Wendy's Says More Than 1,000 Restaurants Affected By Hack

An anonymous reader writes from a report via ABC News: The fast food giant Wendy's has reported today that hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants. The company said Thursday hackers were able to obtain card numbers, names, expiration dates and codes on the card, beginning in late fall. Some customers' cards were used to make fraudulent purchases at other stores. Wendy's first announced it was investigating a possible hack in January. In May, it found malware in fewer than 300 restaurants; two types of malware were found two months later and the number of restaurants affected was "considerably higher." There are more than 5,700 Wendy's restaurants in the U.S. Customers can check to see which locations were affected via Wendy's website. The company said it is offering free one-year credit monitoring to people who paid with a card at any of those restaurants. In May, Wendy's announced plans to start automating all of its restaurants with self-service ordering kiosks.

New corporate slogan..

[subk]

WaReZ da B33F!!

And this is why I...

[Sir_Eptishous]

pay with cash.
Though I do use my CC sometimes as well.

Re:And this is why I...

[Jhon]

The next generation of hackers will be able to access your bank account with just the serial number of your $20 bill!

(ducks and runs)

Re: And this is why I...

[Sir_Eptishous]

Glad you liked it.

Re:And this is why I...

[RockDoctor]

I continually re-use photocopies of a bill which I picked up from the tips-bowl of a LA brothel 20 years ago. Probably explains why Clinton keeps on getting hacked.

Time for Blockchain?

[Lucas123]

Considering some of the world's top financial services corporations are working on ways to incorporate Blockchain for many types of transactions, perhaps it's time for the retail world to jump onboard too. It could allow consumers and retailers to connect directly and form online networks, removing the need for middlemen and do it securely.

Re:Time for Blockchain?

[allquixotic]

Trying to solve a data integrity and security problem by implementing the solution based on the blockchain is like trying to go to space by digging a hole in the ground.

It's time..........

[JustAnotherOldGuy]

It's time to go back to paying with cash for these kinds of purchases.

Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

Re:It's time..........

[penguin74]

So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

Re: It's time..........

[Sloppy]

Didn't Jack Tramiel buy Atari with his?

Re:It's time..........

[nukenerd]

It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card.

If only life were really that simple.

Re:It's time..........

[cciechad]

Thats strange I've been affected by breaches in the past and have had new cards issued by two different banks. On both they did something where they deny all new transactions to the old cc # but allow all of my prescheduled transfers to still go through. In every case the CC company denied the charges instead of letting them go through in the first place so I've never actually had to dispute. Their automatic guess as whether or not a transaction is pretty accurate and generally they send a text that I can reply to authorize a transaction that their system flags as suspicious(but this is so rare I think it's happened two times in 3-4 years).

Re: It's time..........

[Voogru]

If you have enough of them and cash advances... yup.

Re:It's time..........

[zamboni1138]

The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I had to pay almost $600 to my card company before I got any of it back more than a month later. And it wasn't 24-48 hours for a new card, it was two weeks. Once I get the new cards, I get to spend a bit of time updating vendors with the new number. That's more calls. And because Wendy's didn't really say anything until today, I probably went back to that same affected location with one of the new cards. So it's probably just a matter of time until that card goes south again. Your statement that it isn't a big deal doesn't ring true in my situation.

Re:It's time..........

[BronsCon]

Nobody's using your credit card to open a new line of credit or steal your identity. Then need a fair bit more data than what's encoded on the card's magstripe for that.

Re:It's time..........

[BronsCon]

It's not that simple--when you have multiple monthly, automatic bills paid via the account. You have to go in and change your card details on each of those auto payment accounts

That's still less work (and safer) than writing a check every month.

then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.

So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.

Re: It's time..........

[EEPROMS]

if you have a black credit card technically your limit is in the millions.

Re:It's time..........

[ezakimak]

then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.

So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.

If only that actually worked--because that's exactly what I did with DirecTV. When their billing system runs it captures the billing information--even if it's a full two weeks prior to the actual draft date. Within that window you apparently *cannot* successfully alter what it will do--despite attempts to do so, and despite it saying that it *did* and *would* alter its behavior according to your changes. In short, some systems just suck--and the customer suffers (and pays) for it.

Re:It's time..........

[JustAnotherOldGuy]

So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

Then send me your credit card info and PIN. Let me charge some stuff and, like you said, all you need to do is make a 5 minute call to report the unauthorized charge.

Re:It's time..........

[JustAnotherOldGuy]

Nobody's using your credit card to open a new line of credit or steal your identity. Then need a fair bit more data than what's encoded on the card's magstripe for that.

No, but they can leverage that data to get more information, and then the fun begins. I've seen it happen to people I know.

Re:It's time..........

[BronsCon]

Well that just blows... I work on these systems for a living and I've dropped clients in the past who had systems that were that special kind of "user friendly" because they refused to let me fix the problems. The feels, man... the feels.

Re:It's time..........

[Aaden42]

Use one card for auto payments. Leave the card at home. Never swipe it anywhere. Never use it for any other online charges. Use another card to buy your Baconators. Problem solved.

Re:It's time..........

[drinkypoo]

It's time to go back to paying with cash for these kinds of purchases.

Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

Re: It's time..........

[cdwiegand]

Leave your bank now. There's no excuse for taking that long in this day and age of CC fraud.

Re:It's time..........

[operagost]

If only life were really that simple.

If it's not that simple, dump your bank. I have a card from Citi. There are many things to dislike about that bank, but they called ME when a local business got hacked and someone started making unusual charges to my account. We went over the list of recent transactions on the phone so that I could invalidate the illicit ones, and they sent me text confirmation afterward. They notified the bank where I pay my bills from of the change in number.

Re:It's time..........

[operagost]

That's funny, Todd Davis, but your logic escapes me. No one wants to get hit in the nads either, but I still don't go around with a steel codpiece. It's not worth the inconvenience when I can just keep a safe distance from crazy women and three year old kids.

Re:It's time..........

[JustAnotherOldGuy]

It's time to go back to paying with cash for these kinds of purchases.

Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

No, I was referring to people in general, not myself specifically.

Personally I almost always pay in cash for minor items or small consumables. For larger items I use a credit card so I can do a chargeback if necessary.

-

The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

For larger items where I may end up with service issues or need to return it, I always use a card. It gives you major leverage with the store if something goes wrong.

For example, I bought a $300 digital camera from Best Buy and then flew off for vacation the next day. The camera stopped working after 3 days. The country I'd flown to doesn't have Best Buy stores so there was no way for me to return it until after I got back. When I got back and tried to return it for a new one, Best Buy told me they wouldn't take it back as it was several days past the return period. "Sorry, nothing we can do. Have a nice day."

I told them, "Okay, but I'm going contact my credit card company and tell them to charge it back. Then I'll have the camera AND the your money, and then you'll want to talk with me about an exchange." Best Buy refused to budge.

So I charged it back, and sure as shit the next day Best Buy called me up, and they were so very, very nice about asking me to please come in so they could exchange the non-working camera for a new one, "because we want to make sure you're fully satisfied with your Best Buy experience". Lol, yeah, right.

If I'd paid in cash or by debit card they would have told me to fuck off. I know this because that's exactly what they did until I charged the purchase back. Then, suddenly, they were all about me having a "good experience" buying shit from them.

I did go in, I did get a new camera, and then I told the credit card company that Best Buy had made it right so they could cancel the chargeback.

But like I said, it I'd paid in cash I'd have been screwed. Always use a card for larger purchases- it gives you the ultimate leverage in the transaction.

Re:It's time..........

[operagost]

I would stop using that card, and apply for a new one from another bank. If possible, don't cancel the card. Just pay it off, lock it up at home, and don't use it. That's better for your credit rating.

Re:It's time..........

[JustAnotherOldGuy]

That's funny, Todd Davis, but your logic escapes me.

Todd Davis?? The football player?

Did I miss a reference, or...?

Re:It's time..........

[MBGMorden]

I've had cards compromised 2 or 3 times - it's never been more complicated than that.

Besides the card companies are getting pretty good at pattern recognition these days. I was travelling last week and used my card to withdraw cash at an ATM quite a few states away from my residence. The transaction was refused and I immediately got a text on my phone saying my account had been flagged for suspicious activity. It was a false alarm, but I was able to respond to the text and open it up immediately.

Re:It's time..........

[MBGMorden]

Virtually all of my automatic "bill" payments (ie, mortgage, water, cable, power, car, boat) are setup to draft by checking account # rather than a credit/debit card. I don't generally write checks at all but by setting those up that way I basically never have to worry about changing the card information.

Anything charging by card # is something much less critical. I mean you have to change them every now and then anyways - credit cards have expiration dates.

Re:It's time..........

[tlhIngan]

The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I had to pay almost $600 to my card company before I got any of it back more than a month later. And it wasn't 24-48 hours for a new card, it was two weeks. Once I get the new cards, I get to spend a bit of time updating vendors with the new number. That's more calls. And because Wendy's didn't really say anything until today, I probably went back to that same affected location with one of the new cards. So it's probably just a matter of time until that card goes south again. Your statement that it isn't a big deal doesn't ring true in my situation.

Use a different company, NOW.

No credit card company wanting business does things these days now. Not even banks.

In fact, usually my bank calls me about weird charges - a few from Kickstarter (but I told them those were OK) and a couple from an Asian online store. Though a few times they also said they saw some fraud charges that were real and I said yes, they were not mine. They immediately cancelled the card and issued me a new one, asking if I wanted it overnighted (for free!).

And one time, a store I shopped at had their processor breached. I called my bank, 5 minutes later old card was cancelled, new card was issued and arrived the next day.

And when I needed to chargeback (order never arrived, after a month of waiting) I called them up, and money was back 5 minutes later.

If your card is abusing you by making you do loads of paperwork and faxes and paying money, leave.

And don't go for the combined debit/credit cards - those things are just a hassle - as debit cards are. First, if it's a debit transaction, things take longer because the bank won't refund your money until they get it back (with a credit card, it's their money so they can simply capture it). Second, merchants may make the wrong choice - if you want credit they may pick debit and vice-versa.

But if that's the hassle you go through, be aware you're th exception - the rule for most other credit card issuers is a phone call and you're done. Remember, they make money when you're spending, so any friction to that means less money to them.

Re:It's time..........

[phorm]

Why?
Carry lots of cash, and I can be mugged, it can be lost, etc.
They can overcharge me, or screw up my order and respond to my complaint "meh"

Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

Re:It's time..........

[JustAnotherOldGuy]

Carry lots of cash, and I can be mugged, it can be lost, etc.

Are you saying that $100 is "lots of cash"? I don't know of a single zip code in the entire US where $100 is considered "lots of cash".

-

Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

Did you even read what I wrote? If you did, could you please tell me what kind of head injury you have? Because here's what I wrote:

Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

What part of "I'll use a credit or debit card" sounded like "I won't use a credit or debit card"?

Why??

[friesofdoom]

Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?

Re:Why??

[subk]

It's unclear from reading the article, but it sounds like the malware steals it from the POS application at the time of swipe, hence the need to infect the machines at individual restaurants. This is not the same as breaking into a big database and plucking a list of "stored" card info.

Re:Why??

[vux984]

Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?

There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

The malware was persistently installed over several months, so it got a lot of people. It wasn't a quick hack where someone went in, grabbed a database, and got out.

Re:Why??

[Luthair]

I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.

Re:Why??

[DogDude]

Almost all POS applications these days are Internet based.

Re:Why??

[Yvan256]

POS application indeed.

Re:Why??

Same goes for point of sale applications.

Re:Why??

[wolrahnaes]

How does that change anything? It's pretty trivial to lock something down to only communicate with approved endpoints, I do it all the time. My hosted PBX customers' phones can connect to two subnets; my primary location and my secondary. The rest of the internet may as well not exist as far as they're concerned.

For something like this where a few milliseconds of added latency isn't a big deal you could put the POS systems on an isolated network that only connects out over VPNs and has no access to the actual internet at all.

Re:Why??

[tlhIngan]

I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.

Well, you talk to the back end server for inventory and sales tracking, and they talk to the headquarters to monitor sales of their franchises.

Short of the new self-configuring cloud-based IT gear like Meraki, having all the restaurants IT set up properly is a huge challenge. Chances are, it's just whatever the ISP installed router supports - which is basically just a home router configured with an access point for "free" wifi, and a couple of network ports for the LAN. (And if you priced Meraki gear...).

The new chip stuff can't be integrated with a POS anymore other than the POS transferring the transaction amount to the PIN pad - the PIN pad is doing the challenge-response to the bank's server directly, something the POS terminal cannot do.

Re:Why??

[JustAnotherOldGuy]

Why do any of these companies store your CC information?

That's a damn good question. But if I read the article right, I think they're skimming this stuff at the POS terminal and capturing in in transit.

Personally, I've been running web sites for ~15 years that sell stuff online, and I never store any credit card data. Why should I? All it brings you is headaches.

Customers use the credit card gateway, make their purchase, and they're done. I store nothing but a name and address, maybe a phone number but I don't store any credit card info, period. I don't even store what kind of card it was. As a result, it's dead easy for me to pass the yearly PCI compliance test.

To be honest, I'm not sure why I'd want to store their CC details. In my application(s) there's really nothing in it for me, no benefit.

Re:Why??

[mrbester]

Except TFS mentions codes as well as numbers. That sounds like the CVV2 on the back which is not meant to be stored anywhere but the issuing bank for Cardholder Not Present transactions. Why did Wendy's have that information?

Re:Why??

[quetwo]

Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.

It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.

Re:Why??

[fnj]

There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

Challenge/response chip and PIN, goddamit. For Christ sake, when is the US going to catch up to the REST OF THE FUCKING WORLD? With challenge/response chip and PIN, the POS system never even sees enough data momentarily to permit theft. Somebody would have to somehow steal your physical card. There is nothing useful to skim.

Every credit card already comes with a chip, so all these credit card apes have to do is give everybody PINs and make everybody do it right. I have yet to see anybody contort a scenario where this doesn't solve the problem. Not here in this discussion, and not anywhere else.

Re:Why??

[wolrahnaes]

Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.

It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.

Why the hell would your POS system need to talk to the same subnet the HVAC does?

VLANs aren't exactly rocket science. Firewall and switches enforce a logical separation between the devices. Boss' PC is allowed to connect to admin address(es) on both POS and HVAC subnets, only traffic on expected ports is allowed. Bonus points for logging and alerting on traffic that shouldn't be, say the HVAC system attempting to connect to the POS system or either attempting to connect to hosts outside of their approved list. Yes it's still possible to do something with those kinds of restrictions, say if the HVAC system used a web interface and the boss had an outdated or zero-dayed browser/plugin, but it's a lot more complicated than having them on the same subnet able to directly talk.

Re:Why??

[quetwo]

Didn't say they did. The boss has one computer, which has access to both networks to do administrative functions on both.

Re:Why??

[quetwo]

VLANs aren't hard to do, but when you are talking about a Wendy's that may have, at most, one computer, it becomes a bit much to have 5 subnets for the 4 devices that are connected to the network.

Is it the right way to set things up? Yes. It is practical in every case? Probably not. Remember, there is no IT department for these types of stores -- so everything gets outsourced, and while security is important, it's often not as important as things just working, according to those that use the systems.

Re:Why??

[wolrahnaes]

It's a formulaic corporate environment. It'd be trivial for Wendy's to have a standard corporate configuration that any idiot can plug in.

Fines Please

[BlueCoder]

When if the FTC going to start imposing fines so that these companies take the security of peoples personal and financial info seriously?

As far the the kiosks.. we have seen a lot of those pop up here and there across LA here. They have all died to be taken away to a junk yard.

For kiosks to succeed they better be built into every table and have smartphone integration. Possibly with siri or cortana to take my order.

Re:Fines Please

[Chewbacon]

I agree. Look at healthcare. If you're negligent, you get slapped with massive fines if you aren't held criminally liable. This is really no different.

Re:Fines Please

[AK+Marc]

The free market should fix it. In an ideal world, they'll lose PCI certification, and be unable to take cards. Though the free market wants money more than punishment, so VIsa (the merchant banks, the processors, etc, but the card brand is easier to say) won't care that Wendy's is insecure and will still allow them to take cards.

Re:Fines Please

[quetwo]

This is already happening. As of last month, companies that refused to implement CHIP+PIN (or at least CHIP+Signature) readers were charged a larger % on the transactions. A company like a Wendy's franchiser was already paying between 2.5% and 3.5%, now they are paying 3% to 4%.

Which is pretty silly, since Wendy's corporate has been going around replacing POS terminals across the country over the last 6 months -- and they decided to not put in the chip+pin readers (opting for swipe terminals ONLY). I can only assume that they decided that the cost of the higher percentages was worth the speed of swiping the card.

Re:Fines Please

[AK+Marc]

Chips take no longer than swipes (presuming you have a connection). I have no idea what dial-up chip transactions are like, but the terminal time for a transaction is almost the same. So low on the milisecond scale that even over Wal-Mart scale (millions of transactions) it doesn't add up to more than a few seconds.

Re:Fines Please

[AK+Marc]

The total time for the transaction doesn't change. What happens is that you have to leave the card in until it's "approved" while with a swipe transaction, you swipe, and put your card away. If you used swipe and PIN, then the total transaction time is identical. You are comparing PIN to sign, and complaining that PIN is longer, but blaming it on the chip.

Re:Fines Please

[Blaskowicz]

Dial-up is fast. I think I read it's done at 300 bauds, and it isn't a joke : slow negociation and handshake are avoided, and perhaps whatever is done to encabulate your data is reduced.

Uh, I am at a loss figuring out how US ATMs work if all you have is a swipe card. Do you sign, and if so, where? A piece of paper comes out, which you sign and throw away on the curb?

Re:Fines Please

[operagost]

ATMs, of course, use a PIN. They have always used a PIN.

Re:Fines Please

[AK+Marc]

ATMs around the world work the same. You insert the card. You put in a PIN, you complete your transaction, the card comes back out. The time to transaction is the same whether chip or swipe. The ATM can do either.

Re:Fines Please

[quetwo]

2400 baud, but who's counting ;)

ATMs are usually connected by an ISDN-BRI, GSM, or for regional banks, a Metro-E or MPLS service. They have always used PINs, but they don't use the CHIP in the card for encryption (they use the mag strip).

it's a feature, not a bug

[Thud457]

Minimum wage register jockies can only steal from one customer at a time.
Replace them with automatation because minimum wage went up, and now haxxors can steal from ALL YOUR CUSTOMERS!

Still better than eating at Chipolte.

Re:it's a feature, not a bug

[Joe_Dragon]

and no will be there to stop someone from installing a skimmer on the auto POS station

Chip

[Songilly]

Wasn't this past the liability deadline for Chip transactions? I'm guessing Wendy's and not the Bank will be responsible for any fraudulent transactions due to this hack?

Re:Chip

[DogDude]

The only thing that stupid chip does is make merchants liable for if they don't work with those chips, and they somebody uses a fake credit card with a stolen number, without a chip. So no, the chip thing is irrelevant in this case.

Re:Chip

[sexconker]

My local store, which I went to once because I happened to be in a hurry and it was nearby, lists the dates as being from January to June of this year.

Re:Chip

[hawaiian717]

The liability shift places liability on the merchant where the fraudulent purchase occurred.

Consider this scenario: Someone swipes a card at Wendy's and that data was captured and used to create a fake card and the fake card is used at Safeway, which hasn't enabled their chip card readers.

If the original card had a chip, Safeway is liable. If the original card didn't have a chip, then the bank that issued the card is liable.

Re:Garçon

The fly is organic and locally sourced.

Creating business

[TheMadTopher]

I wonder if credit monitoring companies secretly fund these hacks.

Re:Garçon

[Archangel+Michael]

Additionally, they are found to be Gluten Free and nonGMO !

Re:Garçon

[Yvan256]

Don't worry sir, the spider in your salad will take care of it.

Re:But "dipping" solved everything?

[Stormy+Dragon]

I only know once place near me that actually uses the chips. Everyone else has the scanners for the chips, but they're not hooked up and can't actually be used.

Private industry doing it better than government

[smooth+wombat]

How many times have we heard about tens of thousands, millions, of people having their data stolen/purloined/misappropriated/whatever because of private industry? Anyone remember the millions who were affected by the Target fiasco? How about T.J. Maxx? Barely a murmur is heard.

Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

Re:Private industry doing it better than governmen

[bill_mcgonigle]

Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

I might need a new debit card. What a pain. If you have government clearance, thanks to the OPM breach, the Chinese have all of your biometric data. Game over.

The Wendy's breach can be fixed with a bunch of new cards. The government breach cannot be fixed.

That is why people were apoplectic.

Thoughts and Prayers

[ThatsNotPudding]

"One year of free credit monitoring" is the corporate equivalent to the "Thoughts and Prayers" fecal spray from gutless politicians after every gun-driven US mass murder.

Re:But "dipping" solved everything?

[hawaiian717]

So what happened in October 2015 was a liability shift. Prior to that, banks would reimburse merchants for fraudulent purchases. With the liability shift, banks stopped reimbursing merchants if the bank had issued a chip card but the merchant continued to swipe cards. There's been delays in merchants getting their chip solutions developed and certified, that's why you see places with chip readers that don't work.

So today chip cards can still be cloned and used at places that are still swiping. As more places enable chip readers, swiping will become rarer and cloned cards will become harder to use, and the fraudsters will have to look to other things.

Because america is in the dark ages...

[n3r0.m4dski11z]

I went to america earlier this year and was shocked that there was virtually no implementation of chip and pin. It felt like i went back in time.

I am honestly surprised a day goes by where there is not massive credit card fraud in the US. I swiped my card everywhere and the only check on that was my signature! the merchant is not protected at all!

These kinds of skimming breaches are a direct result of not having chip and pin everywhere. Sure they can install a camera to grab your pin, but that is a bit more involved then simply skimming credit cards. Most POS with chip and pin is end to end encrypted as well and has only the most basic of interaction. The hardware chip in the pinpad does all the encrypt and decrypt stuff. Don't you guys have to do that for PCI compliance anyway?

I'm sure you have chip and pin on debit cards, so why all the fuss about credit card implementation? All the posts thus far are saying things like "thats why i pay with cash" which is completely backwards in mentality. Jesus cash? who carries cash?? next thing you tell me is you walk around with a pocket full of change like its the 1970s!

Unless your buying drugs, or doing craigslist deals, i fail to see the point of cash transactions. Change and cash gets lost or spent way easier than a debit card. Well for me anyway.

Re:Because america is in the dark ages...

[fnj]

You got that right. Signature is no protection whatsoever. Every US credit card I've seen since a while has had a chip, but none has a PIN. Talk about "not getting it"! My debit card has a chip (FINALLY), and it has a PIN, but still every place I've seen still wants me to swipe instead of use the PIN.

Re:Because america is in the dark ages...

[ginoledesma]

Better late than never, I suppose, but some big players like Walmart and Home Depot are trying to get chip and PIN, albeit in a round-about way by suing the networks.

If only there were some way to mitigate this risk

[DrXym]

Oh there is. It's called chip and pin. There is no requirement for any retailer to hold credit card information for over the counter transactions.

Re:Private industry doing it better than governmen

Yet let a few thousand people have their data swiped through a government breach

The OPM breach affected 21.5 million people and it included social security numbers, names, addresses, dates of birth, fingerprints, and security clearance details.

Why would anyone..

[The_Revelation]

..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs, and I'm pretty sure I'm the only person on the planet who buys their hotdogs. Something is very fishy about this story. Also, why are we calling these 'restaurants' now? They are a kiosk at most.

Re:Why would anyone..

[fnj]

..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs

What the hell? What planet are you from? Yes, Wendy's is a RESTAURANT. There are TABLES in there. You can sit at them. You can order from at least 10 offerings of hamburgers and cheeseburgers, 9 offerings of chicken sandwiches, 6 offerings of chicken nuggets, 8 offerings of "frostys", whatever they are, a cod fillet sandwich, numerous salads, numerous combos, and probably other stuff. I never saw any hot dogs there though.

Just click on Menus. Sheesh. Oh, wait. Let me guess. I bet you are in Australia, right mate? Well, the REAL Wendy's is wendys.com, not wendys.com.au. I'm sure you can get to the internet, as long as you haven't left Walkabout Creek to trek through Crocodile Dundee's outback.

Relax, it's all in good fun. We're both just regular guys, separated by living in completely separate plants.

Re:Why would anyone..

[drinkypoo]

They make some pretty yummy chicken sandwiches too. And chili.

Let me see if I can remember how this works. Patties come out of the freezer and sit on the slack rack if you need them soon or go into the fridge if you don't. They go on the grill for four flips (I forget the timing) and then they're a burger. They stay on the grill for two more flips and then they go in a plastic drawer and if the restaurant is in a hurry, then any ones in there not too dried out get made into burgers. When the chili is made, the drawer is raided and any additional needed meat is cooked off fresh.

mmmm, old meat

They make a big deal about making it on site, but that's the only work they do. The rest of it comes out of a can. If you want beans, get them from Mexicans. They will actually have cooked them.

You know what I love?

[sootman]

CASH. For trivial, small-amount transactions that will not be returned (i.e., fast food), I LOVE CASH. I never get charged twice for the same thing. Never a problem with the tip amount, etc. And no exposure for hacks like this.

Granted, I haven't had many problems with credit card transactions, but I've had ZERO problems with cash.

Re:Private industry doing it better than governmen

[operagost]

Your love of government is at odds with your sig.

Who pays?

[TheCastro1689]

I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem to concerned by the losses they take, or at least I never see anyone going into it on the internet or news.

Re:Who pays?

[rwise2112]

I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem to concerned by the losses they take, or at least I never see anyone going into it on the internet or news.

We all pay through the interest rates on the cards.

Assholes

[Jawnn]

Either they lied about it for months, or were still clueless about the actual extent FOR MONTHS, after being made aware that they'd been pwned. I'm not sure which is worse, but either way... aslholes.

Re:Private industry doing it better than governmen

[WallyL]

I was quite impressed with the site sharing which locations were affected. I understand security is the mitigation of risk, not the absolute prevention of risk, and I appreciate their attempts to be so open with their customers. I suppose that due to all the other breaches everywhere else in the world, I have enough credit monitoring for quite a while, so I don't need this one too.

Someone's playing Hack-Man

[iq145]

Sometimes it's beneficial http://www.newser.com/story/21...