Would you like fraud with that? Burger chain giant Wendy's 'hacked'

Wendy's – the third largest fast-food chain in the world – has become the latest retail giant to lose customers' credit card numbers to crooks, it appears. The possible security breach was flagged up today by investigative journalist Brian Krebs. We're told fraudulent activity on people's payment cards led bank staff to …

  1. allthecoolshortnamesweretaken

    In God we trust. All others get paid in cash.

    1. Jim Mitchell
      FAIL

      In God we trust. All others pay in cash.

  2. Joe Gurman

    It's time

    For Wendy's to follow McDonald's and Subway and adopt Apple Pay.

    1. Fatman

      Re: It's time

      <quote>For Wendy's to follow McDonald's and Subway and adopt Apple Pay.</quote>

      <rant on>

      In all seriousness, HOW is that ANY better???????

      YOU are still putting a THIRD PARTY into the payment stream.

      Simplest solution:

      YOU (customer) ----> CA$H ----> merchant ----> product (or service) ----> YOU

      As opposed to:

      YOU ----> swipe card ----> POS system ----> payment processor ----> card issuer ----> approve/deny ----> payment processor ----> merchant POS system ----> product (or service) ----> YOU

      ALL of these third parties have expenses that somehow must be paid, and guess who pays for them - YOU DO in the form of higher prices.

      </rant off>

      Hey ElReg, can we get a GET A CLUE icon??????

  3. Sway

    Why not overhaul the system? In NZ I don't believe the PC is allowed to perform the transaction; the card reader does this over an encrypted session via LAN/dialup. The PC gets a simple COM message about the status of the transaction and can also send the transaction value to the device.

    The company should never need your CC number, this should be between you and the bank, if they want to track you then use loyalty cards.

    1. Tom 13

      Re: The company should never need your CC number,

      Actually, the company DOES need the CC number. If you dispute the charge and they need to counter dispute, it's the only way to confirm the charge was legitimate. The consumer is protected because any record of the cc number is required to be destroyed within a fixed time period. When I was involved in this 15 years ago that time period was 90 days. It could be shorter than that now.

      1. Anonymous Coward

        Re: The company should never need your CC number,

        Not true. The transaction, once completed, can be assigned an MBUN (meaningless but unique number). That identifies the transaction at both ends (PoS and processor). The PoS collects the information and submits it; the processor and PoS then work on the MBUN of the transaction, so the PoS can forget everything except the amount and MBUN. The processor comes back with a yes or no (with reason code), and that transaction is done.

        In the event of a dispute - "I didn't buy this, at that place, at that time", it's based on something like a report that the card holder receives by mail/email/running a report on the web site of the issuer (a monthly statement, for example). The dispute is resolved by the card issuer, not the retailer or third-party processor. Who pays is a different story...

        The PoS that requested the charge, the retailer who owns that PoS, and the third-party processor (if there is one), may be of interest to the card issuer, but there is absolutely no need for the PoS, or the retailer using that PoS, to retain anything beyond the MBUN and amount.

        Where this has all been strange in the USA is that the total cost of fraud has been downloaded from the card issuers to the retailers. The card holder is not on the hook. The cost is passed on to the card holder only in the form of elevated prices built into the cost of providing retail services (if brick and mortar, the lease for the store, employees, and so on). It's an invisible cost.

        Recall Home Depot, Target, and so-on. Were there stories about how much money individuals lost? "Someone swiped my card at Target, and now I have to mortgage my house!" Were there stories about the costs to the card issuers? "VISA takes a billion-dollar hit to cover credit card fraud!" Nope, because they don't. The banks incur costs by reissuing cards, then they sue everyone except the card holders.

        However, inconvenience to, and the confidence of, the card holder started to rear its ugly head. Hence, the USA finally starting to roll out Chip-n-PIN in October 2015. As per a comment above - if consumers figure cash is safer, there's a problem for the card issuers.

        Because of this system, it is difficult for a retailer to know when there is a problem. They process transactions as one-offs. Unless they directly find physical scanners or resident malware, they won't see a problem. Only the card issuers, who have all the details, have a view that allows them to detect a wide-scale problem via correlation.
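
The MBUN flow described in the comment above, as an added example that is not part of the original thread: the PoS forwards the card number, retains only the MBUN and amount, and the processor resolves a dispute from its own ledger. The class and function names and the test card number are constructed for illustration.

```python
import secrets

TEST_PAN = "4111111111111111"   # constructed test card number, not a real account

class Processor:
    """Processor/issuer side: the only place a card number is tied to an MBUN."""
    def __init__(self, known_cards):
        self._known = set(known_cards)
        self._ledger = {}                      # mbun -> (pan, amount_cents)

    def authorize(self, pan, amount_cents):
        mbun = secrets.token_hex(16)           # random, so it reveals nothing about the card
        approved = pan in self._known
        self._ledger[mbun] = (pan, amount_cents)
        return mbun, approved, "approved" if approved else "unknown card"

    def resolve_dispute(self, mbun, pan, amount_cents):
        """Confirm that this card was charged this amount under this MBUN."""
        return self._ledger.get(mbun) == (pan, amount_cents)

class PointOfSale:
    """Retailer side: forwards the card number, retains only MBUN and amount."""
    def __init__(self, processor):
        self._processor = processor
        self.records = []

    def charge(self, pan, amount_cents):
        mbun, approved, reason = self._processor.authorize(pan, amount_cents)
        # The card number is not stored; it goes out of scope when this returns.
        self.records.append({"mbun": mbun, "amount_cents": amount_cents,
                             "approved": approved, "reason": reason})
        return self.records[-1]

def store_exposes(pos, pan):
    """True if a dump of the retailer's records would contain the card number."""
    return any(pan in str(value) for rec in pos.records for value in rec.values())

if __name__ == "__main__":
    processor = Processor({TEST_PAN})
    pos = PointOfSale(processor)
    sale = pos.charge(TEST_PAN, 899)
    print(sale, store_exposes(pos, TEST_PAN))
    print(processor.resolve_dispute(sale["mbun"], TEST_PAN, 899))
```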

  4. Mark 85

    What's surprising to me here in the States is that probably half the places I go into have the "chip and PIN" type devices and of those, only about 25% are working in chip mode.

    <sarc> I'm just sure that the companies without them working or not installed yet, take our information (CCs, etc.) very seriously.</sarc>

    1. Anonymous Coward

      US doesn't (and won't) use Chip and PIN anyway. When US cards are chip enabled - and my bank still hasn't issued chip cards - they are chip and signature.

      It is currently, and will remain, a shitshow

      1. kain preacher

        Funny thing. My mom has a Target charge card. It's chip and pin only. No mag swipe. Wait, didn't Target suffer a major hack? It's the banks not the merch that that credit card over chip and pin. For some odd reason in the US the merch pays more for using credit card vs chip @pin/debit network so it's the banks that are refusing chip and pin. They want the higher fees. Walmart is suing Visa over this.

  5. Anonymous Coward
    FAIL

    A major problem is that Wendy's isn't even equipped to process my Chip&PIN bank credit or debit cards. This despite it being one of the busiest in our city due to our local city college being literally next door. My Paleolithic bank upgraded my cards automagically. Local businesses, excepting liquor stores, hardly any.

  6. a_yank_lurker

    A Question

    I believe most Wendy's are run by franchisees. The information implies these were corporate stores but has that been verified? I would not be surprised if part of the security problem for Wendy's (and other fast chains) is an unevenness of IT security awareness and practices across the network.

    1. Tom 13

      Re: A Question

      Spot on. The linked article is even more vague about the nature of the breach.

      This isn't to say there aren't problems that might be addressable from the corporate level. I have a friend who works in POS support for a Wendy's franchise on the East Coast. They do their own payment processing. Last time I checked they had about 150 Wendy's, plus various two other brands that I now forget (maybe Chili's and Popeye's). The Franchise support team consists of him, his CTO boss, and three other support techs. That's a pretty thin team given the geographic area they cover. The system has a fair number of attack points. You have the terminals themselves, the Windows systems to which the terminals are connected, and the fact that you're frequently working with the lower half of the median on intelligence pool for the workers at the actual stores (ie, think about your average idiot, remember half the people are dumber than that, and in this case, when you find the average idiot, you've got the smart one). Pile on that the mini-networks at each store are exactly the same except for the server name and probably its password.

      So I expect a compromise of a big franchise in the Midwest that might have been leveraged to some other franchises. It wouldn't take long to rack up a lot of stores and more importantly even more victims. Fast food has lots of customers and I'm always surprised at how many people will swipe a credit card to pay for a meal costing less than a yuppie food stamp.

      1. Queasy Rider

        swipe a credit card to pay for a meal

        Yup, my best friend, a very computer savvy guy, always uses a card for his fast food purchases, says it makes it easy to track his expenses. That just flabbers my gast.
