Slashdot Mirror


Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com)

Brian Krebs is reporting that Arby's "recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide." The breach is said to only affect some corporate stores and not franchised restaurant locations. While there is no exact number of those affected, it's possible that more than 355,000 credit and debit cards issued by PSCU member banks may have been compromised.

Krebs On Security reports: The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PSCU member banks. Arby's declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

49 comments

  1. Bitcoin. by ASDFnz · · Score: 0

    Should have used bitcoin.

    1. Re:Bitcoin. by Anonymous Coward · · Score: 0

      just give it time. It'll be hacked/stolen by someone.

    2. Re:Bitcoin. by ASDFnz · · Score: 1

      Yep, it is a recurring theme with credit cards isn't it?

  2. What is it with these guys? by istartedi · · Score: 1

    Last night on the news there was also a story about some Arby's being picketed because they hadn't paid their employees. Are these guys asleep at the switch or something?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:What is it with these guys? by ArchieBunker · · Score: 2, Informative

      It probably depends on if the restaurant is a franchise or not. There is a Popeye's close by that is absolutely terrible and has had constant negative reviews for years. You'd think corporate would want to improve things? Nope. Same deal for Steak N Shake. Worst service I've ever had in a restaurant and constant complaints. Drive 30 minutes away and the next one is the complete opposite.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:What is it with these guys? by Anonymous Coward · · Score: 0

      All of these stores are usually f**k'd. http://www.smh.com.au/interact...

      7-11 is not the only one doing. I remember growing up all of the corp McDonald's were awesome, the owner-operated ones were hit or miss. They are all OO now.

      So here is the tl;dr version:
      Dude decides to buy a store from conglomerate.
      Dude gets loan to manage store. Conglomerate will help facilitate this.
      Dude signs contract to pay 60-70% of before taxes gross profit to conglomerate.
      Dude now needs to pay employees, vendors (usually overpriced wholly owned by conglomerate), store rental (again the conglomerate), and taxes (full amount including taxes on the 60-70% already paid). In the states that can include health insurance.
      Dude realizes they are fucked and starts cutting hours or OT'ing people with little or no pay. Many times they will hire illegals or visa immigrants. As working in the store is against the visa or illegal. So they can bully the employees to working as much as they want for a small pittance of money. Conglomerate liaison shows them how to do this 'off the record' of course.
      Employee decides to narc them out. No biggie to the dude. He cops out and folds out the business and no one gets paid. He walks away with lots of debt and cuts his losses.
      Conglomerate wants to keep the store going. Finds new sucker dude original dude comes out slightly ahead. The farce goes on.

    3. Re:What is it with these guys? by The+New+Guy+2.0 · · Score: 1

      McD's OO/Corp. status is regional... In New England they're all owned by the corp.

  3. Credit card fraud? I'm thinking Arby's! by Anonymous Coward · · Score: 0

    Sorry, couldn't resist. :-

    1. Re: Credit card fraud? I'm thinking Arby's! by Anonymous Coward · · Score: 0

      How does it only affect cards issued by one bank if it was malware on the PoS machines?

  4. The beef! by Anonymous Coward · · Score: 0

    Here it is!

  5. Arby's? who would? by turkeydance · · Score: 1

    the simpson's said it best: https://www.youtube.com/watch?...

  6. Re:Credit card fraud? I'm thinking Arby's! by ajparr · · Score: 1

    We have THE BREACH!!
    ...also couldn't resist...

  7. ARBY'S by the_skywise · · Score: 5, Insightful

    WE HAVE THE MALWARE!

    Can we at least see a list of stores that were affected so I'd know if I need to take action?
    Is that too much to ask?!

    1. Re:ARBY'S by plover · · Score: 1

      A breach that impacted 355,000 member cards is huge, indicating it was deployed to a large percentage of their chain, if not the whole chain. Since their breach "ended" on January 19 and it still took them 3 weeks to produce the list of affected cards, that tells me that Arby's response time is pretty damn poor, and that they may not be very good at tracking what's going on. Some senior VP said that "not all [of their 1000] corporate restaurants [out of 4000] were affected", but with news this bad combined with such a poor response time, it's hard to trust that they have a complete handle on the problem.

      So, IF YOU ATE THE MEATS, it's a pretty good bet that your card got eaten too. Watch your statements.

      Now that Arby's has submitted their list of impacted cards to the card associations, Visa or Mastercard will soon contact your bank. Your bank will then send you a letter saying "haxx0rs! Too bad, here's a new card, and if you want to sign up for a year of free credit monitoring, contact ohshitwewerebreached.com and tell them R.B sent you."

      --
      John
  8. How the hell is this still a problem? by tempest69 · · Score: 2

    Yes, CC and banks are dragging their heels. But the whole system is just bad. First, why does Arby's have normal CC information?? Once it passes, the deal is done. I get having corporate accounts on file, but this is silly. Second, the damn machines shouldn't be giving Arby's any information, other than transaction time/amount and some transaction code (needed for refunding cash). Third, the cards should be sophisticated enough to handle a secure chip/PIN system (not the sad version of today, but one that is legit).

    1. Re:How the hell is this still a problem? by starblazer · · Score: 1

      Gotta transmit the account number sometime. This could be along the lines of the Target hack... when it was in the register.

    2. Re:How the hell is this still a problem? by Anonymous Coward · · Score: 0

      No, the whole point of Chip and PIN is the use of symmetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apple Pay/etc. do, but embedded in a passive chip instead of requiring an active device.

      But because of stupid, we use a crippled system that still allows that system to be bypassed with simple swipes and no crypto between the card and the terminal.

    3. Re: How the hell is this still a problem? by mmell · · Score: 1

      Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.

      Why only one particular card issuer? Only a guess - the system should immediately encrypt the CC data and immediately delete the clear data. Only encrypted data should ever be used when communicating with card issuer. Perhaps this particular issuer's encryption didn't work and the system was configured to work with clear data for their CC's?

    4. Re:How the hell is this still a problem? by Anonymous Coward · · Score: 0

      You clearly have zero idea how POS systems work, nationwide.

    5. Re: How the hell is this still a problem? by Anonymous Coward · · Score: 0

      No, retailers and banks should bloody implement Chip+PIN correctly and stop allowing the storing of CC numbers altogether.

    6. Re: How the hell is this still a problem? by Mr.+Shotgun · · Score: 1

      Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.

      That is an interesting scenario but I am betting it will be another case of the attackers compromising a third party vendor and then working their way into the system like the Target breach, the Wendy's breach, etc. A business can have the most robust security system in the world, but if their business partners are lax it is all for nothing.

      --
      Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
    7. Re:How the hell is this still a problem? by Luthair · · Score: 1

      To me the real question is why point of sale systems have any ability to communicate to anything but the payment processor? This, much like the Home Depot breach, only occurs because of incompetence.

    8. Re:How the hell is this still a problem? by plover · · Score: 2

      No, the whole point of Chip and PIN is the use of symmetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apple Pay/etc. do, but embedded in a passive chip instead of requiring an active device.

      This is not correct. Chip cards use cryptography only to produce a "cryptogram" called the ARQC. This is a Message Authentication Code, a checksum-like number that authenticates that the card containing the secret key produced the message. By adding a PIN, the card can also fold the PIN into the cryptogram, authenticating the user, too. However, the card data, including the PAN, is still sent in the clear for authorizing. The chip does not encrypt the card data.

      Also, the chip is not passive. The chip contains a CPU and performs lots of cryptography, including validating the certificate presented by the terminal, the selection of various applications, protocol negotiations, etc. (And because that chip runs Java, every card issued gets to tithe Oracle for the privilege.)

      But because of stupid, we use a crippled system that still allows that system to be bypassed with simple swipes and no crypto between the card and the terminal.

      For the most part the data does not need to be encrypted. The payment terminal is responsible for rejecting a swipe that has a Service Code indicating that a chip is present, so you can't just bypass the chip. The skimmer only sees the data flow past, but has no way of computing valid ARQC because the secret key remains embedded securely in the chip. As long as the user doesn't have to also enter the CVV2 from the back of the card, there's not enough information to abuse the card. (Any web page that accepts an account number without requiring the CVV2 is out of compliance with PCI requirements, and is liable for any fraud committed with that card number.)

      However, if the payment terminal doesn't encrypt the data before sending it to the store's payment gateway (let alone from the terminal to the cash register), that's still plenty of stupid.

      --
      John
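
The two controls described in the comment above, as an added example that is not part of the original post or any card-scheme code: the terminal refuses a magstripe read when the Track 2 service code says the card has a chip, and the issuer accepts a transaction only if the cryptogram over the cleartext fields verifies and its counter is fresh. Assumptions: HMAC-SHA256 stands in for the real EMV MAC and key derivation, the issuer logic is simplified, and the key, track data and all function and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
CARD_KEY = b"constructed-secret-held-by-chip-and-issuer"
CHIP_TRACK2 = ";4111111111111111=30122011234567890?"    # service code 201
STRIPE_TRACK2 = ";4111111111111111=30121011234567890?"  # service code 101


def parse_track2(track2):
    """Split ISO/IEC 7813 Track 2 data into PAN, expiry (YYMM), service code."""
    body = track2.strip().lstrip(";").rstrip("?")
    pan, _, rest = body.partition("=")
    if not pan.isdigit() or not rest[:7].isdigit() or len(rest) < 7:
        raise ValueError("malformed track 2 data")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def swipe_allowed(track2):
    """Terminal check: a service code starting with 2 or 6 means the card
    has a chip, so a magstripe read of it must be refused."""
    return parse_track2(track2)["service_code"][0] not in ("2", "6")


def cryptogram(key, pan, amount_cents, atc, unpredictable_number):
    """Stand-in for the ARQC: a MAC over transaction fields that all travel
    in the clear. HMAC-SHA256 is used for brevity; it is not the EMV MAC."""
    msg = f"{pan}|{amount_cents}|{atc}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Simplified issuer host: verifies the MAC, then the transaction counter."""

    def __init__(self, key):
        self.key = key
        self.last_atc = {}  # highest transaction counter accepted per PAN

    def authorize(self, pan, amount_cents, atc, unpredictable_number, mac):
        expected = cryptogram(self.key, pan, amount_cents, atc, unpredictable_number)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: counter already used"
        self.last_atc[pan] = atc
        return "APPROVE"


if __name__ == "__main__":
    issuer = Issuer(CARD_KEY)
    pan = parse_track2(CHIP_TRACK2)["pan"]  # visible to anything on the wire
    mac = cryptogram(CARD_KEY, pan, 878, atc=41, unpredictable_number="9f3a01c2")
    print(issuer.authorize(pan, 878, 41, "9f3a01c2", mac))   # genuine chip read
    print(issuer.authorize(pan, 878, 41, "9f3a01c2", mac))   # same message seen twice
    no_key = cryptogram(b"guess", pan, 878, 42, "9f3a01c2")  # PAN known, key not
    print(issuer.authorize(pan, 878, 42, "9f3a01c2", no_key))
    print(swipe_allowed(CHIP_TRACK2), swipe_allowed(STRIPE_TRACK2))
```

The PAN appears unencrypted in every message here, which is the comment's point: the cryptogram authenticates the card and the transaction, it does not hide the account number.
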
    9. Re:How the hell is this still a problem? by radarskiy · · Score: 1

      a) Inventory tracking and ordering
      b) Fast-food specific: send order to kitchen

    10. Re:How the hell is this still a problem? by Anonymous Coward · · Score: 0

      You're totally right. They should put you in charge of updating 3,000 terminals and 1,000 fileservers. It's a pretty easy process, all you have to do is replace anything that doesn't meet the minimum software/hardware requirements (probably half the stores based on the age of the concept), install the EMV equipment, roll out a POS update to the latest version (I know Arby's uses Micros and Aloha, but there might be more), install the new processing software that handles encrypted transactions, replace any network equipment that can't handle latency demands, and get each site inspected to start using EMV. Oh and to pass the inspection you'll need to make sure your CC traffic is isolated from the rest of the network and is routed through a compliant firewall.
      When you're all finished with that don't forget to check up on your franchisee's stores to make sure they're compliant too! Also during your rollout keep up with the yearly SAQ and security audits that are now required by your cc processor for each site. Hopefully by the time you're wrapping up the EMV requirements won't have changed too much.

    11. Re: How the hell is this still a problem? by Anonymous Coward · · Score: 0

      If by knowledgeable hacker you mean any kid able to google 'credit card skimmer' or if they get really fancy 'credit card shimmer'

  9. A list of locations would be nice... by Anonymous Coward · · Score: 0

    to know if we're affected. Too much of the media's reporting is based on sensationalizing stories rather than reporting facts.

  10. Be VERY careful by Anonymous Coward · · Score: 1

    Not completely unrelated, but... Arby's charged me $87.80 for an $8.78. I noticed the incorrect charge a few days too late to dispute with my credit card company. I called the local store to find out THEY MANUALLY ENTER THE TOTALS in their credit card machines. Probably fat fingered the total. It's also common practice these days to withhold receipts (hence why I didn't notice right away). The GM and DM both acknowledge the problem, but 3 weeks after my first call I have yet to see a dime.

    It's crazy these days that online shopping is a safer place to use your credit card than brick-and-mortar retailers and restaurants.

    1. Re:Be VERY careful by Anonymous Coward · · Score: 0

      You didn't notice the charge when you signed/pinned/authenticated your card? Forgot how to count? Didn't calculate the tip? Didn't think that 80+ dollars was a bit much for a sandwich?
      Are you 12? ... Ah -- no you have a card, but you are an idiot.

    2. Re:Be VERY careful by Anonymous Coward · · Score: 0

      When is the last time you signed for a purchase under $20. And when was the last time that you saw a receipt at one of the fast food joints (like Arby's or McD's or Wendy's) that had a tip line. 9 times out of 10, they swipe the card and then throw the receipt in the bag with your greasy fries. If you are lucky, it will be on top, but sometimes it may be on the bottom of the bag in a nice pool of congealed goo.

    3. Re: Be VERY careful by Anonymous Coward · · Score: 0

      That would be a franchise location using a Verifone keypad not connected to the POS system in any way. Corporate locations, which were affected in this breach, use Aloha, which you cannot enter in an amount manually (I manage an Arby's).

    4. Re: Be VERY careful by Anonymous Coward · · Score: 0

      Which I should point out does not use any kind of Chip and PIN. Just a reader attached to the terminal at my location. Some locations the customer can swipe their own card. I don't know how any networking stuff works, but I do know everything connected to the network passes through a SonicWall, which I assumed would stop hackers from getting any credit card information.

  11. But by Dunbal · · Score: 3, Insightful

    Since there are absolutely no legal consequences, this kind of stuff is just going to keep happening.

    --
    Seven puppies were harmed during the making of this post.
  12. This is why I got a new card on Monday by Anonymous Coward · · Score: 0

    Makes sense as to why someone tried to charge 2k to my mastercard on Monday morning. We almost never go to Arbys but we did in early January one time...

  13. Not too much trouble.. by Vegan+Cyclist · · Score: 1

    It's probably the same 8 people who made all those transactions. Surprised that they even had that many sales! ;)

  14. Arbys? by Rick+Schumann · · Score: 0

    I was under the impression that anyone that eats at Arby's probably doesn't own a computer or know how to operate one, so why would any of us care about this?

    1. Re:Arbys? by Anonymous Coward · · Score: 0

      I'm just impressed that there are 355,000 people who eat at Arby's

    2. Re:Arbys? by bkmoore · · Score: 1

      I'm just impressed that there are 355,000 people who eat at Arby's

      It's probably a money laundering scheme. I used to be sort of a regular at an Italian restaurant that never seemed to have many customers. The food wasn't bad at all and the staff actually spoke Italian. It was kind of fun to think that syndicate bosses were meeting behind the kitchen, but that would have probably been too much of a cliche, even for the mob. They probably run an Arby's instead.

    3. Re:Arbys? by Rick+Schumann · · Score: 1

      Remember Breaking Bad? One of the biggest drug cartels in the world was run out of the back room of "Los Pollos Hermanos", a Mexican fast-food chain.

  15. Chip Cards by The+New+Guy+2.0 · · Score: 1

    Chip-based cards will solve this kind of problem... the chip only surrenders enough data to process one transaction, so repeated transactions without the card present is impossible... would be nice if they rolled this out to the Internet too.

    1. Re:Chip Cards by Anonymous Coward · · Score: 0

      EMV does not encrypt CHD data. Google: Does EMV protect against sniffing PAN data from untrusted network? That will take you to an article that describes what is encrypted on the card. It is not your primary account number, name, or PIN. EMV improperly implemented will give thieves information to use your data in card not present environments or at stores still using magnetic swipes. You cannot clone an EMV-enabled card and use it in a retail location with EMV-enabled terminals only. If a merchant hasn't upgraded to EMV terminals, then they are liable for that fraudulent transaction. Your card data is not any safer. It can still be used even if stolen from an EMV environment for online purchases.

    2. Re:Chip Cards by Anonymous Coward · · Score: 0

      Yes, that's all nice and well if that's actually how it worked or was implemented.

    3. Re:Chip Cards by Anonymous Coward · · Score: 0

      Paying by cash will solve this problem, too.

  16. We Have the Meats.. by Anonymous Coward · · Score: 0

    .. and a major hole in our credit card network.

  17. Oh, no they've got me....... by Anonymous Coward · · Score: 0

    Already received an email at 3:30pm eastern time from my bank telling me that my card may have been compromised and they will be sending me a new one and to expect receipt of it in 3 to 5 days....

    1. Re:Oh, no they've got me....... by Narcocide · · Score: 1

      Which Arby's?

  18. Re: Credit card fraud? I'm thinking Arby's! by plover · · Score: 1

    How does it only affect cards issued by one bank if it was malware on the PoS machines?

    The thieves likely stole numbers from any and all cards that ran through their infected payment terminals.

    PSCU isn't a single bank, it's an association of about 800 credit unions. Arby's didn't report the number above, that came from PSCU's count of impacted member cards. They said 355,000 cards were impacted, a figure that does not include any other cards issued by any other banks. If those 800 member banks represent 10% of all cardholders (I don't know that for sure, that's just a rough guess to demonstrate the math), it's possible that this breach could impact a total of about 3 million cardholders.

    --
    John
  19. This makes me sick by Anonymous Coward · · Score: 0

    and the data breach is bad, too.