
Wendy's Says More Than 1,000 Restaurants Affected By Hack (go.com)

An anonymous reader writes from a report via ABC News: The fast food giant Wendy's has reported today that hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants. The company said Thursday hackers were able to obtain card numbers, names, expiration dates and codes on the card, beginning in late fall. Some customers' cards were used to make fraudulent purchases at other stores. Wendy's first announced it was investigating a possible hack in January. In May, it found malware in fewer than 300 restaurants; two types of malware were found two months later and the number of restaurants affected was "considerably higher." There are more than 5,700 Wendy's restaurants in the U.S. Customers can check to see which locations were affected via Wendy's website. The company said it is offering free one-year credit monitoring to people who paid with a card at any of those restaurants. In May, Wendy's announced plans to start automating all of its restaurants with self-service ordering kiosks.
  • by subk ( 551165 ) on Thursday July 07, 2016 @04:04PM (#52466063)
    WaReZ da B33F!!
  • pay with cash.
    Though I do use my CC sometimes as well.
    • by Jhon ( 241832 )

      The next generation of hackers will be able to access your bank account with just the serial number of your $20 bill!

      (ducks and runs)

      • I continually re-use photocopies of a bill which I picked up from the tips-bowl of a LA brothel 20 years ago. Probably explains why Clinton keeps on getting hacked.
  • Considering some of the world's top financial services corporations are working on ways to incorporate Blockchain for many types of transactions, perhaps it's time for the retail world to jump onboard too. It could allow consumers and retailers to connect directly and form online networks, removing the need for middlemen and do it securely.
    • Trying to solve a data integrity and security problem by implementing the solution based on the blockchain is like trying to go to space by digging a hole in the ground.

  • by JustAnotherOldGuy ( 4145623 ) on Thursday July 07, 2016 @04:14PM (#52466129)

    It's time to go back to paying with cash for these kinds of purchases.

    Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

    • So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.
      • So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

        Unless they use it to open up new lines of credit or steal your identity, in which case it can get pretty messy. But that's a complex concept that numptys like you can't fathom. Now go finish your Lunchable and piss off.

        • Nobody's using your credit card to open a new line of credit or steal your identity. They need a fair bit more data than what's encoded on the card's magstripe for that.
          • Nobody's using your credit card to open a new line of credit or steal your identity. They need a fair bit more data than what's encoded on the card's magstripe for that.

            No, but they can leverage that data to get more information, and then the fun begins. I've seen it happen to people I know.

      • It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card.

        If only life were really that simple.

        • If only life were really that simple.

          If it's not that simple, dump your bank. I have a card from Citi. There are many things to dislike about that bank, but they called ME when a local business got hacked and someone started making unusual charges to my account. We went over the list of recent transactions on the phone so that I could invalidate the illicit ones, and they sent me text confirmation afterward. They notified the bank where I pay my bills from of the change in number.

        • I've had cards compromised 2 or 3 times - it's never been more complicated than that.

          Besides the card companies are getting pretty good at pattern recognition these days. I was travelling last week and used my card to withdraw cash at an ATM quite a few states away from my residence. The transaction was refused and I immediately got a text on my phone saying my account had been flagged for suspicious activity. It was a false alarm, but I was able to respond to the text and open it up immediately.

      • The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I h

        • Leave your bank now. There's no excuse for taking that long in this day and age of CC fraud.

        • I would stop using that card, and apply for a new one from another bank. If possible, don't cancel the card. Just pay it off, lock it up at home, and don't use it. That's better for your credit rating.
        • by tlhIngan ( 30335 )

          The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I h

      • So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.

        Then send me your credit card info and PIN. Let me charge some stuff and, like you said, all you need to do is make a 5 minute call to report the unauthorized charge.

        • That's funny, Todd Davis, but your logic escapes me. No one wants to get hit in the nads either, but I still don't go around with a steel codpiece. It's not worth the inconvenience when I can just keep a safe distance from crazy women and three year old kids.
    • It's time to go back to paying with cash for these kinds of purchases.

      Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

      Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

      The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

      • It's time to go back to paying with cash for these kinds of purchases.

        Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.

        No, I was referring to people in general, not myself specifically.

        Personally I almost always pay in cash for minor items or small consumables. For larger items I use a credit card so I can do a chargeback if necessary.

        -

        The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.

        For larger items where I may end up with service issues or need to return it, I always use a card. It gives you major leverage with the store if something goes wrong.

        For example, I bought a $300 digital camera from Best Buy and then flew off for vacation the next day. The camera stopped worki

    • by phorm ( 591458 )

      Why?
      Carry lots of cash, and I can be mugged, it can be lost, etc.
      They can overcharge me, or screw up my order and respond to my complaint "meh"

      Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

      • Carry lots of cash, and I can be mugged, it can be lost, etc.

        Are you saying that $100 is "lots of cash"? I don't know of a single zip code in the entire US where $100 is considered "lots of cash".

        -

        Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.

        Did you even read what I wrote? If you did, could you please tell me what kind of head injury you have? Because here's what I wrote:

        Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.

        What part of "I'll use a credit or debit card" sounded like "I won't use a credit or debit card"?

  • Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?
    • Re: (Score:3, Informative)

      by subk ( 551165 )
      It's unclear from reading the article, but it sounds like the malware steals it from the POS application at the time of swipe, hence the need to infect the machines at individual restaurants. This is not the same as breaking into a big database and plucking a list of "stored" card info.
      • by Yvan256 ( 722131 )

        POS application indeed.

      • Except TFS mentions codes as well as numbers. That sounds like the CVV2 on the back which is not meant to be stored anywhere but the issuing bank for Cardholder Not Present transactions. Why did Wendy's have that information?

    • Re:Why?? (Score:5, Informative)

      by vux984 ( 928602 ) on Thursday July 07, 2016 @04:18PM (#52466177)

      Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?

      There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

      The malware was persistently installed over several months, so it got a lot of people. It wasn't a quick hack where someone went in, grabbed a database, and got out.

      • by fnj ( 64210 )

        There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.

        Challenge/response chip and PIN, goddamit. For Christ sake, when is the US going to catch up to the REST OF THE FUCKING WORLD? With challenge/response chip and PIN, the POS system never even sees enough data momentarily to permit theft. Somebody would have to somehow steal your physical card. There is nothing useful to skim.

        Every credit card already co

    • by Luthair ( 847766 )
      I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.
      • by DogDude ( 805747 )
        Almost all POS applications these days are Internet based.
        • Re: (Score:2, Funny)

          by Anonymous Coward

          Same goes for point of sale applications.

        • How does that change anything? It's pretty trivial to lock something down to only communicate with approved endpoints, I do it all the time. My hosted PBX customers' phones can connect to two subnets; my primary location and my secondary. The rest of the internet may as well not exist as far as they're concerned.

          For something like this where a few milliseconds of added latency isn't a big deal you could put the POS systems on an isolated network that only connects out over VPNs and has no access to the a

          • by quetwo ( 1203948 )

            Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and

            • Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.

              It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.

              Why the hell would your POS system need to talk to the same subnet the HVAC does?

              VLANs aren't exactly rocket science. Firewall and switches enforce a logical separation between the devices. Boss' PC is allowed to connect to admin address(es) on both POS and HVAC subnets, only traffic on expected ports is allowed. Bonus points for logging and alerting on traffic that shouldn't be, say the HVAC system attempting to connect to the POS system or either attempting to connect to hosts outside of their approved

              • by quetwo ( 1203948 )

                VLANs aren't hard to do, but when you are talking about a Wendy's that may have, at most, one computer, it becomes a bit much to have 5 subnets for the 4 devices that are connected to the network.

                Is it the right way to set things up? Yes. Is it practical in every case? Probably not. Remember, there is no IT department for these types of stores -- so everything gets outsourced, and while security is important, it's often not as important as things just working, according to those that use the systems.

                • It's a formulaic corporate environment. It'd be trivial for Wendy's to have a standard corporate configuration that any idiot can plug in.

      • by tlhIngan ( 30335 )

        I said this back at the Home Depot breach, the real question is why do these PoS machines have the ability to talk to anything other than the payment server? There is literally zero reason for them to be contacted or to contact anything but the payment server.

        Well, you talk to the back end server for inventory and sales tracking, and they talk to the headquarters to monitor sales of their franchises.

        Short of the new self-configuring cloud-based IT gear like Meraki, having all the restaurants IT set up prope

    • Why do any of these companies store your CC information?

      That's a damn good question. But if I read the article right, I think they're skimming this stuff at the POS terminal and capturing it in transit.

      Personally, I've been running web sites for ~15 years that sell stuff online, and I never store any credit card data. Why should I? All it brings you is headaches.

      Customers use the credit card gateway, make their purchase, and they're done. I store nothing but a name and address, maybe a phone number but I don't store any credit card info, period. I don't even sto

  • When is the FTC going to start imposing fines so that these companies take the security of people's personal and financial info seriously?

    As far as the kiosks.. we have seen a lot of those pop up here and there across LA here. They have all died to be taken away to a junk yard.

    For kiosks to succeed they better be built into every table and have smartphone integration. Possibly with siri or cortana to take my order.

    • I agree. Look at healthcare. If you're negligent, you get slapped with massive fines if you aren't held criminally liable. This is really no different.

    • by AK Marc ( 707885 )
      The free market should fix it. In an ideal world, they'll lose PCI certification, and be unable to take cards. Though the free market wants money more than punishment, so Visa (the merchant banks, the processors, etc, but the card brand is easier to say) won't care that Wendy's is insecure and will still allow them to take cards.
      • by quetwo ( 1203948 )

        This is already happening. As of last month, companies that refused to implement CHIP+PIN (or at least CHIP+Signature) readers were charged a larger % on the transactions. A company like a Wendy's franchiser was already paying between 2.5% and 3.5%, now they are paying 3% to 4%.

        Which is pretty silly, since Wendy's corporate has been going around replacing POS terminals across the country over the last 6 months -- and they decided to not put in the chip+pin readers (opting for swipe terminals ONLY). I can

        • by AK Marc ( 707885 )
          Chips take no longer than swipes (presuming you have a connection). I have no idea what dial-up chip transactions are like, but the terminal time for a transaction is almost the same. So low on the millisecond scale that even over Wal-Mart scale (millions of transactions) it doesn't add up to more than a few seconds.
          • Dial-up is fast. I think I read it's done at 300 bauds, and it isn't a joke : slow negotiation and handshake are avoided, and perhaps whatever is done to encabulate your data is reduced.

            Uh, I am at a loss figuring out how US ATMs work if all you have is a swipe card. Do you sign, and if so, where? A piece of paper comes out, which you sign and throw away on the curb?

            • ATMs, of course, use a PIN. They have always used a PIN.
            • by AK Marc ( 707885 )
              ATMs around the world work the same. You insert the card. You put in a PIN, you complete your transaction, the card comes back out. The time to transaction is the same whether chip or swipe. The ATM can do either.
            • by quetwo ( 1203948 )

              2400 baud, but who's counting ;)

              ATMs are usually connected by an ISDN-BRI, GSM, or for regional banks, a Metro-E or MPLS service. They have always used PINs, but they don't use the CHIP in the card for encryption (they use the mag strip).

  • Minimum wage register jockeys can only steal from one customer at a time.
    Replace them with automation because minimum wage went up, and now haxxors can steal from ALL YOUR CUSTOMERS!

    Still better than eating at Chipotle.
  • Wasn't this past the liability deadline for Chip transactions? I'm guessing Wendy's and not the Bank will be responsible for any fraudulent transactions due to this hack?
    • by DogDude ( 805747 )
      The only thing that stupid chip does is make merchants liable if they don't work with those chips, and then somebody uses a fake credit card with a stolen number, without a chip. So no, the chip thing is irrelevant in this case.
      • The liability shift places liability on the merchant where the fraudulent purchase occurred.

        Consider this scenario: Someone swipes a card at Wendy's and that data was captured and used to create a fake card and the fake card is used at Safeway, which hasn't enabled their chip card readers.

        If the original card had a chip, Safeway is liable. If the original card didn't have a chip, then the bank that issued the card is liable.

  • Creating business (Score:5, Interesting)

    by TheMadTopher ( 1020341 ) on Thursday July 07, 2016 @04:25PM (#52466211)
    I wonder if credit monitoring companies secretly fund these hacks.
  • How many times have we heard about tens of thousands, millions, of people having their data stolen/purloined/misappropriated/whatever because of private industry? Anyone remember the millions who were affected by the Target fiasco? How about T.J. Maxx? Barely a murmur is heard.

    Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

    Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

    • by bill_mcgonigle ( 4333 ) on Thursday July 07, 2016 @05:05PM (#52466471)

      Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.

      Based on the evidence it appears government is doing substantially better than private industry in protecting our data.

      I might need a new debit card. What a pain. If you have government clearance, thanks to the OPM breach, the Chinese have all of your biometric data. Game over.

      The Wendy's breach can be fixed with a bunch of new cards. The government breach cannot be fixed.

      That is why people were apoplectic.

      • by WallyL ( 4154209 )

        I was quite impressed with the site sharing which locations were affected. I understand security is the mitigation of risk, not the absolute prevention of risk, and I appreciate their attempts to be so open with their customers. I suppose that due to all the other breaches everywhere else in the world, I have enough credit monitoring for quite a while, so I don't need this one too.

    • by Anonymous Coward

      Yet let a few thousand people have their data swiped through a government breach

      The OPM breach affected 21.5 million people and it included social security numbers, names, addresses, dates of birth, fingerprints, and security clearance details.

    • Your love of government is at odds with your sig.
  • "One year of free credit monitoring" is the corporate equivalent to the "Thoughts and Prayers" fecal spray from gutless politicians after every gun-driven US mass murder.
  • I went to America earlier this year and was shocked that there was virtually no implementation of chip and pin. It felt like I went back in time.

    I am honestly surprised a day goes by where there is not massive credit card fraud in the US. I swiped my card everywhere and the only check on that was my signature! The merchant is not protected at all!

    These kinds of skimming breaches are a direct result of not having chip and pin everywhere. Sure they can install a camera to grab your pin, but that is a bit more

    • by fnj ( 64210 )

      You got that right. Signature is no protection whatsoever. Every US credit card I've seen since a while has had a chip, but none has a PIN. Talk about "not getting it"! My debit card has a chip (FINALLY), and it has a PIN, but still every place I've seen still wants me to swipe instead of use the PIN.

    • Better late than never, I suppose, but some big players like Walmart [bgr.com] and Home Depot [ajc.com] are trying to get chip and PIN, albeit in a round-about way by suing the networks.

  • Oh there is. It's called chip and pin. There is no requirement for any retailer to hold credit card information for over the counter transactions.
  • ..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs, and I'm pretty sure I'm the only person on the planet who buys their hotdogs. Something is very fishy about this story. Also, why are we calling these 'restaurants' now? They are a kiosk at most.
    • by fnj ( 64210 )

      ..buy an icecream with a credit card? I mean, Wendy's has only two products: soft service ice-cream and hot-dogs

      What the hell? What planet are you from? Yes, Wendy's is a RESTAURANT. There are TABLES in there. You can sit at them. You can order from at least 10 offerings of hamburgers and cheeseburgers, 9 offerings of chicken sandwiches, 6 offerings of chicken nuggets, 8 offerings of "frostys", whatever they are, a cod fillet sandwich, numerous salads, numerous combos, and probably other stuff. I never saw

  • CASH. For trivial, small-amount transactions that will not be returned (i.e., fast food), I LOVE CASH. I never get charged twice for the same thing. Never a problem with the tip amount, etc. And no exposure for hacks like this.

    Granted, I haven't had many problems with credit card transactions, but I've had ZERO problems with cash.

  • I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem too concerned by the losses they take, or at least I never see anyone going into it on the internet or news.
    • I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem too concerned by the losses they take, or at least I never see anyone going into it on the internet or news.

      We all pay through the interest rates on the cards.

  • Either they lied about it for months, or were still clueless about the actual extent FOR MONTHS, after being made aware that they'd been pwned. I'm not sure which is worse, but either way... aslholes.
  • Sometimes it's beneficial http://www.newser.com/story/21... [newser.com]
