77 thoughts on “P.F. Chang’s Breach Likely Began in Sept. 2013”

  1. Andy

    This is going to be part of the tipping point that puts retailers on the hook for poor security practices. The PCI council is going to have to make an example of someone and prohibit them from accepting credit cards. This just might be the case that makes this happen.

    1. Rick Romero

      Just like TJ Maxx? A $40 million settlement in 2007, and when I worked InfoSec at a Fortune 500 retailer in 2011, I was still tasked with trying to convince ‘IT Professionals’ that regularly changing passwords was a good thing.
      Mostly it was ‘too much work’ or ‘not in the department budget’.
      My biggest political win was getting a ‘fully intrusive’ app owner to change his passwords regularly, basically because there was just a single owner. Either he was responsible for an intrusion and lost sales, or he could simply coordinate the damn password change a whole 4 times a year.
      Large retailers, like where I worked, simply look at a $40 million settlement as an acceptable risk, and a ‘possible’ cost of doing business.

      1. Simon

        Why is changing passwords regularly a good thing? My experience is that it makes things LESS secure, in that it forces people to constantly come up with new passwords that they can remember (rather than letting them set a single, highly secure pass-phrase).

        1. Rick Romero

          In this case, we’re talking about changing passwords for automated systems. These are only entered once.

          Yes, SSH keys would be preferred, but not applicable with this particular Windows app.

        2. Tony

          Changing passwords on a regular basis reduces the time an attacker has to use the password. Complex, long passphrases are good against cracking but a keylogger makes the “highly secure” passphrase a known entity. The idea is to make them hard to crack AND limit the time that they’re in use. I agree that some companies go too far (e.g. every 30 days). However, once you’ve shown them how, if people have difficulty coming up with and remembering (in this example) four strong passphrases per year they’re probably not that good at other stuff, too. 🙂

          1. Mark

            Yep, good point.
            And for everybody (me included), don’t forget that security is always a matter of layers: each one is important, but the whole layer is the Great Wall against bad bugs.

          2. Robert

            “Changing passwords on a regular basis reduces the time an attacker has to use the password.”

            While true, any attacker better than a script kiddie will install a backdoor. Now he (or she) will no longer need said password.

            1. Anon.

              “While true, any attacker better than a script kiddie will install a backdoor. Now he (or she) will no longer need said password.”

              That provides another opportunity for detection. Many long-term compromises have been detected when a script kiddie installs a backdoor that sets off even rudimentary IDS.

          3. Geoff

            It also reduces the time a hacker has to break a password. Unless you are very careful about security boundaries (and most organizations are not), chances are you have accounts which are privileged on high-security assets being used to log on to low-security assets as well.

            For Example:
            Do your Wintel admins ever log on with an account which is a member of Domain Administrators to their personal laptop? Do they then have the ability to run untrusted and unsigned code on said laptop? If you answered yes to all three, congratulations, you are like almost every organization.

            Now guess what: an attacker might be able to recover the cached credentials from that machine; perhaps (s)he grabs them from lsass after using some browser exploit on the machine while it’s offsite and not behind the corporate firewall. Chances are they get hashes, not the passwords themselves. If they have time to crack those hashes, they might be able to authenticate to your other public-facing assets undetected. Now they can get on your VPN with their own machines; they don’t even need a pivot point.

            If the password was strong, though, and changed frequently, hopefully by the time the hash is cracked the password is no longer valid.

      2. Andy

        But, no longer being able to accept credit cards would be a killer for a business where 60%+ of the sales are on credit cards. Really, I think this is what it’s going to take. The credit card companies are not going to blacklist Target, but, a restaurant like P.F. would be the perfect example. If it didn’t kill the business, the entire BOD would be gone as would all the senior leaders. It would send quite a message to any VP or BOD who thinks it’s the processors problem when a breach occurs.

        1. Joe McDonald

          It is highly unlikely that P.F. Chang’s would be prohibited from processing credit cards.

          At the end of the day, it comes down to money. If we assume that the company pays an average of 2% per transaction and 60% of their sales are credit/debit cards, this amounts to roughly $4M per quarter to the credit card companies. I can’t imagine the credit card companies would agree to give up that revenue.

          If an example were to be made, I imagine it would be a smaller company. Probably one that doesn’t have the pocket depth to fight the prohibition in court. With annual sales of over $1B, I think that P.F. Chang’s would fight it and would very likely get an injunction to postpone the prohibition until after the courts have decided the matter.

          1. Bob

            Did you just say, “at the end of the day”? Wow, congratulations, you’re a corporate deadhead panderer and is a litmus showing that you know nothing.

            1. Fenris Ulf

              And your sentence structure shows you’re not too sharp either, Bob.

      3. George Grachis

        I agree, and we now have encrypted password vaults on our smart phones. I say use a passphrase and the vault.

        I know of K-12 schools where kids as young as 1st grade can easily create a complex password. This really is not that hard! We just need to educate users on passphrases, e.g. Iwiwitb$am01 (I wish I was in the Bahamas sipping a martini 01…) or Aiwtdih$f01 (Sheryl Crow song…. All I want to do is have some fun). Who can’t remember that one? Have a great day everyone!

    2. sarah

      As a PCI-compliant merchant, I must point out that full compliance does not guarantee we couldn’t be breached.

      1. Rick Romero

        PCI Compliance is, at best, a snapshot at one particular second – assuming all necessary data is present and reviewed. There has yet to be a breach, that I’m aware of, where the forensic audit found that the victim was compliant at the time of the breach. The responsibility is on the merchant to maintain their compliance – hence the Visa/MC fines per card.

    3. Brad

      FYI, the PCI Security Standards Council has no enforcement authority.

      1. Anon.

        “FYI, the PCI Security Standards Council has no enforcement authority.”

        Technically true, but the card brands that comprise the council definitely do.

        Merchants without satisfactory compliance can / are given choices:
        A) Come into compliance within 30 days
        B) Stop taking transactions
        C) Pay $50,000 a month in fines

        This “stick” has been used many times. In the one case I know some details of, the company actually decided to pay the fines for over two years – because it was cheaper than getting compliant, supposedly anyway.

        But ultimately, everyone is incentivized *away* from security. Any barrier to processing transactions is lost money.

    4. Merchant

      Are you kidding me? The tipping point is when the banks and card associations penalize the merchant? I am starting to believe they have successfully brainwashed the entire American public.

      How about the tipping point where the merchants finally put their foot down and DEMAND a secure card processing infrastructure (from the physical media all the way to settlement) or else we’ll finish what we started with MCX and build our own payments infrastructure.

      Folks, memory-scraping malware is real. End-to-end encryption is not a reality. EMV and all that other hooey fooey is worthless. We’re naked and can’t do a damn thing about it until the track data gets encrypted from end to end. We’re fed up and we’ve had enough. VISA, force your member banks to build the encryption infrastructure so we can send transactions encrypted end to end. Fix this thing once and for all.

  2. Cosmic

    If this breach overlaps the time period of the Target breach, that leads to some interesting thoughts.

    1. Whoever was running this breach knew not to flood the market, and instead held back until things calmed down from the Target dumps.

    2. Any cards used at PF Chang, and also part of the Target breach, would have to be filtered out, because they would likely have been cancelled already.

    hmmm

  3. Andrew Deichler

    Quick question… an average customer check of $100 seems rather high for a restaurant like PF Chang’s. Did you get that number from the income statement?

    1. doug

      $100 per check sounds about right. Few people eat alone. Most are couples and then groups of 4 and the occasional more.

      When a friend and I have dined there (last time over a year ago) the bill was $100 ish. I also spotted for a group of 8 for a celebration and the bill was about $600.

    2. dawn

      You are correct, this is not accurate: in the last 10-K, filed in 2011, the average check per guest is $21.

      1. Joe McDonald

        And a party of 4 would come to $84 not including the tip (which isn’t counted in the average per guest). A 15% tip brings it up to $96. Close enough to $100 for me.

      2. robo_answer

        Yes, but there can be more than one guest per check/bill. To know the average $ per guest, we would also need to know average guests per check/bill to guess the number of credit cards used. And it will always be a guess because there are other payment methods available, including cash and gift card.

        So if the average guests per check/bill is 4, then Brian is pretty close. If it is under 4, then the likelihood is a larger possible number of credit card numbers to be breached.

      3. doug

        The 10-K specifies $21 to $22 per guest and includes lunch and bar-only customers. It also wouldn’t include sales tax or tip, which for me runs about 35%.

        Another factor is cash payers v credit card payers. Cash payers generally have lower bills and are especially more numerous amongst bar only customers. Credit card users are more likely with larger groups because of the bill size. Thus credit card bills approaching $100 (which include tip when posted) seems pretty reasonable. It certainly matched my limited experience.

    3. Regret

      He’s being conservative – if the average ticket was smaller, then there’s a potential the breach had access to a greater number of card numbers.

  4. Len Jaffe

    Disappointingly, this article does not explain how information indicates that the breach started in 2013, as I inferred from the headline, which is why I bothered to read it.

    1. BrianKrebs Post author

      The CAMS alert from Visa said the breach in question ran from Sept. 18, 2013 to June 11, 2013; the alert also listed hundreds of specific cards that the bank had issued to customers that Visa believed were impacted in the breach. The bank that received that CAMS alert found all of the cards it had bought in the P.F. Chang’s batch on that list.

      Clear?

      1. Len Jaffe

        Yes. Thank you.
        I appreciate your taking the time to follow-up.

      2. Susan

        I was at a Chang’s in March of this year and paid with a MasterCard. I’ve not received any notification about this breach. However, I look at my accounts online every day without fail and have not seen anything out of the ordinary. Is there something else I need to be doing?

  5. A wink

    You obviously have never been to PF Chang’s!! That wasn’t an insult, but an average check of $100 is a pretty big stretch!! Average check of $50 would even be a stretch. I went there all the time, paid for my co-workers a couple of times, and the total was less than $60. Very inexpensive place to go to eat. I would estimate with a $50 average check, it is well over a million CC #’s that were compromised.

    1. lefse

      He’s making a conservative estimate. (Smaller checks would result in a higher number of cards.)

      1. Richard

        Average appetizer costs are $8, soft drinks/tea $3, meals $12 to $15… with more than two people you can easily exceed $50 and with four $100. I think the point is he is making a conservative estimate.

  6. JC Wylie

    I get the “knucklebuster”, but what good is that? Sounds like even more exposure of another kind. How do the transactions then get processed? Keyed into software manually that could be hacked as well? It seems to me the reality of a secure transaction leads back to dial-up terminals. I’ve not seen any acknowledgement of that at all.

    And then you have the merchant, in this case PF Changs, paying the higher Interchange rate back to the issuer. It seems like a win for them (the issuer) and a tragedy for the merchant.

    1. Andrew

      “I get the “knucklebuster”, but what good is that?”

      It wouldn’t work for me. My credit cards (except for Amex) all are now smooth, in other words there are no hard numbers protruding up from the card to be etched into the carbon paper. Cap One alone for example must have tens of millions of cards that can’t be recorded by a “knucklebuster”.

      1. JC

        Funny, come to think of it, my Chase “chip card” and my wife’s Cap One GMAC are not embossed… I’m embarrassed I didn’t think of that.

        So if I had to rely on point of sale devices I’d have to dust off my Zon JR XL’s, plug them into a copper phone line when I open shop in the morning, unplug them at night. Put them in the trunk of my car and lock the car.

        PCI? Security? Maybe I have a new mouse trap!

        1. Rick Romero

          I’ve never understood why ‘they’ think a phone line is better than SSL over the Internet for a terminal (not POS system).
          A MITM attack on dial-up is how Mitnick got busted.

          1. ThinkingAboutIT

            “I’ve never understood why ‘they’ think a phone line is better than SSL over the Internet for a terminal (not POS system).
            A MITM attack on dial-up is how Mitnick got busted.”

            Why would the telephone device need to answer? It only needs to call out to process a transaction. Why can’t SSL over phone line work? One-way initiation of the call equals fewer points of defense. Encrypt it to avoid MITM attacks.

    2. sarah

      When I made this point to PFC, in response to their customer notification on Saturday, I got no response. I think it must be the only thing they could think of to “assure” (read: fool) the less-informed consumer.

    3. SeymourB

      Apparently they’re getting faxed/scanned and transmitted to a central location for processing.

      Still, without the CVV2 and magstrip, the usefulness of this data is quite limited.

      I suppose you could emboss your own credit card with the information and take it to PF Changs…

  7. Dave

    With Pei Wei being the quickie bistro version of P.F. Chang’s, has anything come up that suggests they got compromised too, or are they truly and completely separate?

    1. BrianKrebs Post author

      From the story above:

      “Deanovic added that there were no indications that the breach extended to any of its 192 Pei Wei Asian Diner locations across the country.”

      1. JimV

        Doesn’t “no indication” really imply that they simply don’t yet know whether Pei Wei customers may have been compromised, rather than affirming a solid negative condition based upon thorough and exhaustive forensic investigation?

        1. SeymourB

          This is getting into Flying Spaghetti Monster territory. No indication means there was no indication of a breach. You can choose to believe a breach will be uncovered later, or you can choose to believe a breach won’t be uncovered later, but neither would be based on reality since there’s no indication.

          1. Ji

            What I choose to believe is that statement was far more likely to reflect the PR spokeswoman simply hewing verbatim to a CYA damage-control talking point approved by the corporate legal department for public dissemination until further notice from them, and not a definitive negative technical affirmation based upon that thorough forensic investigation which is still continuing in the background.

            1. outpost99

              This information from a cardholder’s bank is likely just precautionary; however, there are no P.F. Changs within 100 miles, only Pei Wei. Cardholder has never dined at a P.F. Changs. Cardholder frequents Pei Wei often, as it is in close proximity to office. Same cardholder receives a letter from bank with the following statement. “P.F. Changs & Pei Wei Restaurants recently confirmed a data breach of customer credit and debit card information. Please be advised your card number has been identified as one that was exposed to compromise as a result of this event. We were notified that the impacted cards were used at P.F. Changs and Pei Wei Restaurants during the time period between March 1, 2014 and May 31, 2014.” This cardholder was also included in the Target breach and had replaced the card for that event and will now be replacing the card again.

  8. TheBigLie

    Working in the card industry, these breaches are all too common on these platforms. It’s not one particular one, but all of them from Micros to Radiant and everywhere in between. You don’t hear about the multitude of smaller ones, but one of my customers was breached; in 20 days 1500 cards were impacted. The restaurant does $2.5MM per year in volume, so do the math, take out 30% for repeat clients and this is going to be a huge count. The biggest issue for the smaller restaurants is they just don’t know how quickly the breach can stop your business. The above client faces $10,000 in fines from each card brand and that is the starting point. They don’t have the resources like these big chains to label this as an acceptable risk. It’s mostly business owners who know how to run a restaurant and hire the least expensive IT people to help them operate their systems, which leads to open ports and so forth. Perhaps if the card industry went to the carrot method instead of the stick, these people would take data security more seriously(?)

  9. al

    At some point, the merchants should be held responsible. Period.
    Identify the person in front of you! All they do is swipe the card – they must / should be held accountable on those transactions that are truly fraud.

    1. SeymourB

      Uh. The fraud being committed wasn’t by purchasing meals at PF Changs. It was by gathering credit card information using PF Changs and then reselling those cards for purchasing other things. Those other things are typically purchased using automatic checkout lanes or the like, where no human sees the card.

  10. TheOreganoRouter.onion.it

    Another interesting article. Keep them coming!

  11. not again

    The fact that they are using manual processing at all stores could be preventative instead of a signal all stores were compromised. Is there further evidence to suggest that all stores were compromised and not just restaurants in the six states that were mentioned initially?

    1. Alex C

      It’s a trust thing. The manual imprinting is highly visible to clients, if highly impractical. This way they get to be proactive in pretty much the only way they can while retaining a business. Refusing plastic would kill them.

  12. EVH

    The number of impacted cards is pure speculation. It’s unclear at this point if the initial intrusion was Sept 13 vs exfil starting that date. It also assumes every location was compromised from that date or that the attack compromised some central point of aggregation for card data flowing through the network.

    There will never be a “death sentence” for breached companies. The processing fees are too big for the card brands and acquirers to ever do this. There is a small restaurant group in Boston that has been breached 3 separate times years apart in very simple attacks compared to these and they still happily process cards.

    1. BrianKrebs Post author

      Pretty sure the word “assumption” or “assume” shows up several times at the end of the story. I also make clear that I’m speculating on the actual number of cards that may be compromised. In addition, the story is clear to note that PFC has not confirmed the breach window.

      1. not again

        Do you think that restaurants in every state were compromised? (as opposed to just the six states listed in all the early reports on the breach)

  13. Danielle Duclos

    So when are we proactive rather than reactive? I am biased because Bluefin just introduced the first PCI-validated solution for point-to-point encryption (P2PE) in North America. Our solution encrypts cardholder data at the point of entry, swiped or keyed, in a PCI-approved device – which means that no clear-text cardholder data moves to the POS. It is not available in the device, it is not available in the POS. Will this stop a breach? No. But will it stop fraudsters from grabbing card information entered in the POS device? Yes. Is Bluefin’s PCI-validated P2PE the only solution for payment security? No. EMV will secure the card itself, and prevent white-labeling, and tokenization will protect stored data. P2PE, EMV and tokenization are a holistic security approach, which is a better solution than what we have now.

  14. Richard

    I work in an environment where compromised cards have been an issue. I can attest it is very difficult — and a long process — to gain the kind of information necessary to detect and secure breaches. Credit card issuers, card processors, merchant services, and other vendors often report information to merchants which is either so scant or so untimely, that damage has already been done before the merchant is notified. As we move our IT people into action, more cards appear to be compromised (many of these are believed to have been breached in the past but are just now being used). This creates a problem for IT because it’s difficult to know if we have successfully protected cardholders with new actions or if the breach is still live. Moreover, I have found POS vendors to be very defensive and unwilling to come clean about the security of their equipment, software and processes. I hope new, affordable, timely processes develop from these situations that will help those of us who want to run secure businesses quickly identify breaches and secure the situation before it reaches this level. Often it’s not so much the merchant being lazy as it is the merchant having difficulty getting good information that will help us target problem areas. Keep in mind, not everyone is a Target or PF Changs. Many of us are small-town stores trying our best to stay on top of these issues with very little resources. I applaud the Secret Service for being very helpful in my area.

    1. DanielleDuclos

      To your point, Richard, the POS devices in retail today – which you can buy on Ebay – have a huge potential for being compromised. Not to knock the POS devices, we are working with many of the providers, but unless you have a COMPLETE solution in place – embraced by IT (and trained) – that is certified for P2PE, it will be like the Wild West. And it’s not just Target – check the stats, 55% of SMB’s in the U.S. have copped to a breach. SMB’s are the easy target – they are the practice for the big guys.

      1. Kaneda

        You’re just advertising your stuff here, aren’t you?

        1. RobertM

          That may be true but it is on topic and very useful to point out that there are solutions that would limit the massive number of breaches we’ve seen in the last year.

          No disclaimer- no affiliation.

        2. J Robinson

          The main issue I have seen when pitching true P2PE like BlueFin, FreedomPay, etc to larger restaurant groups is that they are priced so thin that they are not interested in the added insurance policy.

          Hopefully this breach and associated fine will help a few of them wake up.

  15. Povl H. Pedersen

    PCI needs to drop magnetic stripes, and demand P2P solutions with chip and PIN like those used in Northern Europe. The retailer has no way to get the card data. Now it is the pinpad vendor that will be responsible.

    And retailers can then forget about PCI.

  16. Wombat94

    :::sigh:::

    All of the posts saying “PCI should require this” and “PCI should do that” and “merchants should be forced to do the other thing” miss the reality of the situation.

    The PCI Council is – effectively – the card brands (VISA/MC/Discover/AMEX).

    Everyone must understand this… PCI is not acting in the interest of consumers. Never has and never will – unless the interest of the consumers is determined to be most likely to maximize profits.

    The banks and card brands only make money when credit/debit transactions are processed by merchants.

    Merchants only make money when they can process transactions, but if the total cost of processing those credit card transactions is too high (transaction fees, equipment costs, system integration costs) then merchants won’t push customers toward credit cards – and may drop credit altogether.

    That is the worst case scenario for the card brands.

    But the card brands DO recognize that it is important to move toward more secure credit card processing systems, so they have plans in place to sunset equipment and require merchants to become more secure. These requirements are RARELY hard drop-dead dates because that would cost the card brands business. When more secure equipment becomes available in the market, it is generally 5 to 7 years later before it becomes mandatory – because the amortized cost of new equipment is then a reasonable business expense in the eyes of most merchants.

    P2PE being widely available in the market for credit card readers is about 4 years old, but it is still a fairly fragmented market without standards for interoperability between different vendors equipment.

    Some day, PCI will likely require P2PE, but it is not likely to be any time soon (i.e. before 2018).

    The reality is that the costs of being breached – to the INDUSTRY AS A WHOLE – are lower than the costs of switching out all of the equipment and implementing all of the systems required to support that equipment. Until that math changes because of decreases in equipment or a critical mass of equipment is deployed that COULD HAVE P2PE enabled, then the smart business move is to take the risk that a given merchant will be breached… this is true even taking into account the cost to a brand’s reputation by having been breached.

    So what is a consumer to do until that time?

    I have the same recommendation that I have always had.

    1. Never use a checking-account linked debit card to pay for purchases at a retail point of sale. There is little benefit to doing so, and the risk of having your checking account drained is too high.

    2. Use a limited number of credit cards at retail and monitor them regularly for fraudulent activity. All banks have fraud protection built in to their agreements which will protect the consumer from most of the negative effects of having a card be stolen. Most of the time, checking in each month when your statement arrives to be sure you recognize the purchases is good enough. If it turns out you have used the card at a merchant that is known to have been breached, check more often – and have the bank issue a new card ASAP.

    3. If you follow #1 and #2 above, you can generally disregard the hype about “identity theft”… having a card number stolen and used to purchase goods or services without your permission is NOT identity theft. It is inconvenient, but it doesn’t give the people skimming card numbers and selling them on carder sites access to your other personal info.

    1. Rick Romero

      “PCI is not acting in the interest of consumers.”
      Exactly (re-reading your post, I’m just summarizing what you’re saying :). And it doesn’t have to. Consumers are protected against fraud by Visa/MC regulations. Having your card # reissued is not identity theft. Any problems for the consumer from these exploited merchants is caused by the consumer’s lack of understanding on how they should be using their payment card.
      NEVER use the debit network – i.e., enter a PIN – your bank account is not protected against fraud. The problem with that quick analogy is the newer credit cards will require a PIN, as I understand it.
      And just to be fully clear (because the generalization kinda rubs me the wrong way, but I think you’re aware), PCI doesn’t cover POS devices, that’s PA-DSS. PCI merely covers storing and transmitting credit card numbers.

      1. Wombat94

        Rick,

        We are basically agreeing. I was not implying that the PCI council was supposed to be an advocate for consumers – that is not at all its purpose. It is an industry council that is tasked with acting in the best interests of the payment card industry.

        Your point about PINs is different than my #1 recommendation, though. The issue is not whether you enter a PIN for a debit card transaction – the issue is simply swiping the debit card through the payment terminal at all. I repeat – DON’T DO IT. Use the debit card ONLY for withdrawing cash at an ATM – and if possible only do THAT at bank branches where the ATM machine is inside a secured area… in order to minimize the potential for skimmers being installed in the ATM itself.

        One final clarification – PA-DSS is a subset of the PCI requirements – and one that ONLY applies to either packaged software sold “off the shelf” or “software as a service” that a vendor sells to merchants.

        It specifically does NOT apply to a large percentage of credit card implementations out in the field – especially ones where there is customization of an off-the-shelf package or a completely custom implementation in place.

        The merchants have to be PCI-DSS compliant, the vendors of off-the-shelf payment software have to be PA-DSS compliant. Use of PA-DSS compliant software by a merchant can streamline their PCI compliance, but it is not – in and of itself – enough to make them PCI compliant.

  17. Silemess

    A question: I assume a CAMS alert is issued for each detected breach. If it’s meant to alert banks to potential fraud, why does it exclude the vendor who was compromised?

    It just seems wrong to tell the banks that a series of cards were compromised but leave them hunting for the common thread. Banks may have other cards at risk of exposure that were not covered in the alert. Secrecy seems to be of little benefit when better information would result in better reaction time and thus a shorter window for the cards to be active and valuable to the fraudsters.

  18. W Sanders

    Wait! they switched to manually swiped carbon copies? Now data can be stolen by both hackers and anyone with access to whatever random drawer they toss the receipts into?

    1. Rachael O'Halloran

      I just want to mention that the disposal of the carbon copies was the original issue with using those machines. If they are swiping using carbons, they have left themselves open again for another breach.

  19. FraudGuy

    Given the current rate of occurrence for POC identification of various “mom and pop” liquor store and car wash locations across the country, I have been speculating that perhaps the common thread for these various events is Windows XP based POS systems. The basis of my hypothesis has been that since Microsoft is no longer providing support for XP based systems, there are no longer any security patches available to retailers running that type of POS system. As a result, unpatched systems would be highly vulnerable to attacks similar to the methodology used in the Target event. In researching the theory, I found an interesting article directed at retailers still running XP platforms. Make note of a couple statements within the article…

    “The hackers that target payment systems are well aware of what POS software is likely to be on XP machines and will be targeting those heavily, especially once there is a vulnerability that is discovered after the sunset date passes.”

    “In the unfortunate event that you cannot immediately migrate away from Windows XP, there are a few solutions that can be implemented although they’re by no means ideal. The quickest and cheapest remedy is to remove the card processing functionality from your POS system and utilize traditional stand-alone credit card terminals.” – I find this comment very interesting because this is the exact mitigation step that P.F. Chang’s has deployed (reverting to “knuckle busters”) to address their current compromise situation. Makes me wonder if XP was in play for their breach.

    1. JimV

      XP may not be completely dead or obsolete where POS systems are concerned just yet — the embedded version used for POS systems will apparently still be supported by Microsoft until January 2016, though I’m sure MS is encouraging those legacy users to upgrade their POS software to the embedded Win7 or Win8 versions as quickly as they are able to do so. Whether a particular user is continuing to install the security updates is, of course, an entirely different matter.

  20. Rachael O'Halloran

    The wording of the spokeswoman’s original statement is cryptic at best and possibly can be taken two ways. I put ** for emphasis.

    “P.F. Chang’s is aware of a situation **where stolen credit cards used at several of its restaurants ** experienced fraud on them,” states Anne Deanovic, a spokeswoman for the company. “We will provide an update as soon as we have additional information.”

    “experienced fraud on them.” This is odd phrasing in any vernacular. As a notification to the public, the whole sentence is utterly ridiculous.

    Her statement implies that stolen credit cards were used at their restaurants when in fact, the credit card info was stolen from their network, not the other way around.

    Their website http://pfchangs.com/security does not have the same wording:

    “On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants.”

    10. HOW DO I KNOW IF MY CARD WAS INVOLVED OR SHOULD BE CANCELLED?

    Because we are still in the preliminary stages of our investigation, we do not yet know which credit or debit cards may be involved. P.F. Chang’s has notified the credit card companies and is working with them to identify the affected cards. We encourage you to monitor your accounts and to report any suspected fraudulent activity to your card company.

    11. WHERE SHOULD I GO FOR UPDATES?

    We encourage you to check this website for updates. If you have additional questions, you may also call 1-877-412-7152.

    The website hasn’t been updated in quite some time and from what I’ve read here on krebsonsecurity.com and several other sites, this company is not being as truthful as they could be with the public. If it wasn’t for you sleuthing as you did, and posting your findings here, this would have been another breach that just got glossed over.

    The original statement – if one is hearing or reading it for the first time – is an attempt to downplay the breach, probably in an effort to save face so that they don’t lose faithful patrons.

    With new information about the breach dating back as far as September 2013, this has the potential to become a rather large breach. Who is to say that it didn’t cross over to their other subsidiaries – Fleming’s and Pei Wei if they all use the same payment center?

    I think this was handled badly and now using manual imprint machines will only leave them open to carbon copy theft. Somewhere, somehow – if a thief wants the info on carbons bad enough, he’ll find a way to get it.

  21. not again

    UPDATE: I used my Visa debit card at P.F. Chang’s twice in the March to May period (early May and late May). I got a letter from my bank (a credit union) last week that Visa had alerted them to possible fraudulent activity on my card and that they were issuing me a new card and PIN as a precaution. My bank gave me a grace period before they cancelled my card (i.e. a time period that the old card would still work) and sent me a new card, which I now have. I did not have to do anything but activate the new card. I asked for the old card to be deactivated before the grace period was up since I now have the new card in hand.

    I am from a state that is different than the six states originally listed in the breach, so I am assuming as Brian said in this article that the breach is larger than they are letting on. I never saw any fraudulent activity on my card, but am glad I don’t have to check my balance multiple times a day like I have been for the last several weeks.

    This happened to me with the Target breach in December so this is my second replacement this year.

    Lesson (finally) learned. I will not use a debit card for any POS transactions. Period.
