Eating out – no longer safe if you pay by card

Untitled designRestaurants were not avoided by hackers in 2016, and the reason why is quite obvious: big restaurant chains run their business in many locations, there is virtually zero IT security expertise on these sites, and most importantly, there is a big cash flow and a significant number of transactions going on every day.

How restaurants can be hacked

Cybercriminals use social engineering techniques to get the custom software installed on computers tied to the POS systems. To do that, they find out information about employees or contractors, then call in and get someone on the site to install software on a particular computer.

The malware itself does not have a known signature and does not exhibit malicious behavior, so it eludes the basic anti-virus protection available on the endpoints. However, it is able to tap into the data passing from the POS to the payment servers and extract credit card information.

Next, credit card information is uploaded to hackers’ terminals and sold on the black market. Crooks then use this information to create fake credit cards which in turn are used to make payments.

infographic22The top restaurant chains breached in 2016

Wendy’s suffered a significant breach, exposing credit card information from persons using this payment method at over 1000 locations. The data was exposed between the end of October 2015 and the beginning of February 2016, with dates varying with the site. Wendy’s published a list of locations and the periods of interest on their website, as well notices for their customers.

Noodles & Company reported a data breach exposing credit card information in multiple locations, taking place between February and June 2016.

Cici’s Pizza is another well-known restaurant chain experiencing credit card information theft at over 100 of their locations. The breach was presumably going on since 2015 at some locations and was discovered July 2016.

Other breaches occurred in 2016 at Fuzzy’s Taco Shop and  Landry’s Restaurants having a similar attack pattern.

Time to detect is surprisingly long

The data breaches are worrying as incidents, but what is even more worrying is the fact that it takes few to several months to discover the breach and take corrective measures. The reason for this happening is the lack of enough security on the computers manipulating critical cardholder information. These assets are not usually secured beyond basic anti-virus protection. In spite of security standards like PCI DSS, there is little effort put into making sure that the customers’ payment information is safe.

What can be done?

In case you used a credit card to pay at one of the restaurants listed as being affected by data breaches, you should monitor your transactions and report the invalid ones. In case you have not been eating at those restaurants yet, you might consider paying by cash next time.

How we can help

TEMASOFT FileMonitor, our file monitoring software, delivers file access auditing technology which provides information on how data is being accessed on a computer system, and by who. Such information can be used to detect unauthorized access to critical files such as POS transaction logs and may significantly reduce the time to detect a data breach similar to the ones experienced by the top restaurant chains.

TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.

Liked this article? Follow us on LinkedIn for more, or subscribe to our newsletter.

2 replies
  1. Mihai Gherman
    Mihai Gherman says:

    I don’t think that Wendy’s is quite considered a restaurant, also Cici’s Pizza it’s not a restaurants. ..in my opinion. Target got screwed last year I think, and that was big and scarry.
    I still think that paying with credit card it’s much better for the consumers cause you don’t pay with your money. You pay with the credit card $$, that you need to pay back at the end of the month. It’s harder to dispute a charge if you paid with a debit card, and the bank is not that interested to recover debit card $, but from a credit card they will. You can the victim of fraudulent charges on both cases. All you need to do is to monitor your self every week your transactions. That’s my 2 cents on this

    • Calin Ghibu
      Calin Ghibu says:

      Thank you for your feedback Mihai! Indeed monitoring the transactions is the healthiest thing consumers can do in order to control this phenomenon. In the end, if your data is compromised, it is still a headache to go through the entire process of reporting, getting the money back and resetting your cardholder information. So I believe that besides regularly checking transactions, a good attitude would be to also have more expectations regarding how payment operators handle our cardholder information, hoping that things will improve on their end too.

Comments are closed.