clone…. price will drop.

  4. B_Brodie

    Lowe’s hardware has pin & chip terminals, but only for credit cards – you have to swipe debit cards.

    Two other retailers I visited locally this week were in a similar boat: chip terminals that are not yet operating at all for chip, forcing me to swipe.

    Isn’t it great to be too big to fail?

    1. Tony Pelliccio

      Interesting. Around here the debit cards use the chip.

    2. Gnecht

      There’s a long row of boxes that all have to be checked before a chip reader is usable. Many of them are on the merchant service’s end, and there’s not a single thing the store can do about them other than wait.

      The store might be able to change merchant services. On the other hand, the store’s software might know how to talk to only one or two of them.

    3. Robert.Walter

      Who were they? We name and shame around here!

    4. L Ross

      Most issuers allow you to use your debit card as “credit” allowing you to run your card as a chip, even at locations that require credit only transactions. It does depend on your issuer’s card requirements though.

  5. Joel

    I feel like I’ve said this before, but…

    If you eat at Shoney’s, you’re kind of asking for it. 😛

    1. Robert

      Oh, Joel too funny… But you have to try the Slim Jim with onion rings. You’re cardiologist will thank you….

  6. Chris Haskett

    December to March? Three to four months. Why so long before announcing it?

  7. tmiw

    It’s kinda disappointing that P2PE isn’t a mandate at this point, even if you have a chip enabled terminal. You’d think we’d have done both at the same time and eliminated even the possibility of being able to skim chip data for CNP fraud. (Little known fact: CVV2–which isn’t on the chip–isn’t actually required by a lot of online stores. Amazon is an example of a larger retailer that only needs the PAN and expiration, both of which are on the chip.)

    1. vb

      I just entered a new address on Amazon for an order and the Amazon website made me re- enter the card account number and include CVV2.

    2. mjb

      Use a credit card on Amazon? Why? If you use their store card, you get a 5% rebate every month on EVERY Amazon.com purchase.

      1. vb

        Thanks. I didn’t know that. I use an airline card on Amazon so I get frequent flier miles.

  8. vb

    Does anyone know why these hacks take so long to discover – typically weeks or months? After months and years of these seemly same breaches, are they still hard to detect? Have the hacks changed over time?

    Would it really be so hard for the company to sniff the network on occasion and maybe say “gee -look these here packets seem the same as the dozens of other point-of-sale-terminal hacks – maybe we’ve been breached?”

    1. sg

      Companies aren’t typically willing to pay specifically for preventative/exploratory malware scans. Currently they’ll only pay for defensive hardening services, but will only do in-depth malware scans in response to a confirmed breach. It won’t be long, though, before preemptive “check-up” scans for malware that you didn’t know you had becomes commonplace, possibly as a requirement for obtaining a “cyber insurance” policy.

    2. Mahhn

      I’m sure most of these hacks could be avoided if they had firewalls with strict rules of deny all traffic that isn’t going to or from specific vendors. But these $100 solutions to million dollar problems are blocked by executive stupidity.

    3. The Phisher King

      The answer is PCI compliance.
      If PCI requires it, it gets done, otherwise it does not get done.
      Merchants, for the most part, care only about meeting basic PCI compliance requirements to avoid being hit with penalties by EMV.
      Sadly they do not realise (or maybe even care) that being compliant does not mean being secure. One does not equal the other.

  9. Bill

    If the card reader itself performs encryption then the POS never sees the card data. The PCI certified card readers are made of unobtanium so the only options are to have an certified environment or a secure environment. Most companies are forced to take so much of their CDE out-of-scope just to get PCI certified that they’re fundamentally insecure. Does anyone really believe hackers care about PCI scoping? No.

  10. Tony Pelliccio

    When are we going to stop playing the game and go with two factor for credit and debit cards. Use an RSA token or even Google Authenticator. Be impossible to crack that one, well maybe not but a damn sight more secure than what we have today.

    1. Gnecht

      In November 2016, Pew Research found that 77% of Americans own smartphones. How would the rest of them run Google Authenticator?

      And I’ve heard the RSA tokens are shockingly expensive to deploy and run. Considering that USA was last to get chip cards because it was cheaper for the card issuers to just eat the fraud (and take it out on merchants with chargebacks) high-cost, complex authentication seems unlikely to happen.

      1. H Davis

        Maybe we (U.S.) could have gone with chip and PIN instead of chip and hope.

        1. JCitizen

          What’s the difference? Even out here in the desert they are going all out for “Cowchip-n’-pen”. I’ve never thought it was worth the expense, but I have no choice now, because all my cards have the chip embedded.

  11. S Colson

    You would think these companies would have appliances at each location that would block traffic not going to specific IP addresses and done with careful packet inspection. To me this is just sloppy indifference on their part.

    I have seen too many companies see IT as an expense that they have to reduce at any opportunity, no matter what the impact. Hire the best people listen to their advice and follow it. The IT department should NEVER be controlled by the finance or accounting departments of a corporation.

    1. Gnecht

      Have you ever tried to maintain a firewall whitelist for card processing?

  12. Bryan

    Bill is correct, the only way to go now is P2P encryption on swipe. That’s the way PCI is pushing everyone. The larger stores are weighing the costs of upgrading their POS systems (10s of millions) versus mitigating controls and isolating their CDE. The best way might be to put the POS on an island and use cellular to push everything back the processor where the vendors only have an authorization number to reference.

  13. Ken

    Believe it or not, credit card processing fees go UP when a merchant moves to P2P encription. The processors actually incentivize the less secure method. Nuts.

    1. Peter Shenkin

      They get a discount up front, but they pay later.

  14. aliog

    problem reaction solution… im sure we should work with reasons why problems occur.
    Those breaches and few kids from ghetto try to swipe cards its just tip of the iceberg.
    banks goverment and all institutions can shout down all scams and frauds in one day.
    for example russia? Can you do fraud there? No !! If you do fsb will haunt you down will take your money. btw…the security is bulletproof also nobody in countries like russia eastern europe or some european countries dont even think about.
    so what usa do differently??

    1. Stiles Hit

      Seriously. They’re not really hitting high rollers with that hack. It’s like robbing a lemonade stand.

  15. Jim

    Very good, interesting arguments also. Very good ending piece sumerizing the current credit card situation.
    Here is a kicker, a random thought, about a company that you invade,security wise, after you are sure the software is installed, send in a mule, to use a specific card. How many times, and check the reads for time. I’m not a security expert, but two signals that are a known, give you a pattern, patterns can be broken, how many algorithm s will a chip reader have? Probably one for each card company. After all, they have to be able to read it. Could that be a weak spot?

  16. FARO

    From readings on this site, I have changed my purchasing practices and use cash at restaurants. Use cards slaringly. Thanks Brian.

    1. FARO

      Question the motives of your sources or the methods
      and timing of arriving at their conclusions. Having a nice stay in Nashville this Easter weekend. Nice to see I can post from a cell phone.

  17. olaje

    usa is nation of 0 brain 0 iQ dumb.
    thats why azekanezis take from them.
    fix your country education. brains..then fix

    1. TechGeek

      You have no idea what you’re talking about. If you’re trying to make a useless point of some sort, at least use proper grammar.

  18. E. Bay

    The article says the writer had tried for weeks to get a comment from Shoney’s….what do they have to hide? If you go to Best American Hospitality’s website, you find a list of “affected” locations. and it says they are managed and operated by corporate Shoney’s.

    1. Reader

      That information was not made available until after the article was published. Their press release (link below, in another comment) came after, as well.

  19. Robert Barron

    “Malware that makes it onto point-of-sale devices capable of processing chip card transactions can still intercept data from a customer’s chip-enabled card, but that information cannot later be used to create a cloned physical copy of the card.”

    Not 100% true. If the card it taken in a swiped format (not dipped), then it would be possible to clone the card and use it on a non-EMV enabled POS system.

  20. HankC

    “Best American Hospitality Corp. … claiming responsibility” makes it sound as if BAHC is the hacker.

Comments are closed.