Slashdot Mirror


Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com)

Brian Krebs is reporting that Arby's "recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide." The breach is said to only affect some corporate stores and not franchised restaurant locations. While there is no exact number of those affected, it's possible that more than 355,000 credit and debit cards issued by PSCU member banks may have been compromised. Krebs On Security reports: The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PSCU member banks. Arby's declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

5 of 49 comments

  1. Re:What is it with these guys? by ArchieBunker · · Score: 2, Informative

    It probably depends on if the restaurant is a franchise or not. There is a Popeye's close by that is absolutely terrible and has had constant negative reviews for years. You'd think corporate would want to improve things? Nope. Same deal for Steak N Shake. Worst service I've ever had in a restaurant and constant complaints. Drive 30 minutes away and the next one is the complete opposite.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  2. ARBY'S by the_skywise · · Score: 5, Insightful

    WE HAVE THE MALWARE!

    Can we at least see a list of stores that were affected so I'd know if I need to take action?
    Is that too much to ask?!

  3. How the hell is this still a problem? by tempest69 · · Score: 2

    Yes, CC and banks are dragging their heels. But the whole system is just bad. First, why does Arby's have normal CC information?? Once it passes, the deal is done. I get having corporate accounts on file, but this is silly. Second, the damn machines shouldn't be giving Arby's any information, other than transaction time, amount, and some transaction code (needed for refunding cash). Third, the cards should be sophisticated enough to handle a secure chip/PIN system (not the sad version of today, but one that is legit).

    1. Re:How the hell is this still a problem? by plover · · Score: 2

      > No, the whole point of Chip and PIN is the use of symmetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apple Pay/etc. do, but embedded in a passive chip instead of requiring an active device.

      This is not correct. Chip cards use cryptography only to produce a "cryptogram" called the ARQC. This is a Message Authentication Code, a checksum-like number that authenticates that the card containing the secret key produced the message. By adding a PIN, the card can also fold the PIN into the cryptogram, authenticating the user, too. However, the card data, including the PAN, is still sent in the clear for authorizing. The chip does not encrypt the card data.

      Also, the chip is not passive. The chip contains a CPU and performs lots of cryptography, including validating the certificate presented by the terminal, the selection of various applications, protocol negotiations, etc. (And because that chip runs Java, every card issued gets to tithe Oracle for the privilege.)

      > But because of stupid, we use a crippled system that still allows that system to be bypassed with simple swipes and no crypto between the card and the terminal.

      For the most part the data does not need to be encrypted. The payment terminal is responsible for rejecting a swipe that has a Service Code indicating that a chip is present, so you can't just bypass the chip. The skimmer only sees the data flow past, but has no way of computing a valid ARQC because the secret key remains embedded securely in the chip. As long as the user doesn't have to also enter the CVV2 from the back of the card, there's not enough information to abuse the card. (Any web page that accepts an account number without requiring the CVV2 is out of compliance with PCI requirements, and is liable for any fraud committed with that card number.)

      However, if the payment terminal doesn't encrypt the data before sending it to the store's payment gateway (let alone from the terminal to the cash register), that's still plenty of stupid.

      --
      John
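
The two checks described in the comment above, as an added example that is not part of the original post: an issuer verifying a MAC-style cryptogram over data that travels in the clear, and a terminal refusing a swipe whose service code marks a chip card. HMAC-SHA256 stands in for the card's real MAC algorithm, the strictly increasing counter rule is a simplification, and every name, key and track value here is constructed for illustration.

```python
import hashlib
import hmac

def make_cryptogram(card_key, pan, amount_cents, atc, nonce):
    """MAC over the transaction data, computed inside the chip (stand-in for an ARQC)."""
    msg = f"{pan}|{amount_cents}|{atc}|".encode() + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Holds each card's secret key and the highest transaction counter seen."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan, card_key):
        self.keys[pan], self.last_atc[pan] = card_key, 0

    def authorize(self, pan, amount_cents, atc, nonce, cryptogram):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a replayed/stale counter
        expected = make_cryptogram(key, pan, amount_cents, atc, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # data was altered, or the sender lacks the card key
        self.last_atc[pan] = atc
        return True

def swipe_allowed(track2):
    """Terminal check: refuse a magstripe read when the service code marks a chip card."""
    _pan, _, rest = track2.strip(";?").partition("=")
    service_code = rest[4:7]  # follows the 4-digit YYMM expiry
    return len(service_code) == 3 and service_code[0] not in "26"

def demo():
    pan, key = "4111111111111111", b"constructed-card-key"  # constructed test values
    issuer = Issuer()
    issuer.enroll(pan, key)
    nonce = b"\x01\x02\x03\x04"  # terminal's unpredictable number
    arqc = make_cryptogram(key, pan, 899, 1, nonce)
    return {
        "genuine": issuer.authorize(pan, 899, 1, nonce, arqc),
        "replayed": issuer.authorize(pan, 899, 1, nonce, arqc),
        "altered_amount": issuer.authorize(pan, 50000, 2, nonce, arqc),
        "forged_without_key": issuer.authorize(
            pan, 899, 2, nonce, make_cryptogram(b"guess", pan, 899, 2, nonce)),
        "chip_card_swiped": swipe_allowed(";4111111111111111=2512201000000000?"),
        "stripe_only_swiped": swipe_allowed(";4111111111111111=2512101000000000?"),
    }

if __name__ == "__main__":
    print(demo())
```

The PAN appears in every message unencrypted, yet only the first transaction is approved: the captured cryptogram is bound to its amount and counter, and a new one cannot be computed without the key held in the chip.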
  4. But by Dunbal · · Score: 3, Insightful

    Since there are absolutely no legal consequences, this kind of stuff is just going to keep happening.

    --
    Seven puppies were harmed during the making of this post.