Slashdot Mirror


Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com)

Brian Krebs is reporting that Arby's "recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide." The breach is said to only affect some corporate stores and not franchised restaurant locations. While there is no exact number of those affected, it's possible that more than 355,000 credit and debit cards issued by PSCU member banks may have been compromised. Krebs On Security reports: The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PSCU member banks. Arby's declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.


  1. What is it with these guys? by istartedi · · Score: 1

    Last night on the news there was also a story about some Arby's being picketed because they hadn't paid their employees. Are these guys asleep at the switch or something?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:What is it with these guys? by ArchieBunker · · Score: 2, Informative

      It probably depends on if the restaurant is a franchise or not. There is a Popeye's close by that is absolutely terrible and has had constant negative reviews for years. You'd think corporate would want to improve things? Nope. Same deal for Steak N Shake. Worst service I've ever had in a restaurant and constant complaints. Drive 30 minutes away and the next one is the complete opposite.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:What is it with these guys? by The+New+Guy+2.0 · · Score: 1

      McD's OO/Corp. status is regional... In New England they're all owned by the corp.

  2. Arby's? who would? by turkeydance · · Score: 1

    The Simpsons said it best: https://www.youtube.com/watch?...

  3. Re:Credit card fraud? I'm thinking Arby's! by ajparr · · Score: 1

    We have THE BREACH!!
    ...also couldn't resist...

  4. ARBY'S by the_skywise · · Score: 5, Insightful

    WE HAVE THE MALWARE!

    Can we at least see a list of stores that were affected so I'd know if I need to take action?
    Is that too much to ask?!

    1. Re:ARBY'S by plover · · Score: 1

      A breach that impacted 355,000 member cards is huge, indicating it was deployed to a large percentage of their chain, if not the whole chain. Since their breach "ended" on January 19 and it still took them 3 weeks to produce the list of affected cards, that tells me that Arby's response time is pretty damn poor, and that they may not be very good at tracking what's going on. Some senior VP said that "not all [of their 1000] corporate restaurants [out of 4000] were affected", but with news this bad combined with such a poor response time, it's hard to trust that they have a complete handle on the problem.

      So, IF YOU ATE THE MEATS, it's a pretty good bet that your card got eaten too. Watch your statements.

      Now that Arby's has submitted their list of impacted cards to the card associations, Visa or Mastercard will soon contact your bank. Your bank will then send you a letter saying "haxx0rs! Too bad, here's a new card, and if you want to sign up for a year of free credit monitoring, contact ohshitwewerebreached.com and tell them R.B sent you."

      --
      John
  5. How the hell is this still a problem? by tempest69 · · Score: 2

    Yes, CC and banks are dragging their heels. But the whole system is just bad. First, why does Arby's have normal CC information?? Once it passes, the deal is done. I get having corporate accounts on file, but this is silly. Second, the damn machines shouldn't be giving Arby's any information, other than transaction time/amount/ and some transaction code (needed for refunding cash). Third, the cards should be sophisticated enough to handle a secure chip/pin system (not the sad version of today, but one that is legit).

    1. Re:How the hell is this still a problem? by starblazer · · Score: 1

      Gotta transmit the account number sometime. This could be along the lines of the Target hack... when it was in the register.

    2. Re: How the hell is this still a problem? by mmell · · Score: 1

      Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.

      Why only one particular card issuer? Only a guess - the system should immediately encrypt the CC data and immediately delete the clear data. Only encrypted data should ever be used when communicating with card issuer. Perhaps this particular issuer's encryption didn't work and the system was configured to work with clear data for their CC's?

    3. Re: How the hell is this still a problem? by Mr.+Shotgun · · Score: 1

      Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.

      That is an interesting scenario but I am betting it will be another case of the attackers compromising a third party vendor and then working their way into the system like the Target breach, the Wendy's breach, etc. A business can have the most robust security system in the world, but if their business partners are lax it is all for nothing.

      --
      Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
    4. Re:How the hell is this still a problem? by Luthair · · Score: 1

      To me the real question is why point of sale systems have any ability to communicate to anything but the payment processor? This, much like the Home Depot breach, only occurred because of incompetence.

    5. Re:How the hell is this still a problem? by plover · · Score: 2

      No, the whole point of Chip and PIN is the use of symmetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apple Pay/etc. do, but embedded in a passive chip instead of requiring an active device.

      This is not correct. Chip cards use cryptography only to produce a "cryptogram" called the ARQC. This is a Message Authentication Code, a checksum-like number that authenticates that the card containing the secret key produced the message. By adding a PIN, the card can also fold the PIN into the cryptogram, authenticating the user, too. However, the card data, including the PAN, is still sent in the clear for authorizing. The chip does not encrypt the card data.

      Also, the chip is not passive. The chip contains a CPU and performs lots of cryptography, including validating the certificate presented by the terminal, the selection of various applications, protocol negotiations, etc. (And because that chip runs Java, every card issued gets to tithe Oracle for the privilege.)

      But because of stupid, we use a crippled system that still allows that system to be bypassed with simple swipes and no crypto between the card and the terminal.

      For the most part the data does not need to be encrypted. The payment terminal is responsible for rejecting a swipe that has a Service Code indicating that a chip is present, so you can't just bypass the chip. The skimmer only sees the data flow past, but has no way of computing valid ARQC because the secret key remains embedded securely in the chip. As long as the user doesn't have to also enter the CVV2 from the back of the card, there's not enough information to abuse the card. (Any web page that accepts an account number without requiring the CVV2 is out of compliance with PCI requirements, and is liable for any fraud committed with that card number.)

      However, if the payment terminal doesn't encrypt the data before sending it to the store's payment gateway (let alone from the terminal to the cash register), that's still plenty of stupid.

      --
      John
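The terminal-side service-code check described in the comment above, as an added example that is not part of the original thread or any payment vendor's code. It parses a magstripe Track 2 string (ISO/IEC 7813 layout), refuses the swipe when the first service-code digit (2 or 6) marks a chip card, and only ever returns a masked PAN. The function names are hypothetical and the track strings are constructed from a well-known test card number.

```python
import re

# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

# First service-code digit 2 or 6 means the card carries a chip (ICC).
CHIP_DIGITS = {"2", "6"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches misreads and garbage before any decision."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def swipe_decision(track2: str) -> dict:
    """Decide what a terminal should do with a swiped card."""
    m = TRACK2.match(track2.strip())
    if not m:
        return {"action": "REJECT", "reason": "malformed track 2"}
    pan, _expiry, service_code, _discretionary = m.groups()
    if not luhn_ok(pan):
        return {"action": "REJECT", "reason": "PAN fails Luhn check"}
    result = {"pan": mask(pan), "service_code": service_code}
    if service_code[0] in CHIP_DIGITS:
        result.update(action="USE_CHIP", reason="service code marks a chip card")
    else:
        result.update(action="ACCEPT_SWIPE", reason="magstripe-only card")
    return result


if __name__ == "__main__":
    # Constructed sample swipes (test PAN, not real card data).
    for sample in (";4111111111111111=25122010000000000?",   # chip card
                   ";4111111111111111=25121010000000000?",   # magstripe only
                   "not a track"):
        print(swipe_decision(sample))
```
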
    6. Re:How the hell is this still a problem? by radarskiy · · Score: 1

      a) Inventory tracking and ordering
      b) Fast-food specific: send order to kitchen

  6. Be VERY careful by Anonymous Coward · · Score: 1

    Not completely unrelated, but... Arby's charged me $87.80 for an $8.78. I noticed the incorrect charge a few days too late to dispute with my credit card company. I called the local store to find out THEY MANUALLY ENTER THE TOTALS in their credit card machines. Probably fat fingered the total. It's also common practice these days to withhold receipts (hence why I didn't notice right away). The GM and DM both acknowledge the problem, but 3 weeks after my first call I have yet to see a dime.

    It's crazy these days that online shopping is a safer place to use your credit card than brick-and-mortar retailers and restaurants.

  7. Re:Bitcoin. by ASDFnz · · Score: 1

    Yep, it is a recurring theme with credit cards isn't it?

  8. But by Dunbal · · Score: 3, Insightful

    Since there are absolutely no legal consequences, this kind of stuff is just going to keep happening.

    --
    Seven puppies were harmed during the making of this post.
  9. Not too much trouble.. by Vegan+Cyclist · · Score: 1

    It's probably the same 8 people who made all those transactions. Surprised that they even had that many sales! ;)

  10. Chip Cards by The+New+Guy+2.0 · · Score: 1

    Chip-based cards will solve this kind of problem... the chip only surrenders enough data to process one transaction, so repeated transactions without the card present are impossible... would be nice if they rolled this out to the Internet too.

  11. Re:Oh, no they've got me....... by Narcocide · · Score: 1

    Which Arby's?

  12. Re: Credit card fraud? I'm thinking Arby's! by plover · · Score: 1

    How does it only affect cards issued by one bank if it was malware on the PoS machines?

    The thieves likely stole numbers from any and all cards that ran through their infected payment terminals.

    PSCU isn't a single bank, it's an association of about 800 credit unions. Arby's didn't report the number above, that came from PSCU's count of impacted member cards. They said 355,000 cards were impacted, a figure that does not include any other cards issued by any other banks. If those 800 member banks represent 10% of all cardholders (I don't know that for sure, that's just a rough guess to demonstrate the math), it's possible that this breach could impact a total of about 3 million cardholders.

    --
    John
  13. Re:Arbys? by bkmoore · · Score: 1

    I'm just impressed that there are 355,000 people who eat at Arby's

    It's probably a money laundering scheme. I used to be sort of a regular at an Italian restaurant that never seemed to have many customers. The food wasn't bad at all and the staff actually spoke Italian. It was kind of fun to think that syndicate bosses were meeting behind the kitchen, but that would have probably been too much of a cliche, even for the mob. They probably run an Arby's instead.

  14. Re:Arbys? by Rick+Schumann · · Score: 1

    Remember Breaking Bad? One of the biggest drug cartels in the world was run out of the back room of "Los Pollos Hermanos", a Mexican fast-food chain.