Slashdot Mirror


Wendy's Says More Than 1,000 Restaurants Affected By Hack (go.com)

An anonymous reader writes from a report via ABC News: The fast food giant Wendy's has reported today that hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants. The company said Thursday hackers were able to obtain card numbers, names, expiration dates and codes on the card, beginning in late fall. Some customers' cards were used to make fraudulent purchases at other stores. Wendy's first announced it was investigating a possible hack in January. In May, it found malware in fewer than 300 restaurants; two types of malware were found two months later and the number of restaurants affected was "considerably higher." There are more than 5,700 Wendy's restaurants in the U.S. Customers can check to see which locations were affected via Wendy's website. The company said it is offering free one-year credit monitoring to people who paid with a card at any of those restaurants. In May, Wendy's announced plans to start automating all of its restaurants with self-service ordering kiosks.

134 comments

  1. JFG! by Anonymous Coward · · Score: 0

    Just f*cking great. Just what we needed. Another breach.

  2. Garçon by Anonymous Coward · · Score: 0

    There's a fly on my soup!

    1. Re:Garçon by Anonymous Coward · · Score: 0

      And a finger in my chili!

    2. Re:Garçon by Anonymous Coward · · Score: 1

      The fly is organic and locally sourced.

    3. Re:Garçon by Archangel+Michael · · Score: 1

      Additionally, they are found to be Gluten Free and nonGMO !

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Garçon by Yvan256 · · Score: 1

      Don't worry sir, the spider in your salad will take care of it.

  3. New corporate slogan.. by subk · · Score: 5, Funny

    WaReZ da B33F!!

    --
    Now, if you'll excuse me, I have backups to corrupt.
  4. And this is why I... by Sir_Eptishous · · Score: 1, Insightful

    pay with cash.
    Though I do use my CC sometimes as well.

    --
    We play the game with the bravery of being out of range
    1. Re:And this is why I... by Jhon · · Score: 2

      The next generation of hackers will be able to access your bank account with just the serial number of your $20 bill!

      (ducks and runs)

    2. Re:And this is why I... by Anonymous Coward · · Score: 0

      What if someone steals your cash?
      I always pay with a credit card. Do you know why? Because I'm not the credit card company.

    3. Re: And this is why I... by Anonymous Coward · · Score: 0

      Bullshit. They will use the baked in wifi chip. Stop scaremongering with your old fashioned bar code hacks Dad.

    4. Re: And this is why I... by Anonymous Coward · · Score: 0

      That's a cool fucking story, bro.

    5. Re: And this is why I... by Sir_Eptishous · · Score: 1

      Glad you liked it.

      --
      We play the game with the bravery of being out of range
    6. Re:And this is why I... by RockDoctor · · Score: 1

      I continually re-use photocopies of a bill which I picked up from the tips-bowl of a LA brothel 20 years ago. Probably explains why Clinton keeps on getting hacked.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  5. Time for Blockchain? by Lucas123 · · Score: 1

    Considering some of the world's top financial services corporations are working on ways to incorporate Blockchain for many types of transactions, perhaps it's time for the retail world to jump onboard too. It could allow consumers and retailers to connect directly and form online networks, removing the need for middlemen and doing it securely.

    1. Re:Time for Blockchain? by Anonymous Coward · · Score: 0

      You spelled bitcoin wrong.

    2. Re:Time for Blockchain? by allquixotic · · Score: 1

      Trying to solve a data integrity and security problem by implementing the solution based on the blockchain is like trying to go to space by digging a hole in the ground.

  6. It's time.......... by JustAnotherOldGuy · · Score: 2, Insightful

    It's time to go back to paying with cash for these kinds of purchases.

    Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: It's time.......... by Anonymous Coward · · Score: 0

      Been this way for me for years. Too many security breaches. So cc just for amazon and rare online purchases. In real life, carry cash.

    2. Re: It's time.......... by Anonymous Coward · · Score: 0

      You buy houses with your credit cards? Wow that's some credit line you have there.

    3. Re: It's time.......... by Anonymous Coward · · Score: 0

      You buy houses with your credit cards? Wow that's some credit line you have there.

      Or a cheap house.

    4. Re:It's time.......... by penguin74 · · Score: 2

      So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

    5. Re: It's time.......... by Sloppy · · Score: 1

      Didn't Jack Tramiel buy Atari with his?

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    6. Re:It's time.......... by JustAnotherOldGuy · · Score: 0

      So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

      Unless they use it to open up new lines of credit or steal your identity, in which case it can get pretty messy. But that's a complex concept that numptys like you can't fathom. Now go finish your Lunchable and piss off.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re: It's time.......... by Anonymous Coward · · Score: 0

      Nice try Mr Mugger, nice try!

    8. Re:It's time.......... by nukenerd · · Score: 1

      It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card.

      If only life were really that simple.

    9. Re:It's time.......... by Anonymous Coward · · Score: 0

      Easier to just have a second bank account with minimal funds for use with random debit purchases.

    10. Re:It's time.......... by Anonymous Coward · · Score: 0

      It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card.

      If only life were really that simple.

      And it is that simple, never once got stuck with a fraudulent charge and they're pretty rare to begin with.

    11. Re:It's time.......... by Anonymous Coward · · Score: 0

      It's not that simple--when you have multiple monthly, automatic bills paid via the account. You have to go in and change your card details on each of those auto payment accounts--then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late. (DirecTV did this to me last time this *exact* thing happened on my card--because their billing system is so stupid it wouldn't let me make a one-time payment before it was already late--since it retried my card twice--and showed 'paid' the whole time until it gave up--only after the due date. Their broken billing system cost me $70 in NSF fees, returned payment fees, and late fees--and they *never* responded to the claim I filed about it).

    12. Re:It's time.......... by cciechad · · Score: 1

      That's strange, I've been affected by breaches in the past and have had new cards issued by two different banks. On both they did something where they deny all new transactions to the old cc # but allow all of my prescheduled transfers to still go through. In every case the CC company denied the charges instead of letting them go through in the first place so I've never actually had to dispute. Their automatic guess as whether or not a transaction is pretty accurate and generally they send a text that I can reply to authorize a transaction that their system flags as suspicious (but this is so rare I think it's happened two times in 3-4 years).

      --
      https://www.fsf.org/associate/support_freedom
    13. Re: It's time.......... by Voogru · · Score: 1

      If you have enough of them and cash advances... yup.

    14. Re:It's time.......... by zamboni1138 · · Score: 1

      The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I had to pay almost $600 to my card company before I got any of it back more than a month later. And it wasn't 24-48 hours for a new card, it was two weeks. Once I get the new cards, I get to spend a bit of time updating vendors with the new number. That's more calls. And because Wendy's didn't really say anything until today, I probably went back to that same affected location with one of the new cards. So it's probably just a matter of time until that card goes south again. Your statement that it isn't a big deal doesn't ring true in my situation.

    15. Re:It's time.......... by BronsCon · · Score: 2

      Nobody's using your credit card to open a new line of credit or steal your identity. They need a fair bit more data than what's encoded on the card's magstripe for that.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    16. Re:It's time.......... by BronsCon · · Score: 2

      It's not that simple--when you have multiple monthly, automatic bills paid via the account. You have to go in and change your card details on each of those auto payment accounts

      That's still less work (and safer) than writing a check every month.

      then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.

      So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    17. Re: It's time.......... by EEPROMS · · Score: 1

      if you have a black credit card technically your limit is in the millions.

    18. Re:It's time.......... by ezakimak · · Score: 1

      then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.

      So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.

      If only that actually worked--because that's exactly what I did with DirecTV. When their billing system runs it captures the billing information--even if it's a full two weeks prior to the actual draft date. Within that window you apparently *cannot* successfully alter what it will do--despite attempts to do so, and despite it saying that it *did* and *would* alter its behavior according to your changes. In short, some systems just suck--and the customer suffers (and pays) for it.

    19. Re:It's time.......... by JustAnotherOldGuy · · Score: 1

      So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

      Then send me your credit card info and PIN. Let me charge some stuff and, like you said, all you need to do is make a 5 minute call to report the unauthorized charge.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    20. Re:It's time.......... by JustAnotherOldGuy · · Score: 1

      Nobody's using your credit card to open a new line of credit or steal your identity. They need a fair bit more data than what's encoded on the card's magstripe for that.

      No, but they can leverage that data to get more information, and then the fun begins. I've seen it happen to people I know.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    21. Re:It's time.......... by Anonymous Coward · · Score: 0

      If someone steals your cash, you have no recourse for compensation unless the thief was caught with the cash in his hands (and perhaps not even then).

      If your credit card is stolen you can easily challenge the charges getting the money back immediately.

    22. Re:It's time.......... by BronsCon · · Score: 1

      Well that just blows... I work on these systems for a living and I've dropped clients in the past who had systems that were that special kind of "user friendly" because they refused to let me fix the problems. The feels, man... the feels.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re:It's time.......... by Anonymous Coward · · Score: 0

      No, no you haven't. You don't know how any of this works, do you? And that makes you scared. Rather than spend a couple minutes learning about it, you just hate it. Pathetic.

    24. Re:It's time.......... by Anonymous Coward · · Score: 0

      I had one compromised a few years ago under similar circumstances. I went to the website and noticed some fraudulent charges. I clicked "Report fraudulent charge" for each of them. Two days later I received a new card. And that was it. The whole "it took almost two months to get the money credited back to my account" part makes me think you were using a debit instead of a credit. Either that or you have an exceptionally shitty card provider. Either way, there are much better alternatives out there.

    25. Re:It's time.......... by Anonymous Coward · · Score: 0

      What point are you trying to make, exactly? I can think of many, many inconveniences that would only take a few minutes to rectify. In each and every one of those cases, I would prefer the alternative of not facing the inconvenience at all. If farting directly into your face doesn't kill anyone, why don't you let me do it? What incredibly bizarre logic. I can also think of a few things that take MORE than 5 minutes. Like standing in line at the bank to withdraw cash. Or pulling out the check book and writing a check. Or driving to an ATM. Or disputing charges on my debit card after the ATM is compromised.

    26. Re:It's time.......... by Aaden42 · · Score: 1

      Use one card for auto payments. Leave the card at home. Never swipe it anywhere. Never use it for any other online charges. Use another card to buy your Baconators. Problem solved.

    27. Re:It's time.......... by drinkypoo · · Score: 1

      It's time to go back to paying with cash for these kinds of purchases.

      Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

      Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

      The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re: It's time.......... by cdwiegand · · Score: 1

      Leave your bank now. There's no excuse for taking that long in this day and age of CC fraud.

      --
      . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
    29. Re:It's time.......... by operagost · · Score: 1

      If only life were really that simple.

      If it's not that simple, dump your bank. I have a card from Citi. There are many things to dislike about that bank, but they called ME when a local business got hacked and someone started making unusual charges to my account. We went over the list of recent transactions on the phone so that I could invalidate the illicit ones, and they sent me text confirmation afterward. They notified the bank where I pay my bills from of the change in number.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    30. Re:It's time.......... by operagost · · Score: 1

      That's funny, Todd Davis, but your logic escapes me. No one wants to get hit in the nads either, but I still don't go around with a steel codpiece. It's not worth the inconvenience when I can just keep a safe distance from crazy women and three year old kids.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    31. Re:It's time.......... by JustAnotherOldGuy · · Score: 1

      It's time to go back to paying with cash for these kinds of purchases.

      Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

      No, I was referring to people in general, not myself specifically.

      Personally I almost always pay in cash for minor items or small consumables. For larger items I use a credit card so I can do a chargeback if necessary.

      -

      The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

      For larger items where I may end up with service issues or need to return it, I always use a card. It gives you major leverage with the store if something goes wrong.

      For example, I bought a $300 digital camera from Best Buy and then flew off for vacation the next day. The camera stopped working after 3 days. The country I'd flown to doesn't have Best Buy stores so there was no way for me to return it until after I got back. When I got back and tried to return it for a new one, Best Buy told me they wouldn't take it back as it was several days past the return period. "Sorry, nothing we can do. Have a nice day."

      I told them, "Okay, but I'm going to contact my credit card company and tell them to charge it back. Then I'll have the camera AND your money, and then you'll want to talk with me about an exchange." Best Buy refused to budge.

      So I charged it back, and sure as shit the next day Best Buy called me up, and they were so very, very nice about asking me to please come in so they could exchange the non-working camera for a new one, "because we want to make sure you're fully satisfied with your Best Buy experience". Lol, yeah, right.

      If I'd paid in cash or by debit card they would have told me to fuck off. I know this because that's exactly what they did until I charged the purchase back. Then, suddenly, they were all about me having a "good experience" buying shit from them.

      I did go in, I did get a new camera, and then I told the credit card company that Best Buy had made it right so they could cancel the chargeback.

      But like I said, if I'd paid in cash I'd have been screwed. Always use a card for larger purchases- it gives you the ultimate leverage in the transaction.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    32. Re:It's time.......... by operagost · · Score: 1

      I would stop using that card, and apply for a new one from another bank. If possible, don't cancel the card. Just pay it off, lock it up at home, and don't use it. That's better for your credit rating.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    33. Re:It's time.......... by JustAnotherOldGuy · · Score: 1

      That's funny, Todd Davis, but your logic escapes me.

      Todd Davis?? The football player?

      Did I miss a reference, or...?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    34. Re:It's time.......... by MBGMorden · · Score: 1

      I've had cards compromised 2 or 3 times - it's never been more complicated than that.

      Besides the card companies are getting pretty good at pattern recognition these days. I was travelling last week and used my card to withdraw cash at an ATM quite a few states away from my residence. The transaction was refused and I immediately got a text on my phone saying my account had been flagged for suspicious activity. It was a false alarm, but I was able to respond to the text and open it up immediately.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    35. Re:It's time.......... by MBGMorden · · Score: 1

      Virtually all of my automatic "bill" payments (ie, mortgage, water, cable, power, car, boat) are setup to draft by checking account # rather than a credit/debit card. I don't generally write checks at all but by setting those up that way I basically never have to worry about changing the card information.

      Anything charging by card # is something much less critical. I mean you have to change them every now and then anyways - credit cards have expiration dates.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    36. Re:It's time.......... by tlhIngan · · Score: 1

      The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I had to pay almost $600 to my card company before I got any of it back more than a month later. And it wasn't 24-48 hours for a new card, it was two weeks. Once I get the new cards, I get to spend a bit of time updating vendors with the new number. That's more calls. And because Wendy's didn't really say anything until today, I probably went back to that same affected location with one of the new cards. So it's probably just a matter of time until that card goes south again. Your statement that it isn't a big deal doesn't ring true in my situation.

      Use a different company, NOW.

      No credit card company wanting business does things these days now. Not even banks.

      In fact, usually my bank calls me about weird charges - a few from Kickstarter (but I told them those were OK) and a couple from an Asian online store. Though a few times they also said they saw some fraud charges that were real and I said yes, they were not mine. They immediately cancelled the card and issued me a new one, asking if I wanted it overnighted (for free!).

      And one time, a store I shopped at had their processor breached. I called my bank, 5 minutes later old card was cancelled, new card was issued and arrived the next day.

      And when I needed to chargeback (order never arrived, after a month of waiting) I called them up, and money was back 5 minutes later.

      If your card is abusing you by making you do loads of paperwork and faxes and paying money, leave.

      And don't go for the combined debit/credit cards - those things are just a hassle - as debit cards are. First, if it's a debit transaction, things take longer because the bank won't refund your money until they get it back (with a credit card, it's their money so they can simply capture it). Second, merchants may make the wrong choice - if you want credit they may pick debit and vice-versa.

      But if that's the hassle you go through, be aware you're the exception - the rule for most other credit card issuers is a phone call and you're done. Remember, they make money when you're spending, so any friction to that means less money to them.

    37. Re:It's time.......... by stolidobserver · · Score: 0

      Yeah, it's cash time right up until you get hit with a skimmer at the ATM.

    38. Re:It's time.......... by phorm · · Score: 1

      Why?
      Carry lots of cash, and I can be mugged, it can be lost, etc.
      They can overcharge me, or screw up my order and respond to my complaint "meh"

      Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

    39. Re:It's time.......... by JustAnotherOldGuy · · Score: 1

      Carry lots of cash, and I can be mugged, it can be lost, etc.

      Are you saying that $100 is "lots of cash"? I don't know of a single zip code in the entire US where $100 is considered "lots of cash".

      -

      Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

      Did you even read what I wrote? If you did, could you please tell me what kind of head injury you have? Because here's what I wrote:

      Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

      What part of "I'll use a credit or debit card" sounded like "I won't use a credit or debit card"?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    40. Re: It's time.......... by Anonymous Coward · · Score: 0

      This sounds like discrimination against white credit cards.

  7. Why?? by friesofdoom · · Score: 1

    Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?

    1. Re:Why?? by subk · · Score: 3, Informative

      It's unclear from reading the article, but it sounds like the malware steals it from the POS application at the time of swipe, hence the need to infect the machines at individual restaurants. This is not the same as breaking into a big database and plucking a list of "stored" card info.

      --
      Now, if you'll excuse me, I have backups to corrupt.
    2. Re:Why?? by vux984 · · Score: 5, Informative

      Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?

      There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

      The malware was persistently installed over several months, so it got a lot of people. It wasn't a quick hack where someone went in, grabbed a database, and got out.

    3. Re:Why?? by Luthair · · Score: 1

      I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.

    4. Re:Why?? by DogDude · · Score: 1

      Almost all POS applications these days are Internet based.

      --
      I don't respond to AC's.
    5. Re:Why?? by Yvan256 · · Score: 1

      POS application indeed.

    6. Re:Why?? by Anonymous Coward · · Score: 2, Funny

      Same goes for point of sale applications.

    7. Re:Why?? by wolrahnaes · · Score: 1

      How does that change anything? It's pretty trivial to lock something down to only communicate with approved endpoints, I do it all the time. My hosted PBX customers' phones can connect to two subnets; my primary location and my secondary. The rest of the internet may as well not exist as far as they're concerned.

      For something like this where a few milliseconds of added latency isn't a big deal you could put the POS systems on an isolated network that only connects out over VPNs and has no access to the actual internet at all.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    8. Re:Why?? by tlhIngan · · Score: 1

      I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.

      Well, you talk to the back end server for inventory and sales tracking, and they talk to the headquarters to monitor sales of their franchises.

      Short of the new self-configuring cloud-based IT gear like Meraki, having all the restaurants IT set up properly is a huge challenge. Chances are, it's just whatever the ISP installed router supports - which is basically just a home router configured with an access point for "free" wifi, and a couple of network ports for the LAN. (And if you priced Meraki gear...).

      The new chip stuff can't be integrated with a POS anymore other than the POS transferring the transaction amount to the PIN pad - the PIN pad is doing the challenge-response to the bank's server directly, something the POS terminal cannot do.

    9. Re:Why?? by JustAnotherOldGuy · · Score: 1

      Why do any of these companies store your CC information?

      That's a damn good question. But if I read the article right, I think they're skimming this stuff at the POS terminal and capturing it in transit.

      Personally, I've been running web sites for ~15 years that sell stuff online, and I never store any credit card data. Why should I? All it brings you is headaches.

      Customers use the credit card gateway, make their purchase, and they're done. I store nothing but a name and address, maybe a phone number but I don't store any credit card info, period. I don't even store what kind of card it was. As a result, it's dead easy for me to pass the yearly PCI compliance test.

      To be honest, I'm not sure why I'd want to store their CC details. In my application(s) there's really nothing in it for me, no benefit.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    10. Re:Why?? by mrbester · · Score: 1

      Except TFS mentions codes as well as numbers. That sounds like the CVV2 on the back which is not meant to be stored anywhere but the issuing bank for Cardholder Not Present transactions. Why did Wendy's have that information?

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    11. Re:Why?? by quetwo · · Score: 1

      Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.

      It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.

    12. Re:Why?? by Anonymous Coward · · Score: 0

      I'm more amazed that these POS terminals have writable+executable storage.

      What happened to the good ol' days of 3.5" FD software distribution?

    13. Re:Why?? by Anonymous Coward · · Score: 0

      Sure the boss needs to admin the HVAC system... but the boss wouldn't be doing it from a point-of-sale device.

    14. Re:Why?? by fnj · · Score: 1

      There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

      Challenge/response chip and PIN, goddamit. For Christ sake, when is the US going to catch up to the REST OF THE FUCKING WORLD? With challenge/response chip and PIN, the POS system never even sees enough data momentarily to permit theft. Somebody would have to somehow steal your physical card. There is nothing useful to skim.

      Every credit card already comes with a chip, so all these credit card apes have to do is give everybody PINs and make everybody do it right. I have yet to see anybody contort a scenario where this doesn't solve the problem. Not here in this discussion, and not anywhere else.

    15. Re:Why?? by wolrahnaes · · Score: 1

      Sure. But (and this was the case at Target) what about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.

      It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.

      Why the hell would your POS system need to talk to the same subnet the HVAC does?

      VLANs aren't exactly rocket science. Firewall and switches enforce a logical separation between the devices. Boss' PC is allowed to connect to admin address(es) on both POS and HVAC subnets, only traffic on expected ports is allowed. Bonus points for logging and alerting on traffic that shouldn't be, say the HVAC system attempting to connect to the POS system or either attempting to connect to hosts outside of their approved list. Yes it's still possible to do something with those kinds of restrictions, say if the HVAC system used a web interface and the boss had an outdated or zero-dayed browser/plugin, but it's a lot more complicated than having them on the same subnet able to directly talk.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
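
The zone rules described in the comment above (boss's PC may reach admin addresses on the POS and HVAC subnets on expected ports, everything else is logged and alerted on), as an added example that is not part of the thread. The subnets, ports and outside hosts are constructed assumptions, not Wendy's or any vendor's configuration.

```python
"""Zone allow-list check over flow records for a small store network."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan: one VLAN/subnet per device role.
ZONES = {
    "pos": ipaddress.ip_network("10.20.10.0/24"),
    "hvac": ipaddress.ip_network("10.20.20.0/24"),
    "admin": ipaddress.ip_network("10.20.30.0/24"),  # the boss's PC
}

# Inter-zone rules: (source zone, destination zone) -> expected ports.
INTERZONE = {
    ("admin", "pos"): {443},
    ("admin", "hvac"): {443},
}

# Approved outside hosts per zone (constructed documentation-range addresses).
APPROVED_EXTERNAL = {
    "pos": {("198.51.100.10", 443)},   # hypothetical payment gateway
    "hvac": {("203.0.113.25", 443)},   # hypothetical HVAC vendor portal
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr):
    """Map an address to its zone name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def evaluate(flow):
    """Return (allowed, reason) for one flow seen at the firewall."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == "external":
        return False, "unsolicited inbound from outside the store"
    if src == dst:
        return True, "same VLAN, not a firewall decision"
    if dst == "external":
        key = (str(ipaddress.ip_address(flow.dst)), flow.dport)
        if key in APPROVED_EXTERNAL.get(src, set()):
            return True, "approved outside host"
        return False, f"{src} to unapproved outside host {flow.dst}:{flow.dport}"
    if flow.dport in INTERZONE.get((src, dst), set()):
        return True, f"{src} to {dst} on expected port"
    return False, f"{src} to {dst} port {flow.dport} is not in the rule set"


def alerts(flows):
    """Collect every denied flow with the reason it was denied."""
    out = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            out.append((flow, reason))
    return out


# Constructed flow records, as a firewall or switch might export them.
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "10.20.10.11", 443),     # admin PC to POS admin page
    Flow("10.20.20.7", "10.20.10.11", 445),     # HVAC controller to POS
    Flow("10.20.10.11", "198.51.100.10", 443),  # POS to approved gateway
    Flow("10.20.10.11", "192.0.2.77", 443),     # POS to unlisted host
    Flow("10.20.30.5", "10.20.20.7", 22),       # admin PC, unexpected port
]

if __name__ == "__main__":
    for flow, reason in alerts(SAMPLE_FLOWS):
        print("ALERT", flow, "-", reason)
```
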
    16. Re:Why?? by quetwo · · Score: 1

      Didn't say they did. The boss has one computer, which has access to both networks to do administrative functions on both.

    17. Re:Why?? by quetwo · · Score: 1

      VLANs aren't hard to do, but when you are talking about a Wendy's that may have, at most, one computer, it becomes a bit much to have 5 subnets for the 4 devices that are connected to the network.

      Is it the right way to set things up? Yes. Is it practical in every case? Probably not. Remember, there is no IT department for these types of stores -- so everything gets outsourced, and while security is important, it's often not as important as things just working, according to those that use the systems.

    18. Re:Why?? by wolrahnaes · · Score: 1

      It's a formulaic corporate environment. It'd be trivial for Wendy's to have a standard corporate configuration that any idiot can plug in.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  8. Fines Please by BlueCoder · · Score: 1

    When is the FTC going to start imposing fines so that these companies take the security of people's personal and financial info seriously?

    As far as the kiosks.. we have seen a lot of those pop up here and there across LA here. They have all died to be taken away to a junk yard.

    For kiosks to succeed they better be built into every table and have smartphone integration. Possibly with siri or cortana to take my order.

    1. Re:Fines Please by Chewbacon · · Score: 1

      I agree. Look at healthcare. If you're negligent, you get slapped with massive fines if you aren't held criminally liable. This is really no different.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    2. Re:Fines Please by AK+Marc · · Score: 1

      The free market should fix it. In an ideal world, they'll lose PCI certification, and be unable to take cards. Though the free market wants money more than punishment, so Visa (the merchant banks, the processors, etc, but the card brand is easier to say) won't care that Wendy's is insecure and will still allow them to take cards.

    3. Re:Fines Please by Anonymous Coward · · Score: 0

      The free market will fix this. Wendy's (or the individual stores?) will be forced to pay a higher transaction fee. That is, until a hungrier merchant services provider offers them a lower fee to gain their business.

      "Fixed".

    4. Re:Fines Please by quetwo · · Score: 1

      This is already happening. As of last month, companies that refused to implement CHIP+PIN (or at least CHIP+Signature) readers were charged a larger % on the transactions. A company like a Wendy's franchiser was already paying between 2.5% and 3.5%, now they are paying 3% to 4%.

      Which is pretty silly, since Wendy's corporate has been going around replacing POS terminals across the country over the last 6 months -- and they decided to not put in the chip+pin readers (opting for swipe terminals ONLY). I can only assume that they decided that the cost of the higher percentages was worth the speed of swiping the card.

    5. Re:Fines Please by AK+Marc · · Score: 1

      Chips take no longer than swipes (presuming you have a connection). I have no idea what dial-up chip transactions are like, but the terminal time for a transaction is almost the same. So low on the millisecond scale that even over Wal-Mart scale (millions of transactions) it doesn't add up to more than a few seconds.

    6. Re:Fines Please by Anonymous Coward · · Score: 0

      Take Target, Walmart, Menards, Home Depot around here. They all take 15-20s to process a credit card that has been inserted. You get the constant flashing of 'don't remove card' 'don't remove card' 'don't remove card'. Whereas, with the swipe, by the time you swipe and put the card in your wallet, you are done. It may be safer or better (don't really care) but it certainly slows down lines when the transaction itself only takes 10-15s to scan all your items and then you wait another 15-20s for the card, and then another 10-15 for the checkout person to give you a receipt.

    7. Re:Fines Please by AK+Marc · · Score: 1

      The total time for the transaction doesn't change. What happens is that you have to leave the card in until it's "approved" while with a swipe transaction, you swipe, and put your card away. If you used swipe and PIN, then the total transaction time is identical. You are comparing PIN to sign, and complaining that PIN is longer, but blaming it on the chip.

    8. Re: Fines Please by Anonymous Coward · · Score: 0

      The rfid chip is faster. Harder to copy too.

    9. Re:Fines Please by Blaskowicz · · Score: 1

      Dial-up is fast. I think I read it's done at 300 bauds, and it isn't a joke: slow negotiation and handshake are avoided, and perhaps whatever is done to encabulate your data is reduced.

      Uh, I am at a loss figuring out how US ATMs work if all you have is a swipe card. Do you sign, and if so, where? A piece of paper comes out, which you sign and throw away on the curb?

    10. Re:Fines Please by operagost · · Score: 1

      ATMs, of course, use a PIN. They have always used a PIN.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    11. Re: Fines Please by Anonymous Coward · · Score: 0

      Easier to read as decryption happens in the card reader. Easier to steal as well.

    12. Re:Fines Please by AK+Marc · · Score: 1

      ATMs around the world work the same. You insert the card. You put in a PIN, you complete your transaction, the card comes back out. The time to transaction is the same whether chip or swipe. The ATM can do either.

    13. Re:Fines Please by quetwo · · Score: 1

      2400 baud, but who's counting ;)

      ATMs are usually connected by an ISDN-BRI, GSM, or for regional banks, a Metro-E or MPLS service. They have always used PINs, but they don't use the CHIP in the card for encryption (they use the mag strip).

  9. But "dipping" solved everything? by Anonymous Coward · · Score: 0

    Back around October 15, 2015, the credit card industry was pushing for all credit card issuers to provide cards with a chip embedded (called EMV credit cards) and merchants to switch to using equipment to read the chip. Since the card is inserted into the unit instead of swiped past a magnetic reader, the new method of providing the credit card for a transaction is called dipping. There was a bunch of claims being thrown around about the amount of reduction in fraud that would result.

    So, if these hacks happened after October of last year, why is this still an issue? Where exactly are we with the grand shift to the wonderful sluggish world of dipping?

    1. Re:But "dipping" solved everything? by Stormy+Dragon · · Score: 2

      I only know one place near me that actually uses the chips. Everyone else has the scanners for the chips, but they're not hooked up and can't actually be used.

    2. Re: But "dipping" solved everything? by Anonymous Coward · · Score: 0

      We've had this technology in Canada for 5-7 years. Both debit and credit require either chip transactions most places. It's been that way for years. The one that bothers me is the NFC, aka tap and pay.

    3. Re:But "dipping" solved everything? by hawaiian717 · · Score: 1

      So what happened in October 2015 was a liability shift. Prior to that, banks would reimburse merchants for fraudulent purchases. With the liability shift, banks stopped reimbursing merchants if the bank had issued a chip card but the merchant continued to swipe cards. There's been delays in merchants getting their chip solutions developed and certified, that's why you see places with chip readers that don't work.

      So today chip cards can still be cloned and used at places that are still swiping. As more places enable chip readers, swiping will become rarer and cloned cards will become harder to use, and the fraudsters will have to look to other things.

      --
      End of Line.
    4. Re: But "dipping" solved everything? by Anonymous Coward · · Score: 0

      Tap and pray (that your funds are not siphoned by the bloke next to you with a strange looking briefcase sporting an antenna)?

    5. Re: But "dipping" solved everything? by Anonymous Coward · · Score: 0

      We've had that tech in France for at least 20 years, so most people never saw a chip-less card.
      The tap to pay thing, though? We've got that, they put a wifi-like symbol on the corner of regular banking cards. But no idea how that works exactly. Since everyone knows how to do the regular transaction with PIN and we've never needed to "upgrade" the way of doing things, I've never seen anyone use it and if people want to talk for a few seconds that'll be about the weather, some random thing that happened or to sexually harass a cashier, not to ask about the wireless payment, is it supported, what should I do with the card.

      (there were security upgrades to the chips etc., but that's something done in the background as cards expire after a few years, etc.)

  10. it's a feature, not a bug by Thud457 · · Score: 1

    Minimum wage register jockeys can only steal from one customer at a time.
    Replace them with automation because minimum wage went up, and now haxxors can steal from ALL YOUR CUSTOMERS!

    Still better than eating at Chipotle.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re: it's a feature, not a bug by Anonymous Coward · · Score: 0

      You only say that because you don't know about Chipotle-away!

    2. Re:it's a feature, not a bug by Joe_Dragon · · Score: 1

      and no one will be there to stop someone from installing a skimmer on the auto POS station

  11. Chip by Songilly · · Score: 1

    Wasn't this past the liability deadline for Chip transactions? I'm guessing Wendy's and not the Bank will be responsible for any fraudulent transactions due to this hack?

    1. Re:Chip by DogDude · · Score: 1

      The only thing that stupid chip does is make merchants liable if they don't work with those chips, and then somebody uses a fake credit card with a stolen number, without a chip. So no, the chip thing is irrelevant in this case.

      --
      I don't respond to AC's.
    2. Re:Chip by Anonymous Coward · · Score: 0

      Since this breach was disclosed in Jan 2016, my guess is most of the fraud occurred in 2015. However, I bet there were still people using unchipped cards for the first half of this year. I just got a new debit card with a chip last month. My credit card with chip was issued in Feb. The banks and credit unions have been slow to roll these out as well.

    3. Re:Chip by sexconker · · Score: 1

      My local store, which I went to once because I happened to be in a hurry and it was nearby, lists the dates as being from January to June of this year.

    4. Re:Chip by hawaiian717 · · Score: 1

      The liability shift places liability on the merchant where the fraudulent purchase occurred.

      Consider this scenario: Someone swipes a card at Wendy's and that data was captured and used to create a fake card and the fake card is used at Safeway, which hasn't enabled their chip card readers.

      If the original card had a chip, Safeway is liable. If the original card didn't have a chip, then the bank that issued the card is liable.

      --
      End of Line.
  12. Creating business by TheMadTopher · · Score: 4, Interesting

    I wonder if credit monitoring companies secretly fund these hacks.

  13. old news by Anonymous Coward · · Score: 0

    I think this was already reported a few months ago... nice job ABC News... what's next? LinkedIn suffered a data breach? or is it MySpace?

  14. Private industry doing it better than government by smooth+wombat · · Score: 1

    How many times have we heard about tens of thousands, millions, of people having their data stolen/purloined/misappropriated/whatever because of private industry? Anyone remember the millions who were affected by the Target fiasco? How about T.J. Maxx? Barely a murmur is heard.

    Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

    Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  15. Re:Private industry doing it better than governmen by bill_mcgonigle · · Score: 3, Informative

    Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

    Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

    I might need a new debit card. What a pain. If you have government clearance, thanks to the OPM breach, the Chinese have all of your biometric data. Game over.

    The Wendy's breach can be fixed with a bunch of new cards. The government breach cannot be fixed.

    That is why people were apoplectic.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. Thoughts and Prayers by ThatsNotPudding · · Score: 1

    "One year of free credit monitoring" is the corporate equivalent to the "Thoughts and Prayers" fecal spray from gutless politicians after every gun-driven US mass murder.

  17. Fuck "dipping" by Anonymous Coward · · Score: 0

    "Dipping" is a stupid fucking term that only Americans could come up with, and only because Americans are so averse to change and need a cute term to lessen their fear.

    The rest of the world is fine with inserting their cards like they've been doing for years. If an American ever tells me to dip my card, I'll tell them rightly to fuck off.

  18. That doesn't compute by Anonymous Coward · · Score: 0

    Surely it was 1024 restaurants.

  19. Because america is in the dark ages... by n3r0.m4dski11z · · Score: 1

    I went to America earlier this year and was shocked that there was virtually no implementation of chip and pin. It felt like I went back in time.

    I am honestly surprised a day goes by where there is not massive credit card fraud in the US. I swiped my card everywhere and the only check on that was my signature! The merchant is not protected at all!

    These kinds of skimming breaches are a direct result of not having chip and pin everywhere. Sure they can install a camera to grab your pin, but that is a bit more involved than simply skimming credit cards. Most POS with chip and pin is end to end encrypted as well and has only the most basic of interaction. The hardware chip in the pinpad does all the encrypt and decrypt stuff. Don't you guys have to do that for PCI compliance anyway?

    I'm sure you have chip and pin on debit cards, so why all the fuss about credit card implementation? All the posts thus far are saying things like "that's why I pay with cash" which is completely backwards in mentality. Jesus cash? Who carries cash?? Next thing you tell me is you walk around with a pocket full of change like it's the 1970s!

    Unless you're buying drugs, or doing craigslist deals, I fail to see the point of cash transactions. Change and cash gets lost or spent way easier than a debit card. Well for me anyway.

    --
    -
    1. Re:Because america is in the dark ages... by fnj · · Score: 1

      You got that right. Signature is no protection whatsoever. Every US credit card I've seen since a while has had a chip, but none has a PIN. Talk about "not getting it"! My debit card has a chip (FINALLY), and it has a PIN, but still every place I've seen still wants me to swipe instead of use the PIN.

    2. Re:Because america is in the dark ages... by Anonymous Coward · · Score: 0

      Part of the reason PIN and Chip happened is that handling of the PIN in Europe was so bad. I used to work at a place in the late '90s that had to deal with credit and debit card equipment, and the PIN keypads themselves were potted and had a unique encryption key (and the firmware) for each keypad injected into RAM by the clearinghouse people. (Yes, even our test account units for software development.) The PIN was encrypted by the terminal (your card number was also sent to the keypad as part of salting the encryption), and not decrypted until it hit the back end office. If you wanted a debit terminal, it had to be physically secure like that, period. In Europe, PINs were apparently transmitted with little or no encryption, and interception was happening all the time.

    3. Re:Because america is in the dark ages... by Anonymous Coward · · Score: 0

      FYI I'm referring to how debit PINs were handled in the US, if you haven't guessed already.

    4. Re:Because america is in the dark ages... by ginoledesma · · Score: 1

      Better late than never, I suppose, but some big players like Walmart and Home Depot are trying to get chip and PIN, albeit in a round-about way by suing the networks.

  20. If only there were some way to mitigate this risk by DrXym · · Score: 1

    Oh there is. It's called chip and pin. There is no requirement for any retailer to hold credit card information for over the counter transactions.

  21. Meaningless reporting is meaningless by Anonymous Coward · · Score: 0

    As long as you keep hiding behind your "cyber" bogeymen, there'll be no real security in computing.

  22. Re:Private industry doing it better than governmen by Anonymous Coward · · Score: 1

    Yet let a few thousand people have their data swiped through a government breach

    The OPM breach affected 21.5 million people and it included social security numbers, names, addresses, dates of birth, fingerprints, and security clearance details.

  23. Why would anyone.. by The_Revelation · · Score: 1

    ..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs, and I'm pretty sure I'm the only person on the planet who buys their hotdogs. Something is very fishy about this story. Also, why are we calling these 'restaurants' now? They are a kiosk at most.

    1. Re:Why would anyone.. by fnj · · Score: 1

      ..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs

      What the hell? What planet are you from? Yes, Wendy's is a RESTAURANT. There are TABLES in there. You can sit at them. You can order from at least 10 offerings of hamburgers and cheeseburgers, 9 offerings of chicken sandwiches, 6 offerings of chicken nuggets, 8 offerings of "frostys", whatever they are, a cod fillet sandwich, numerous salads, numerous combos, and probably other stuff. I never saw any hot dogs there though.

      Just click on Menus. Sheesh. Oh, wait. Let me guess. I bet you are in Australia, right mate? Well, the REAL Wendy's is wendys.com, not wendys.com.au. I'm sure you can get to the internet, as long as you haven't left Walkabout Creek to trek through Crocodile Dundee's outback.

      Relax, it's all in good fun. We're both just regular guys, separated by living in completely separate planets.

    2. Re:Why would anyone.. by Anonymous Coward · · Score: 0

      They make some pretty yummy chicken sandwiches too. And chili.

    3. Re:Why would anyone.. by drinkypoo · · Score: 1

      They make some pretty yummy chicken sandwiches too. And chili.

      Let me see if I can remember how this works. Patties come out of the freezer and sit on the slack rack if you need them soon or go into the fridge if you don't. They go on the grill for four flips (I forget the timing) and then they're a burger. They stay on the grill for two more flips and then they go in a plastic drawer and if the restaurant is in a hurry, then any ones in there not too dried out get made into burgers. When the chili is made, the drawer is raided and any additional needed meat is cooked off fresh.

      mmmm, old meat

      They make a big deal about making it on site, but that's the only work they do. The rest of it comes out of a can. If you want beans, get them from Mexicans. They will actually have cooked them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  24. You know what I love? by sootman · · Score: 1

    CASH. For trivial, small-amount transactions that will not be returned (i.e., fast food), I LOVE CASH. I never get charged twice for the same thing. Never a problem with the tip amount, etc. And no exposure for hacks like this.

    Granted, I haven't had many problems with credit card transactions, but I've had ZERO problems with cash.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  25. Wendy's Commitment to Fixing Incident is a Fraud by Anonymous Coward · · Score: 0

    I just called Wendy's hotline as my local restaurant was hacked. During the time the location was vulnerable and I had been a customer, I had two attempts at fraudulent charges and one actual incident. My bank issued new credit cards after each and waived the charges of the third incident. My current credit card was used at Wendy's during the store's period of vulnerability but has not been used fraudulently, yet. I called to obtain the one year of complimentary fraud consultation and identity restoration services. As with past companies (Target, Vudu) I have done business with who had been hacked and offered some remediation, I received one year of free credit monitoring. Wendy's is not offering that. They will offer consultation and identity restoration services should your identity be stolen AND you are a victim of such fraud. They are relying on their victimized customers to be vigilant and deal directly with their credit card issuers for all fraudulent charges. These are not their problems. You must be a verified victim of the crime of identity theft, within one year of Wendy's compromise, before they will lift a finger. If someone used my credit card information, stolen while in the possession of Wendy's, at any time in the future Wendy's will not accept responsibility and will leave me exposed to the outcome of an investigation by my credit card issuer.

    How's that for a Wendy's hot and juicy?

  26. Wand by Anonymous Coward · · Score: 0

    I used to work for Wand Corporation (POS in every sense of the word), and several Wendy's stores that I know used their system are on the list of sites that had a breach.
    This comes as no surprise to me.
    When I worked there many years ago storing credit card numbers in log files was standard practice, social security numbers of employees were also stored in plain text in an access database, the security for those systems was laughable.

    After I quit I found my access was still enabled months later when I went to remove their VPN client from my machine.

    They also had a "Store and forward" feature for processing credit cards when the internet was down, so credit card information could be captured, and then processed when the connection was back up.

    They have a history of pushing out untested patches and updates, and once took the credit card processing for nearly every Wendy's store they used down in one fell swoop, took the support center the better part of two days to get the systems all back up.

    They used remote access software that was freeware, and hadn't been updated for a decade. They were hit hard by blaster and sasser because they didn't have any sort of firewall enabled, and when Windows XP SP2 turned on the firewall by default they advised people turn it off because it was causing issues with their software...
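
A check for the practice described in the comment above (card numbers written to log files), as an added example that is not part of the thread and not any vendor's code: it flags digit runs that pass the Luhn checksum and reports them masked to first six and last four digits. The log lines and field names are constructed, and the card number is the widely published 4111 1111 1111 1111 test value.

```python
"""Find card numbers (PANs) that ended up in application logs."""
import re

# Unbroken 13-19 digit runs, or the common 4-4-4-4 grouping with
# spaces or hyphens. Other groupings are out of scope for this example.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the digit strings in one line that look like real PANs."""
    hits = []
    for match in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):  # drops order ids, counters and similar noise
            hits.append(digits)
    return hits


def mask(pan):
    """Keep the first six and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line number, masked PAN) for every hit, 1-based."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


# Constructed log lines; the PAN is a public test number, not a real card.
SAMPLE_LOG = [
    "2016-01-12T11:02:17 POS03 sale total=8.47 tender=CARD",
    "2016-01-12T11:02:18 POS03 auth request card=4111111111111111 exp=1219",
    "2016-01-12T11:02:19 POS03 order_id=1234567890123456 status=queued",
    "2016-01-12T11:05:40 POS01 offline queue pan=4111 1111 1111 1111 held",
]

if __name__ == "__main__":
    for lineno, masked in scan(SAMPLE_LOG):
        print(f"line {lineno}: card number in log ({masked})")
```

The finding never echoes the full number, so the scanner's own output does not become another copy of the card data.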

  27. Re:Private industry doing it better than governmen by operagost · · Score: 1

    Your love of government is at odds with your sig.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  28. Who pays? by TheCastro1689 · · Score: 1

    I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem too concerned by the losses they take, or at least I never see anyone going into it on the internet or news.

    1. Re:Who pays? by rwise2112 · · Score: 1

      I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem too concerned by the losses they take, or at least I never see anyone going into it on the internet or news.

      We all pay through the interest rates on the cards.

      --

      "For every expert, there is an equal and opposite expert"
  29. Assholes by Jawnn · · Score: 1

    Either they lied about it for months, or were still clueless about the actual extent FOR MONTHS, after being made aware that they'd been pwned. I'm not sure which is worse, but either way... assholes.

  30. Re:Private industry doing it better than governmen by WallyL · · Score: 1

    I was quite impressed with the site sharing which locations were affected. I understand security is the mitigation of risk, not the absolute prevention of risk, and I appreciate their attempts to be so open with their customers. I suppose that due to all the other breaches everywhere else in the world, I have enough credit monitoring for quite a while, so I don't need this one too.

  31. Here's what I think: by stolidobserver · · Score: 0

    All of these breaches are being publicized and outed by the companies because they can then offload responsibility back to you to have your cards changed and account numbers changed, etc, without having to put out much in revenue to mitigate the issue. The corporations are still shifting the onus onto the customer. While they may take some action, they are all attempting to mitigate the fallout with these revelations. As such, they are all waiting until the breaches occur and then doing something rather than taking preemptive steps to stop the problem from occurring in the first place. They still need to be punished properly each and every time to make this behavior disappear.

  32. Someone's playing Hack-Man by iq145 · · Score: 1

    Sometimes it's beneficial http://www.newser.com/story/21...