Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware

Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.

Well

[Plumpaquatsch]

At least their food wasn't infected,

Re:Well

[sunderland56]

At least their food wasn't infected

Who knows? Maybe people who ate there and charged it came away the victims of *two* different meanings of the word "virus".

Re:Well

[JonBoy47]

Given the issues Chipotle has had in recent months with regard to food safety, this is actually not unlikely!

Re:Well

[GrumpySteen]

No, they got that out of the way last year

Re:Well

[LifesABeach]

Mostly.

Chipoltaway

[s1d3track3D]

You're going to need your credit card when you go buy more underwear after eating Chipotle. (south park)

What malware?

[phantomfive]

I can't find the malware, or how the hack happened. Does anyone have real information about this hack?

Re:What malware?

[Aighearach]

2 malware infections.

1) You eat the food
2) The bugs grow in your intestines
3) You spend lots of time in the bathroom with Moderate To Severe Gastrointestinal Distress

Other one,

1) Credit card processing is controlled by computer connected to corporate network
2) Corporate network is p0wned and hostile
3) Refuse to accept delivery of items you didn't order and your fraud complaint will be less painful. But you are going to need a new card.

Re:What malware?

Management cooperated in an identity-stealing scheme to recover the lost profits from poisoning their customers.

Re:What malware?

[rtb61]

Heh, heh, both sound like 'insider', jobs.

Pay Cash, Don't Care

Seriously the only reason not to pay cash for food is to pay with a corporate expense account. If you're paying with an expense account, you deserve to be murdered and shredded and fed to dogs while your unearned wealth is redistributed to needy people.

Re: Pay Cash, Don't Care

A puff of the vape and a tip of the fedora to you, Sir Edgy!

Re:Pay Cash, Don't Care

Well, in most first world, civilized, countries the reason to pay with card (debit, credit, doesn't matter) is twofold: less paper, force companies to declare all earnings (transaction traceability... follow the money baby, follow the money... it's easy to have it on paper and every odd receipt be a dud, hard to explain money flowing from one account to the other directly to the company's account and not being theirs and not matching their tax declaration). But then again, that's in first world, civilized, countries.

Re:Pay Cash, Don't Care

[OrangeTide]

Cash? So I have to go to a bank periodically (once a week?) and wait in line to withdraw paper currency. So your solution is I should have yet another chore in my life.

Re:Pay Cash, Don't Care

Cash? So I have to go to a bank periodically (once a week?) and wait in line to withdraw paper currency. So your solution is I should have yet another chore in my life.

The AC probably only accepts cash as payment and may well not even have a bank account.

Re:Pay Cash, Don't Care

Yeah ATMs are really crowded and they take forever to give you cash. Like I mean you might have to wait up to five minutes in your air conditioned or heated car while inserting a card, punching a few numbers, and grabbing that dough. And those fees! $3 just to get cash once a week. Really terrible. It's almost like it's nothing but it feels like thousands of dollars in fees.

Re:Pay Cash, Don't Care

[hawguy]

Yeah ATMs are really crowded and they take forever to give you cash. Like I mean you might have to wait up to five minutes in your air conditioned or heated car while inserting a card, punching a few numbers, and grabbing that dough. And those fees! $3 just to get cash once a week. Really terrible. It's almost like it's nothing but it feels like thousands of dollars in fees.

$150/year is "nothing" to you? Yet you also consider that your time has no value either since you don't mind spending an extra 5 - 10 minutes/week driving to the bank to retrieve cash (that's 4 - 8 hours/year).

Re: Pay Cash, Don't Care

I can't consider your statement relevant until you've completely documented the micro optimization of your life

Re:Pay Cash, Don't Care

[Teckla]

Cash?

That's what I do. I do my best to use only cash at restaurants, including fast food and sit down restaurants. For multiple reasons.

One, computer security is truly deep in the dark ages these days. Both of the Chipotle restaurants I frequent were included in the hack, so I just saved myself a bunch of trouble getting a new card, changing some of my automatic payments for things like Netflix, etc.

Two, I don't have to wait for the server to pick up my credit card, process it, and return it.

Three, I'm pretty sure last year a server skimmed my card on purpose.

Four, it helps keep my spending down. I visit the bank once a month for that month's "fun money". If I spend it all, it's gone. Helps keep me on budget.

Re:Pay Cash, Don't Care

[OrangeTide]

But an ATM could have the same malware problems. Best not to use those either.

(you probably won't get E. Coli from the ATM, so it has that going for it)

Re:Pay Cash, Don't Care

[Archfeld]

No per diem ? I don't have to present receipts for basic food and lodging provided I stay under the companies estimated costs for the market area I am working in. X amount of dollars per day for food and a basic lodging rate. If something exceeds that limit I either call and get authorization or retain and file the receipts. Most of my lodgings are arranged ahead of time and paid for by corporate accounting and I don't even have to do a thing besides show ID and sleep.

Re: Pay Cash, Don't Care

[OrangeTide]

Avoiding paying $3 to a machine is not a micro optimization, it's more of not wanting to pay a lot for what seems like a trivial service on their end.
An ATM business is what, load money into a busy machine once a day and collect $500? Pay $3 seems steep compared to their effort.

Re: Pay Cash, Don't Care

obviously if you're running an ATM business but are using another company for the processing, then the interchange fees are being set by the processing company and they're the ones making the most money in this. Like most other businesses, the best option is to be the bank.

Re: Pay Cash, Don't Care

You've been conned. Here in the U.K. people refused this and the banks gave up, leaving most of out ATMs free. The banks make money in plenty of other ways, but giving you access to your own cash should be free.

Re: Pay Cash, Don't Care

[OrangeTide]

The banks and the networks doing the processing are separate. Many people here pay two fees, one at the ATM that is split by the processing company and machine owner, and another fee their bank secretly charges. My bank charges me $5 a month if i use any out-of-network ATMs that month, rather sneaky.

To fix this in the US, I think we'd have to restructure our networks to eliminate the need for these interchange networks. Putting an entire industry out of business is politically difficult, especially in a nation primarily ran by lobbyists.

As individuals we don't get to refuse fees, we can refuse to use the service entirely, but that is mighty difficult and not really effective. I'm not calling you a liar, but I don't think grousing about issues is normally how problems are solved.

Re: Pay Cash, Don't Care

[hawguy]

I can't consider your statement relevant until you've completely documented the micro optimization of your life

I don't want to waste 5 minutes at an ATM every week, I'm certainly not going to write a detailed thesis on my life's micro optimizations so an Anonymous Coward too lazy to create or log in to a Slashdot account will consider my statement relevant. But I'll tell you another of my micro optimizations - I don't waste 10 - 15 minutes every week driving to the gas station to buy gas.

Re:Pay Cash, Don't Care

^^This^^
Plus anonymity.

Cash is king.

Re: Pay Cash, Don't Care

$150/year is "nothing" to you?

Yep. I make a decent living.

Maybe you should go back to school?

Re: Pay Cash, Don't Care

[aardvarkjoe]

Banks want your money because they use it to make more money.

If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.

Re: Pay Cash, Don't Care

[hawguy]

$150/year is "nothing" to you?

Yep. I make a decent living.

Maybe you should go back to school?

Then why would you pay hundreds of dollars to spend hours in line at the bank each year? Did you learn that in school?

Re: Pay Cash, Don't Care

FYI o sheltered manchildren, servers (the human kind, who manually cater to your every gastronomical whim) like cash tips. They get to take it home at the end of the night and tip out the indentured cooks under the table.

Re: Pay Cash, Don't Care

[OrangeTide]

Banks want your money because they use it to make more money.

If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.

They don't exist in the US.

Re: Pay Cash, Don't Care

[aardvarkjoe]

If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.

They don't exist in the US.

You're talking utter nonsense. If you actually believe this, then you've obviously never compared financial institutions.

Re:Pay Cash, Don't Care

[OrangeTide]

I use credit cards at restaurants and get reimbursed when someone steals from me. It's a 20 minute phone call the my credit card company and hasn't happened to me in 3 years. But it couldn't be simpler, assuming you like to review your monthly statements as part of tracking your personal budget.

Don't use an ATM/Debit card for anything, banks are a huge pain in the ass about fraud and it will take about 90 days to get your money back into your account.

My "fun money" is also my lunch money, and I can't really go without lunch for weeks.

E. coli malware

[turkeydance]

new tool: don't eat there again.

Good thing I can't stand Chipotle.

[Chas]

I can avoid diarrhea AND credit card fraud!

Re:Good thing I can't stand Chipotle.

[ChromeAeonium]

I don't eat there because of their anti-GMO marketing. If you're going to use science denialism as a marketing tool and cater to a dangerous hysteria that makes the world a worse place, then meh, I'll go somewhere else.

Re: Good thing I can't stand Chipotle.

It's not that the GMO food itself is unsafe (though we really won't know until a generation or two has passed), it's that the GMO food allows them to use more chemicals (pesticides mostly) on them that ARE unsafe.

Re:Good thing I can't stand Chipotle.

Republicans are not anti-GMO so when you agree with Republicans, you should revisit your beliefs.

Re: Good thing I can't stand Chipotle.

This. Republicans love them so thinking people should hate them.

Re: Good thing I can't stand Chipotle.

Republicans love anything that increases profits for the medical cartel.

Re: Good thing I can't stand Chipotle.

GMO food requires LESS pesticides because it can be modified to be more robust yet less appealing to insects.

Re: Good thing I can't stand Chipotle.

It can be modified that way, but it was cheaper to make it resistant to roundup poison and then drench it in that.

Except McDs potatoes, which were engineered to make the poison internally, so they don't need to spray the soil to get to it....

I oppose modern GMO , vs selective breeding, because the companies involved are fucking shady as hell and externalize the costs/risks onto the public of cross contamination.

Grow that shit in a sealed greenhouse, not where pollen can blow across public and private lands, or insects can get to it. I don't want some mistake by Monsanto leading to a modern equivalent of the Irish potato famine. That leads to more desperate people who listen to whack job religious nut leaders.

Re:Good thing I can't stand Chipotle.

[Ogive17]

Do they have "anti-GMO" marketing or do they simply advertise their products as non-GMO and the meats from animals that were not fed growth hormones?

I've never seen an ad taking a stance, which is what you imply, simply ads talking about what they offer.

Re: Good thing I can't stand Chipotle.

[ChromeAeonium]

This post is the exact type of misinformation I'm taking about. GE crops aren't made to be 'drenched in' Round-Up, they're designed to tolerate it so it can be used in place of other weed control methods, which typically include a series of much worse herbicides.

Yes, there were potatoes that were engineered to produce a type of insecticide, They were called NewLeaf, and are no longer on the market. But you know what, all potatoes produce their own insecticides, notably solanine. If you want potatoes with no insecticides, you beter not eat any plants, because chemical defenses are how they evolved to cope with pests. Don't like that being altered? What do you think happens when we breed a new pest resistant variety without genetic engineering?

As for cross pollination, all plants do that. Reproduction is what life has been fine tuned to do since day one. If you are going to hold GE crops to an unreasonable double standard, then of course they're going to fail. But I could apply that same argument to non-GE crops. Crops with different traits will cross pollinate and result in different progeny, which can cause issues in some instances. Arbitrarily declaring one thing be grown in greenhouses while giving everything else a free pass makes no sense.

Your post shows exactly why I hate anti-GMO marketing so much. It preys on an ignorance of modern agricultural methods, genetics, and basic botany, all while fostering opposition to a technology that society should be embracing.

Re: Good thing I can't stand Chipotle.

GMO feeds more people which is terrible for the environment.

Re: Good thing I can't stand Chipotle.

[Aighearach]

Look up which ones are grown on farms and sold as foods, ones that are designed to survive being drenched in RoundUp, or happy joy-joy hippie ones that are better for you. You could have guessed which it is by the fact that the hippies don't eat GMO.

Re:Good thing I can't stand Chipotle.

most of the GMO related marketing I seem to remember is they think it tastes better, which is subjective.

Re: Good thing I can't stand Chipotle.

[nitehawk214]

Because hippies eat something, it is better for you?

Re: Good thing I can't stand Chipotle.

For someone who is anti-Elsevier your pro-GMO stance is pretty interesting.
GMO and in particular the licensing and patenting aspect is pure evil. Why are you upset when a publisher paywalls articles, but ok with the practice of "paywalling" crops.

GMO corporations prey on farmers and is a technology that should be banned.

Re: Good thing I can't stand Chipotle.

[phantomfive]

Being anti-Elsevier is being pro-science.

Re: Good thing I can't stand Chipotle.

[Chas]

Just so you know. Whether you've known it or not, you've been eating RoundUp resistant crops for over a decade now.

And, likely, NONE of the farmed food you have ever eaten is unmodified by the hand of man over the last several centuries.

Re: Good thing I can't stand Chipotle.

[Chas]

Again with the "drenched in".

Christ, did you join an anti-GMO CULT?

Again, these crops are made resistant to RoundUp, which has minimal update, ultra-low toxicity and and can be used in far smaller quantities than other FAR more toxic "natural" herbicides which destroys greater portions of crops.

Oats. Oats have a relatively high uptake of RoundUp. So, a product like Cheerios has something like 1100 parts per billion of one of RoundUp's active ingredients.

Know how much you'd have to eat?

By the EU standard, which caps at about 1/3rd of the US standard, you'd have to eat over 750 1-cup servings A DAY, EVERY DAY, FOREVER before you'd hit levels the EU considers "possibly harmful". And at that level, your body's eliminating it from your system as fast as you're taking it in.

Quite simply, YOU CANNOT EAT THAT MUCH. 1 cup of cheerios weighs in at about 36-37 grams. 750 cups is 27-ish kilograms (60 lbs). Again, YOU CANNOT EAT THAT MUCH REALISTICALLY.

After a point, you'd die of hypervitaminosis or dehydration as trying to shovel in that much food would likely trip your gag reflex and bring most of it back up. The rest, assuming you didn't constipate yourself with that much oats, you'd be shitting oat bricks continuously.

Re: Good thing I can't stand Chipotle.

[Chas]

Uh no. You're conflating two arguments.

GMO itself is a good thing for the planet.
It allows us to unlock more potential in our foods. More hardy, faster growing, more productive, more nutritious, more resistant to pests and herbicides.

I will agree with you that the licensing structure is fairly evil and counterproductive. But these companies DO deserve to be renumerated for the costs involved in developing these crops and their growing ecosystem.

I could understand you wanting to ban because you thought the crops unhealthy.
But banning the crops because you dislike their licensing model? That's just brain-damaged.

Re: Good thing I can't stand Chipotle.

[K10W]

This post is the exact type of misinformation I'm taking about. GE crops aren't made to be 'drenched in' Round-Up, they're designed to tolerate it so it can be used in place of other weed control methods, which typically include a series of much worse herbicides.

Yes, there were potatoes that were engineered to produce a type of insecticide, They were called NewLeaf, and are no longer on the market. But you know what, all potatoes produce their own insecticides, notably solanine. If you want potatoes with no insecticides, you beter not eat any plants, because chemical defenses are how they evolved to cope with pests. Don't like that being altered? What do you think happens when we breed a new pest resistant variety without genetic engineering?

As for cross pollination, all plants do that. Reproduction is what life has been fine tuned to do since day one. If you are going to hold GE crops to an unreasonable double standard, then of course they're going to fail. But I could apply that same argument to non-GE crops. Crops with different traits will cross pollinate and result in different progeny, which can cause issues in some instances. Arbitrarily declaring one thing be grown in greenhouses while giving everything else a free pass makes no sense.

Your post shows exactly why I hate anti-GMO marketing so much. It preys on an ignorance of modern agricultural methods, genetics, and basic botany, all while fostering opposition to a technology that society should be embracing.

I hate both sides personally because they are both lying to some degree, just the anti GMO crowd tend to be very uneducated in what they are campaigning about so oft more full of it. There is sometimes truth in what they say though. For instance the RoundUp tolerant thing, they DO actually drench SOME things such as wheat even though it isn't designed for that per se. It has a secondary effect in that it acts as a dessicant so they often use more than they are supposed to. The problem is the noise on both sides drowns out these things. For the record I am pro some GMO and anti others and the same goes for most friends all of whom with degree and career backgrounds in biochemistry (save 1 molec bio and 1 in microbio careers). A lot of the rice mods are very favourable, and the gene subtraction things make me laugh when they say they are frankenstein foods and when do they stop becoming a tomato etc etc when it is 100% tomato genetically, just lacking an enzyme to break down pectinase for instance (although that mod turned out different to intended in use it is obviously harmless).

Re: Good thing I can't stand Chipotle.

[K10W]

100% tomato genetically, just lacking an enzyme to break down pectinase for instance (although that mod turned out different to intended in use it is obviously harmless).

meant break down pectin sorry, I forget the exact pectinase they chopped out for that one. There were some other tomato mods which I don't like more on the basis of negative effect to taste than health risks so I sometimes disagree on those grounds but that isn't a gmo issue.

Re: Good thing I can't stand Chipotle.

[GWXerog]

I don't think most *sane* people have an issue with GMO/GE crops cross-pollinating. I think they have an issue with the patent on those crops being used to sue the ever loving shit out of the poor farmer who ended up with somebody's intellectual property growing in his field. I also understand that there are sterile GMO seeds being produced as well, ones that can't reproduce at all without a farmer having to buy more. All in the name of protecting intellectual property

Re: Good thing I can't stand Chipotle.

[Aighearach]

Hippies are into healthy stuff. It might not be better for you, but you can be confident that they believe it to be better for you.

In the 90s when NPR was running a story about "Golden Rice" and how in the future food will be engineered to be healthier, a lot of hippies said things like, "Sounds nice, but I doubt they're really going to use the technology that way." And they were right. Almost everything modified that is in a food product in the store is modified solely to withstand broad-spectrum herbicides that would naturally kill them. That's all the farmers are interested in even trying.

It explains why the food labeled "organic" in the store is so much higher quality than the "conventional" stuff. Organic produce should actually look worse; if that was the only difference, it would be smaller and lower quality. But there is a huge difference in the type of farmer who grows one or the other. The hippie farmers are way more willing to take the time and risk of growing higher quality food.

Re: Good thing I can't stand Chipotle.

[Aighearach]

You've obviously never applied RoundUp. You have to "drench" the leaves of the plant you want to kill. That is how it is applied. You spray it over the exposed leaf surfaces.

You can write, but I doubt you're able to read. Oh, you clearly know how, you're not illiterate; merely aliterate.

BTW, fear of eating the RoundUp isn't why people are opposed to using it on everything you fucking tool, and you've been told that before! . My goodness man, you're even more ignorant than if you were illiterate!

Who fucking cares how much is still in your food?! Is that the only item on the list of complaints? Oh, you'd don't know because you're aliterate!

Kudos for honesty!

Nice web tool to see if you were at risk - I was able to confirm from my cc records that i didn't use it there on any of the at-risk dates. Thanks to their doing the right thing, I can relax. (If I there was a hit I would have replaced my CC.)

Too many companies either cover up this stuff, or don't give you the info needed to act. I'm looking at you Target, T J Max, ...

Re:Kudos for honesty!

[TWX]

If they're doing the right thing, I should receive notice from my financial institution that Chipotle contacted them and paid for the cost to issue me new plastic.

Re:Kudos for honesty!

As poster of the parent Kudos, I fully agree. Step 1 is the honesty in notification that I "kudoed." Step 2 is indeed automatic reissue of CCs and paying for that. (Such costs are now CC overhead passed on to all CC holders covertly via CC fees paid by the merchant.)

If such costs were charged to the leakers, the beancounters might be more willing to pay for security.

Compensation?

So they are seriously just saying "our bad", call the credit bureaus and place fraud alerts on your credit reports? Many of the places I've had this happen offer free credit monitoring. I get that credit monitoring is pretty worthless, but at least they aren't just walking away "scott free".

Really?!

Is there any kind of virus, bacteria or alike, analog or digital, that chipotle doesn't get infected with?!

Chip vs. Strip?

[AdamThor]

Is Chipotle on the chip, or are their readers still strip based? My cards have chips these days, but I usually don't watch to see who uses which scan technology. Chip tech is supposed to combat this sort of thing, isn't it?

How'd that work out?

Re:Chip vs. Strip?

[avandesande]

Lots of cards still don't have chips and stores will still let you swipe them... so it's not a binary situation.

Re:Chip vs. Strip?

[AdamThor]

So the company announcement says that the malware stole data from magnetic strip reads.

"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device."

I didn't see anything specifically state that chip-based interactions were immune. What percentage of payments were strip vs. chip based?

Re:Chip vs. Strip?

I've never seen a register at a Chipotle that takes chips. It's all swipe.

Re:Chip vs. Strip?

[dustman81]

Chipotle has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security. https://www.scmagazine.com/chi...

Re:Chip vs. Strip?

[robertchin]

100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.

Re:Chip vs. Strip?

[dustman81]

Wonder if after this if they continue using swipe only? Fraud gravitates towards the weakest link.

Re:Chip vs. Strip?

[sphealey]

= = = has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security = = =

I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.

Re:Chip vs. Strip?

[ZorinLynx]

Stupidity like this is why card issuers are simply going to have to make EMV mandatory. Same deal with gas stations; yes I realize EMV readers are expensive but it's cost of doing business. Deal with it and upgrade your shit.

Re:Chip vs. Strip?

[AdamThor]

I wondered if this would be the case. Since chip tech exists, you'd only target malware at people who weren't using it...

Re: Chip vs. Strip?

They just need to get a fast one. There's a grocery store chain here that has chip readers that are just as fast as swiping. Everywhere else is stupid slow.

Re:Chip vs. Strip?

The idea behind chips is to prevent fraudsters from using cloned cards by making the vendor responsible for the loss if they accept a cloned card. In this case, Chipotle was accepting real cards, but the info on the mag stripes was being siphoned off to create clones, which could then be used elsewhere (potentially including Chipotle).

Basically, C made a business decision that getting people through the line faster is more important than the potential financial loss of accepting a cloned card, and for a fast-order vendor of their scale, where the average transaction value is probably around $10, that's probably the right decision, at least up until the point their POS terminals got pwned. Now they have to deal with the PR hit, and considering they're still recovering from the E.Coli debacle (which last I heard, still hadn't been conclusively nailed down because the strain involved isn't naturally occurring, implying possible sabotage), might change that calculation.

Re:Chip vs. Strip?

[ColdWetDog]

Puts a new take on the phrase 'fast food'.

Re:Chip vs. Strip?

That's only because the US completely botched the adoption of EMV, although things seem to be getting better now.

Compare to a country like the UK or Australia where it's been done properly and there's "tap and go"... you tap your card on a reader and it beeps and the transaction is complete. It's faster than a swiping a card.

Re:Chip vs. Strip?

[hawguy]

100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.

All they'd have to do to speed up Chip transactions is program their systems so while one customer is waiting for the chip transaction to complete, the next customer in line can be placing his order. Most small CC transactions don't even require a signature.

Re:Chip vs. Strip?

[jader3rd]

Stupidity like this is why card issuers are simply going to have to make EMV mandatory

The issuers aren't going to be doing anything for a while. Because at the moment, the vendor who gets hacked is now responsible for all mag stripe fraud.

Re:Chip vs. Strip?

Is Chipotle on the chip, or are their readers still strip based? My cards have chips these days, but I usually don't watch to see who uses which scan technology. Chip tech is supposed to combat this sort of thing, isn't it?

How'd that work out?

A merchant who takes a stripe swipe when the card has a chip assumes 100% of the fraud risk in the US.

Re:Chip vs. Strip?

NFC-enabled cards can pay in about a fifth of a second with a tap.

Swipes are a little slower than that.

Chip dips take longer.

Re:Chip vs. Strip?

[radarskiy]

We in the US should be ashamed that the godless communists in Europe are more efficient at separating consumers from their money.

Re:Chip vs. Strip?

[bugs2squash]

100% of the risk to him. 100% of the $10 transaction which is no big deal to C. I don't see them accepting 100% of the risk to the customer or even the bank.

Re:Chip vs. Strip?

[petermgreen]

Basically the banks have said that if a card has a chip and a merchant doesn't use it then the merchant gets to eat the fraud cost. So chip tech reduces the amount of fraud the banks have to eat the cost of.

But there are still a lot of non-chip transactions (e.g. card not present, merchants that refuse to upgrade) which are still as insecure as ever. While the merchant gets to eat the bill the customer and bank still have to deal with the rigmarole of identifying the fraudulent transactions and replacing the card.

Re:Chip vs. Strip?

[dfenstrate]

= = = has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security = = =

I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.

I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.

Re:Chip vs. Strip?

[Tablizer]

the chip is painfully slow compared to the swipe strip

Because oligopolies control the payment market. Break them up and you'll get faster systems.

Re:Chip vs. Strip?

[avandesande]

That makes them 100% liable for any losses due this leak. No chip and the vendor is responsible.

Re: Chip vs. Strip?

[ian_billyboy_morris]

The US seems quite backwards in its credit card technology, here in the UK we have had chip & pin basically exclusively for a decade and are now using Rfid for low value touch based transactions (less than £30)

Re:Chip vs. Strip?

[konohitowa]

Have you never been to Chipotle? Multiple people are ordering while someone is paying.

Re:Chip vs. Strip?

Using the chip is so 2008. Seriously. USA is 10 years behind Europe.

I expected the USA to adopt contactless cards primarily, but I when I visited it a few weeks ago, they only had MSR or chip readers. So I guess contactless cards will really make a debut in the US in 8 years from now?

Re:Chip vs. Strip?

[WaxlyMolding]

I work for a McD's franchisee as the technical person. We moved to chip and pin this year, even in our drive thrus. Processing time is less than 4 seconds for chip and pin. Chipolte was way stupid for doing this. They are responsible for all these fraudulent charges because of the liability changes last year.

Re:Chip vs. Strip?

[Imrik]

Which is why the banks didn't bother optimizing the way the chips work to make them fast, the fewer businesses that adopt the chip, the better for them.

Re:Chip vs. Strip?

[trawg]

I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.

literally everywhere in Europe & Australia maybe :D

It is staggeringly rare to see swipe at all now.

Putin and Kushner Sitting in a Tree

F-u-c-k-i-n-g

He goin down muthafuckaz!

we have good new and bad news...

the good news is, we didn't food poison you.

Food already infected

Fortunately the food is already infected to the point of supersaturation with cilantro; so I have no worries.

And this is why I carry cash

[BLToday]

My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.

Re:And this is why I carry cash

[hawguy]

My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.

You carry around a bulky wallet full of cash all of the time because you don't want the mild inconvenience of having a credit card number stolen?

I've had 2 CC numbers stolen -- with one, I didn't realize it until I got a fedex envelope from the bank with a replacement card, with the other, it took 10 minutes online to complete a fraud report and flag fraudulent transactions, then I had to sign and return a paper that I received with the replacement card.

Re:And this is why I carry cash

[Luthair]

So what you're saying is that you'd rather be mugged at gunpoint than having your credit card skimmed.

Re:And this is why I carry cash

[mjwx]

So what you're saying is that you'd rather be mugged at gunpoint than having your credit card skimmed.

Yes, because:

1. I live in a country where you simply dont get mugged at gunpoint.
2. I know enough self defence that I can reliably beat most attackers unarmed.
3. Thanks to contactless, my cards are just as valuable to a mugger as cash.

Due to points 1 and 2, I don't worry about being mugged, due to point 3, after a long hiatus in the UK, mugging and pick pocketing is making a comeback. If a mugger gets my wallet, they only get whats in the wallet (I've disabled contactless on all of my cards, but a mugger doesn't know that), if a fraudulent party gets my card numbers, they can charge a hell of a lot more than what is in my wallet.

So there is no additional risk to carrying cash and a lowered risk from not sticking your card everywhere. The average person loses US$300 when their card is compromised. Card users also have to wear the cost of fraud even if their cards aren't compromised. This is done via fees.

"But I dont pay any fees", wrong again buck-knob. You pay fees, via the merchant who has to pay the bank to accept your card. These fees are passed onto you via higher prices. So by using cash, I'm doing my part to help prevent things from becoming more expensive.

Re:And this is why I carry cash

You've only had two stolen? Either you're the luckiest guy on earth or I'm extremely unlucky. I've never had a credit card expire due to age. On average I have a credit card stolen about every 14 months. My last one was January. I was effected by this one, I'm wondering if I should call my bank now and request a replacement preemptively or actually wait for fraudulent charges to show up.

If you're in the States it hardly matters

[rsilvergun]

by law you can't be held liable for more than $50 bucks of fraud and I've never seen anyone held for that (maybe on the really crappy cards you use to rebuild credit after a messy divorce?). As long as you read your statement once a month the one who's gonna lose out here is Chipotle. Especially since they're not doing chip 'n pin.

Re:If you're in the States it hardly matters

Chip and pin? That's not what the US went for.

We went for stupid chip-and-discarded-signature unless the merchant can tell it's a debit card, and then they go for pin so they can save on transaction fees by running it as debit instead of credit.

Goddamnit

[JustAnotherOldGuy]

"Earlier this year, Chipotle announced that the their payment processing system was hacked."

Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?

I am SO glad that I never ate at Chipotle, but that's just down to pure luck more than anything else. If I had, and my credit card info had been hacked, I would pissed off beyond beyond all reason.

Fucking clowns. After you hear about the 1,000th data breach you start to realize that none of these fucking companies give a shit about security. They couldn't program their way out of a wet paper bag with a chainsaw in each hand. For fuck's sake.

Re:Goddamnit

[Teckla]

Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?

We're currently deep in the Dark Ages of computer security, and I'm not 100% sure it's the fault of your typical companies that get hacked.

If 999,999 out of 1,000,000 of your customers somehow use your tool wrong, and cut off their hands, the real problem might be the tool...

Humans can't seem to secure anything (e.g., Windows, credit card machines, servers, etc.) because the whole process in incredibly error prone and ridiculously complex.

I would like to know...

I would like to know when are consumers going to had they have and enough of this crap and burn the business to the ground?

Just wondering...

Chipotle, out in front again

[Applehu+Akbar]

Chipotle researchers have found a way to imprint the giardia genome into customers' credit card strips. This can cause it to jump to rival restaurants.

Most stores affected == management collusion

No other explanation worthy of consideration. Never go there.

so not only do you

shit your brains out after eating
but now
it sucks your wallet dry..

is that a Shit n Blow??

Yay

My location was not affected, or so the website says.

Experienced Hacker

This Turkey American hacker by the name WILLIAM HOLLIS saved me. He helped change my driving records and clear some implicating records i had online. This is no joke, i tried it and it has worked for me. If you are in need of a professional hacker, William is the man for the job. Other services he offers are below::
-Tracking calls
-Facebook,whatsapp,twitter,gmail hack
-Cloning of phones
-Clearing criminal records without leaving traces
-Changing school grades without leaving traces
-Website hack
-Retrieval of lost or hacked social media accounts and so many other services not mentioned here.

Contact us @ willtrusthack830@fastservice.com OR trusthacker830@gmail.com
Call +1 (201) 719-5274
WhatsApp +1 (847) 497-0407
ICQ: 704422091

Thank me later

Please ensure to tell him Peter Blom referred you. Good luck. you won't be disappointed, cheap and fast

Hence we need Apple Pay and Android Pay

[MtViewGuy]

Chipotle's latest problem is why restaurant and retailers need to offer Android Pay and Apple Pay support.

Why? Because under Android Pay and Apple Pay, you transact using a specially encrypted code that is not anywhere close to your credit card number. As such, there's no such thing as "skimming for card number," and it's extremely difficult--even if the hacker could intercept the data stream--to use it for credit card fraud.

Re:Hence we need Apple Pay and Android Pay

[ebvwfbw]

Or bring the American cards up to European standards. They could have done that with the last switchout. In fact they *COULD* have made it more secure than the European standard. But no. Too hard or some such bullshit excuse.

Probably take them 20 years to decide to upgrade again unless there's a really big problem.

Android pay, apple pay - I was using that. In the case of Android they changed something so it didn't work anymore. So I had to get a new version of their pay, which doesn't want to work with the terminals anymore. It works, if you're patient. Apple has been spotty. Some places it just works, others it works sometimes. It's such a pain that I simply still use the credit card. I'm out of there sooner.

Experienced Hacker

This Turkey American hacker by the name WILLIAM HOLLIS saved me. He helped change my driving records and clear some implicating records i had online. This is no joke, i tried it and it has worked for me. If you are in need of a professional hacker, William is the man for the job. Other services he offers are below::
-Tracking calls
-Facebook,whatsapp,twitter,gmail hack
-Cloning of phones
-Clearing criminal records without leaving traces
-Changing school grades without leaving traces
-Website hack
-Retrieval of lost or hacked social media accounts and so many other services not mentioned here.

Contact us @ willtrusthack830 at fastservice dot com OR trusthacker830 at gmail dot com
Call +1 (201) 719-5274
Skype: +1 (847) 497-0407
ICQ: 704422091

Thank me later

Please ensure to tell him Peter blom referred you. Good luck. you won't be disappointed, cheap and fast