back to article Ice cream headache as black hat hacks sack Dairy Queen

Ice cream mogul Dairy Queen appears to have been breached with hackers likely stealing credit cards from some of its many US stores. The chilling news comes from sources within the US banking sector who separately told cyber-crime prober Brian Krebs that fraudulent transactions on credit cards appeared to have stemmed from a …

  1. Anonymous Coward
    Joke

    "US Secret Service had been in touch after initial waffle"

    Can't expect them starting the day without some grub first...

    1. Anonymous Blowhard

      Re: "US Secret Service had been in touch after initial waffle"

      The article doesn't say what flavour ice cream they had on their waffle.

      1. Anonymous Coward
        Anonymous Coward

        Re: "US Secret Service had been in touch after initial waffle"

        It's the US secret service. If you have to ask what flavour, your obviously not in the "know".

  2. Anonymous Coward
    Facepalm

    Is it just me…

    or is someone else asking: "Who on earth uses anything other than cash to buy low-cost items like icecreams?"

    If someone was going to spend more than $50 at a place, fine, bring out the plastic, but otherwise it's needlessly overcomplicating a process.

    Maybe I'm just old fashioned and distrust modern finance systems too much.

    1. chivo243 Silver badge
      Thumb Down

      Re: Is it just me…

      Have an up vote! My thinking exactly, credit cards at a Dairy Queen?? even if you are buying 50 bucks worth of ice cream, pay in cash!

      I am seriously thinking of doing any payments in shops with cash ONLY! I think I'd rather be mugged for the €50 in my pocket rather than my plastic being sucked dry... there is an upside to paying cash, no NSA tracking of your cash flo...

      1. Anonymous Coward
        Anonymous Coward

        Re: Is it just me…

        I am seriously thinking of doing any payments in shops with cash ONLY!

        Until very recently, I did not have a debit card. I have a prepaid one issued by the local post office which I've now used exactly 3 times, for purchasing items from online stores (two here in Australia, one in the UK). I reload it by taking cash to the post office and presenting the card to be reloaded. The only way I get cash out, is to go visit my bank branch and present my passbook.

        The card gets used when no other payment options exist: my preference is to do cash, BPay direct deposit, or use this debit card; in that order.

    2. Lamont Cranston

      Re: Is it just me…

      You still carry cash? How quaint...

      Seriously, though, credit/debit cards are incredibly convenient, whereas cash is messy and easily lost. Contactless payment schemes may be riddled with security holes, but the simplicity at POS is undeniable, and attractive to both consumers and retailers.

      1. Mike Flugennock
        Mushroom

        Re: Is it just me…

        Yeah, it may be "quaint", but at least if I lose twenty bucks out of my wallet, all I've lost is twenty bucks.

        ...and there's no goddamn' way in hell you can tell me that cash is anywhere near as messy as what I'd have to deal with if some Russian mafiosi got hold of my credit card info or my banking site logins and sucked my accounts dry.

        Shill much?

        1. Anonymous Coward
          Anonymous Coward

          Re: Is it just me…

          If I loose my debit card out of my wallet, I've not lost 20 bucks. ;)

          But all in all, it's tools for the job. Each has different uses, each has benefits and drawbacks.

        2. Lamont Cranston
          Happy

          @ Mike Flugennock

          It did occur to me that what I wrote does sound a little like I'm shilling for the banking industry. I'm not though* - I don't even have a contactless payment card, I just like the idea of them, as I've very much gotten out of the habit of keeping cash about my person (I'd quite happily carry a chequebook, if cheques were still a viable payment method, in preference to cash).

          With regards to the havoc that could be wrought by the "Russian mafiosi," that's the reason that I prefer to use my credit, rather than my debit card (particularly online) - as pointed out above, stolen debit card details give them access to all my money, stolen credit card details give them access to someone else's money (I've had my credit card details stolen a couple of times, and never been out of pocket as a consequence, and have enjoyed the protection that using my credit card gave me when a hotel billed me for a room I hadn't used).

          1. usbac Silver badge

            Re: @ Mike Flugennock

            An added plus of using my AMEX card is that they automatically double the manufacturers warranty on almost everything you buy (with some limits). It's saved me a bundle a few times.

            Also, I have a cash back card, so at the end of the year, I get almost a grand back in cash. That's money I wouldn't have if I used cash everywhere! I pay off the card every month, so I don't pay anything to use it.

    3. Alan Brown Silver badge

      Re: Is it just me…

      "Who on earth uses anything other than cash to buy low-cost items like icecreams?"

      Debit cards are routinely used here (UK) for sub $5 transactions - and they use the same network as credit cards for authorization.

      1. Charles 9

        Re: Is it just me…

        Plus in the US, credit cards typically come with theft insurance standard (Visa frequently advertises this aspect on TV). If a card is ID'd to have been stolen, the issuer can usually flag any suspicious transactions, ring you up, send a new card, and you're not on the hook for the oddball. This is especially true for cheap transactions, where it's just cheaper for the credit card company to eat the occasional small costs rather than waste money in legal battles.

        1. Hans Neeson-Bumpsadese Silver badge

          Re: Is it just me…

          "credit cards typically come with theft insurance standard"

          That's exactly why I always use my credit card in preference to my debit card (but I'd use cash for small-value payments)

          If someone snags my debit card, they have direct access to my money in my bank account - if they get my credit card then they have access to money that technically belongs to someone else.

          (Dear Old Mum always uses her debit card because she "doesn't like spending other people's money" then got stung when she paid a lot of money to a company which went bankrupt between payment and delivery, leaving her out of pocket, and little comeback. If she'd used credit card, then the credit card company will take the hit)

        2. jcitron

          Re: Is it just me…

          Yup.... And one of the reasons why I use a credit card instead of a debit card especially while traveling. I carry minimal cash and use my Amex for everything else. It's also an easy way to track receipts because you can get a printout of everything you've spent.

    4. Anonymous Coward
      Anonymous Coward

      Re: Is it just me…

      Yes.

      Think DQ ice cream "cake" or drinks for a little league team - clearly enough to warrant use of a credit card in my book. And some people use credit or debit cards for nearly all purchases for the expense record they give.

      I moved in May 2013, taking about $200 cash for cross country driving miscellaneous expenses. That lasted me until another cross country visit back to the old neighborhood in July 2014.

    5. John Gamble

      Re: Is it just me…

      "Who on earth uses anything other than cash to buy low-cost items like icecreams?"

      Possibly someone who is buying more than one? Like for a family, or a softball team?

      Or possibly someone who is reserving their cash for emergencies instead of a frozen treat?

    6. alwarming
      Paris Hilton

      Re: Is it just me…

      Two words: Rewards card.

      Paris, coz i-scream while eats the cone...

  3. Alan Brown Silver badge

    Cashing out locally

    Not a new tactic at all.

    Gangs have been using money mules to cash out locally and shift money to other accounts for at least 10 years. In some cases they've got people _in_ bank branches too.

  4. Elmer Phud

    Franchised stores

    Having just about found enough dosh to set up the business and being understaffed usually results in several 'short-cuts' in running the business.

    Far too many 'managers' of franchises shouldn't be put in charge of a tea cup ride at the fair - all they know comes from a 'business studies' course that convinced them they could take over the world.

    1. unitron
      Holmes

      Re: Franchised stores

      If someone could just barely come up with the capital to buy the franchise and open the store, then they almost certainly are going to be running it themselves (sweat equity of a sort) rather than have the extra expense of paying a manager.

  5. The Mole

    Poorly written franchise agreement

    "Dean Peters has since said it was difficult to determine if breaches occurred at any of the franchised stores which were independent and not required to report security lapses"

    Sounds like they need to rewrite their franchise agreements (or just read them?). I would have thought any half competent lawyer would have put clauses in requiring the reporting of any events or actions that are likely to be potentially compromising to the licensed brand if reported on.

  6. Anonymous Coward
    Anonymous Coward

    Are you talking to me?

    Could I just request El Reg journos to add a line indicating vulnerable operating systems and/or software version number on security stories.

    "Backoff Point-of-Sale Malware"

    https://www.us-cert.gov/ncas/alerts/TA14-212A

    1. tom dial Silver badge

      Re: Are you talking to me?

      From the us-cert.gov posting it is obvious that the vulnerable POSs all run some variant of Windows. However, that probably is merely a reflection of the target environment, and the root fault appears (from the article) to be deployment failures : remote access (strike 1), weak credentials (strike 2), and credential reuse (strike 3).

      Someone (individuals in the case of debit cards and largely banks in the case of credit cards) is eating the cost of these depressingly repetitive events and the civil courts would seem a reasonable agent for reassigning them to the responsible parties.

  7. Ralph B
    Thumb Up

    My Compliments to Mr. Pauli

    A story about an ice-cream chain that included the phrases "chilling news", "initial waffle", "details were milky", "cool sales" and "sweet news". Well played, sir! Very well played!

    1. Anonymous Coward
      Anonymous Coward

      Re: My Compliments to Mr. Pauli

      Ice cream parlours' parlous security leaves sour taste.

    2. Sandtitz Silver badge

      Re: My Compliments to Mr. Pauli

      The subhead also - the funny prison chant in Down by Law

  8. pierce
    Paris Hilton

    wait. Dairy Queen serves nothing remotely resembling actual ice cream. its soft-serve synth crap.

    paris, cuz she's fake, too.

    1. Anonymous Coward
      Anonymous Coward

      Vanilla Blizzard [TM]

      Heaven

  9. jcitron

    It all boils down to training the users. Since this takes time, many IT departments don't want to do it, so I don't blame the end-user, meaning the store clerk for this mess. The blame should go back to the IT department for not enforcing secure logins and passwords on the systems. If the IT group allows passwords such as Password1234, or 12345678, especially from remote logins, well shame on them and the company!

  10. Anonymous Coward
    Anonymous Coward

    An example of default passwords

    In a prior IT position, I was the admin for all of the point of sale for several large hotel/casino properties. We're talking about hundreds of POS terminals.

    The vendor was a major US POS vendor (I won't name names), and the built in non changeable admin username AND password was the company's name! We kept demanding that it be changed, but were told "it's in the code, we can't".

    There is even a way by touching certain corners of the touchscreens in a certain order, you get to a screen with all kinds of admin functions, including a command prompt window.

    Anyone that's been through their training classes, knows all of this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let Facebook pay for it

      I sincerely hope upon receiving that reply you found a new vendor and got your legal department on to reclaiming any compensation applicable for being supplied a product that was plainly not fit for purpose.

  11. ecofeco Silver badge

    How many does that make now?

    One a week?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like