Slashdot Mirror


CiCi's Pizza May Have Been Hacked (krebsonsecurity.com)

An anonymous reader writes: Security expert Brian Krebs says more than half a dozen financial institutions contacted him, "all asking if I had any information about a possible credit card breach. Every one of these banking industry sources said the same thing: They'd detected a pattern of fraud on cards that all had one thing in common: They'd all been used in the last few months at various CiCi's Pizza locations... The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company's point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang."

The pizza chain referred Krebs to an outside firm managing their restaurants, who referred him to an outside PR firm, so he eventually just contacted the chain's point-of-sale provider, Datapoint. They confirmed that the Secret Service was investigating several different point-of-sale vendors in "one particular franchise... All of these attacks have been traced to social engineering/Team Viewer breaches because stores from several POS vendors let supposed techs in to conduct 'support'."

34 comments

  1. Obvious headline is obvious by Anonymous Coward · · Score: 5, Funny

    CiCi's lost CCs.

  2. Cheap pizza, cheat IT... by Anonymous Coward · · Score: 1

    Not surprising. Not good pizza either.

    1. Re:Cheap pizza, cheat IT... by BenJeremy · · Score: 1

      Shudder...

      Worst. Pizza. Ever.

      Even my boys hate the place, with a hot, burning passion. Cardboard, topped with a few teaspoons of bland sauce, barely covered with cheese, next to such lovely items as stale breadsticks and mac and cheese... did I say cheese? More like cloudy water.

      The only place I've eaten that was worse would be a couple of short-lived places on Yonge Street in Toronto in the 90s (UFO Pizza and some nondescript Chinese buffet).

    2. Re:Cheap pizza, cheat IT... by Anonymous Coward · · Score: 0

      It is really pretty bad. The main part is that they really skimp on sauce, which makes the whole thing a lot drier than it should be. The crust part of the pizza isn't bad as bread, but it's just too doughy for good pizza. I do like the cracker crust they put in their "Pizza Olé", and their thin-crust "Rustic" pizza, neither of which has doughy crust. And the salad bar isn't too bad.

      Having first eaten at Cici's since back in the '90s, I can say that the only time they were any good was right after they raised the price from $2.99. I guess they actually had some margin in the budget then.

    3. Re:Cheap pizza, cheat IT... by JustAnotherOldGuy · · Score: 1

      Shudder...Worst. Pizza. Ever.

      CiCi's is rivaled only by Chuck E. Cheese in terms of "non-edible items masquerading as pizza".

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Cheap pizza, cheat IT... by Not-a-Neg · · Score: 1

      I'm probably the only person on Slashdot that remembers Bullwinkle's in Santa Clara, CA (they closed in 1996). They would remove the plastic wrapper off their frozen pizza right before your eyes and stick it in the oven to be heated. A thin piece of cardboard, thin veneer of ketchup, a few sprinkles of chalky mozzarella and a couple slices of the thinnest pepperoni on Earth. The animatronic show preceded by a dancing water fountain was worth it though.

      --
      -==- Buy a Mac and leave me alone!
  3. I've heard of CiCi by OzPeter · · Score: 4, Insightful

    But I hadn't heard they made pizza. I just thought they were a cardboard tile store.

    --
    I am Slashdot. Are you Slashdot as well?
  4. NOOOOOOO! by Gravis+Zero · · Score: 0

    I didn't say anything when various stores, banks and social media sites were getting hacked because I knew that networked computers came at a price. But now YOU DO THIS TO PIZZA?! DAMN YOU! DAMN YOU ALL TO HELL!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:NOOOOOOO! by Anonymous Coward · · Score: 0

      That's not pizza, friend. -PCP

  5. American Italian Anti-Defamation League by Anonymous Coward · · Score: 0

    The American Italian Anti-Defamation League issues the following statement, "You'll shutup about this if you know what's good for ya."

    1. Re:American Italian Anti-Defamation League by Anonymous Coward · · Score: 1

      I think they should be more concerned about what is being sold under the name "pizza".

  6. People that eat that horrible pizza... by Anonymous Coward · · Score: 0

    deserve what they get.

    1. Re:People that eat that horrible pizza... by Anonymous Coward · · Score: 0

      Plus they're typically horrible people in the first place. My father is a cop, and every Friday and Saturday night they go to CiCis at least once. They look through the names on the POS, and usually find someone that has an arrest warrant. The stupid thing is that the criminals don't leave when they see the cops enter plus the fact that they go out in the first place and use a credit card!

    2. Re: People that eat that horrible pizza... by Anonymous Coward · · Score: 0

      What percentage has tattoos? The city I work in IT for, it's over 99%!

    3. Re: People that eat that horrible pizza... by Anonymous Coward · · Score: 0

      My mother works for our county jail. She says it's only about 90%.

    4. Re: People that eat that horrible pizza... by Anonymous Coward · · Score: 0

      I work as a contract security at a local jail, there's not many programming jobs around here, and I easily believe that over 90% of the criminals have tattoos.

    5. Re:People that eat that horrible pizza... by Anonymous Coward · · Score: 1

      My father is a cop, and every Friday and Saturday night they go to CiCis at least once. They look through the names on the POS, and usually find someone that has an arrest warrant.

      Nice to know that CiCi's is willing to let the cops rifle through their business records weekly without a warrant.

  7. Hello this is Microsoft calling... by Anonymous Coward · · Score: 0

    All of these attacks have been traced to social engineering/Team Viewer breaches because stores from several POS vendors let supposed techs in to conduct 'support'.

    I can understand someone's 82-year-old grandmother being victimized by this scam, but there's no excuse for employees of a software vendor to be falling for this shit. The POS manufacturers need to get named and shamed here.

    1. Re:Hello this is Microsoft calling... by MobSwatter · · Score: 2

      POS vendors should not be trying to service 10k+ deployments with a skeleton crew either. POS has for the most part been a pretty dirty business but has been made worse by economic conditions, pay scales falling and honest techs are in short supply under those circumstances, skilled techs are getting pretty rare. I've also noted a number of in-house jobs on restaurants on part of their employees as well. This whole thing is being produced by a failing economy, exactly why everyone should have the right to go crap on Rothschild's driveway.

  8. we've sure been getting a lot of stories by Black+Parrot · · Score: 1

    about something that "might happen" or "might have happened" lately. Isn't there enough news about stuff that definitely did happen?

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:we've sure been getting a lot of stories by DamonHD · · Score: 1

      You're old enough to understand by now that /. is not the place to be if you want complete certainty. Maybe go browse the NTSB 'completely unambiguously solved cases' PDF stack if you want that. Oh, wait...

      Rgds

      Damon

      --
      http://m.earth.org.uk/
  9. Datapoint? by Anonymous Coward · · Score: 0
  10. I don't think it was the POS manufacturer by infernalC · · Score: 3, Informative

    I am a senior developer at a POS software company, but not the one related to this story. My take from TFA is that the criminals impersonated support folks from the POS vendor, but didn't actually compromise the vendor's network. The PCI DSS has all sorts of requirements for merchants to follow that would have prevented this. For example, the merchants should not let computers in their cardholder data environment have unfettered access to the Internet, all remote access to the CDE must be multi-factor authenticated, and vendor accounts have to be enabled on an as-needed-only basis.

    This is probably a case of a criminal calling CiCi's store 2348, getting a franchisee-trained manager on the phone, and telling her "Hi, I'm from ACME POS, your POS vendor. We are calling to install updates to make the chip readers you aren't using yet work later on... and we need access to the workstation in the back of the store. Can you please open a browser and go to www.getmein.com?...". I doubt the defacing of the POS vendor's website has squat to do with it.

    Of course, the franchisee is running a consumer-grade router with no outbound filtering on it whatsoever... because they are in a low-margin business and they needed something cheap. The computer died in the back about 6 months ago, so they dropped in a replacement PC from Wal-Mart and promptly disabled UAC, etc.

    The manager isn't knowledgeable enough to notice that the domain he is being asked to go to is wrong, the caller ID is wrong, etc. He or she needs to worry about the 73 kids in the restaurant who are dropping pizza on the floor that the new guy isn't cleaning fast enough, the 8 pizzas on the stuck upper belt in the oven, and the bathroom with the overflowing commode. Not to mention the health inspector waiting up front. Trough-style kid's restaurants are a nightmare.

    I wish POS software could be handled completely as a service and reside in a VPC managed by the POS vendor. In reality though, the Internet is just not reliable enough for that in many (most) places, and controlling POS peripherals from a cloud app is not really feasible.
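
The first control infernalC lists (no unfettered Internet access from the cardholder data environment) can be checked against outbound-connection logs. The following is an added example, not part of the original comment: the CDE subnet, the allowlisted hostnames and the log layout are assumptions, and the sample log lines are constructed.

```python
import ipaddress

# Assumptions (not from the thread): CDE subnet, allowlisted hosts, log layout.
CDE_NET = ipaddress.ip_network("10.20.30.0/24")
EGRESS_ALLOWLIST = {"gateway.processor.example", "updates.acme-pos.example"}
# Remote-support services named in the story and in the comment above.
REMOTE_SUPPORT_SUFFIXES = ("teamviewer.com", "getmein.com")

# Constructed outbound-connection log: timestamp src_ip dst_host dst_port
SAMPLE_LOG = """\
2024-01-05T18:02:11Z 10.20.30.11 gateway.processor.example 443
2024-01-05T18:05:40Z 10.20.30.12 www.getmein.com 443
2024-01-05T18:06:02Z 10.20.40.7 www.getmein.com 443
2024-01-05T18:09:55Z 10.20.30.12 router.teamviewer.com 5938
2024-01-05T18:12:30Z 10.20.30.11 news.example.org 80
malformed line
"""

def matches_suffix(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (not a substring match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_egress(log_text):
    """Return (findings, skipped): CDE hosts reaching non-allowlisted destinations."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        # Only traffic originating inside the CDE is in scope; allowlisted hosts pass.
        if src_ip not in CDE_NET or dst.lower() in EGRESS_ALLOWLIST:
            continue
        kind = ("remote-support" if matches_suffix(dst, REMOTE_SUPPORT_SUFFIXES)
                else "not-allowlisted")
        findings.append((ts, src, dst, port, kind))
    return findings, skipped

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG)[0]:
        print(*finding)
```

A report like this only shows where the outbound filtering is missing; the control itself is a default-deny egress rule on the store's firewall.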

    1. Re:I don't think it was the POS manufacturer by luther349 · · Score: 1

      Coming from Pizza Hut from years, our POS system is Linux based. Few scammers know anything when it comes to Linux. If the workstation in the back dies we can't drop in another from Walmart; we have to wait for them to come out in person and replace it.

    2. Re: I don't think it was the POS manufacturer by Anonymous Coward · · Score: 0

      You mean like Square?

    3. Re:I don't think it was the POS manufacturer by theurge14 · · Score: 1

      This is why restaurant franchises hire managed services companies to handle all of this.

  11. Easy Way to Secure Data by Anonymous Coward · · Score: 0

    Anything that Cici's doesn't want anyone to find, should just be put in a directory called "cici's pizza recipes".

  12. it wuz haxx0rz!!11! by Anonymous Coward · · Score: 0

    No, it's just krebs being f'n useless... as usual.

  13. Pizza Chains by Anonymous Coward · · Score: 0

    Anyone been to a Blaze pizza? Went to one in Williamsburg, Va and it was awesome for fast casual pizza. I wish they were as common as CiCi's pizza.

  14. POS security by Anonymous Coward · · Score: 0

    Fuck mushroom, fuck pepperoni, fuck crust, fuck sauce, fuck cheese, and FUCK YOU!!!!!

  15. Do they accept cards? by Anonymous Coward · · Score: 0

    I thought they only accepted cash and checks. Do they accept cards?

  16. Ugh. by jtownatpunk.net · · Score: 1

    I ate there once just to try it. Yech. If I had to choose between identity theft and eating there again, it would be a tough choice. Exactly how much would I have to eat?

  17. Their pizza is TFUJ! by Anonymous Coward · · Score: 0

    It's cheap and it tastes even cheaper.

  18. How they were caught by jsh1972 · · Score: 2

    The hack was detected because the hackers altered the recipes stored on the computer. Customers and employees were shocked when actual pizzas started coming out of the oven, that's when management determined someone had hacked the system.