Wendy's Says More Than 1,000 Restaurants Affected By Hack (go.com)
An anonymous reader writes from a report via ABC News: The fast food giant Wendy's has reported today that hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants. The company said Thursday hackers were able to obtain card numbers, names, expiration dates and codes on the card, beginning in late fall. Some customers' cards were used to make fraudulent purchases at other stores. Wendy's first announced it was investigating a possible hack in January. In May, it found malware in fewer than 300 restaurants; two types of malware were found two months later and the number of restaurants affected was "considerably higher." There are more than 5,700 Wendy's restaurants in the U.S. Customers can check to see which locations were affected via Wendy's website. The company said it is offering free one-year credit monitoring to people who paid with a card at any of those restaurants. In May, Wendy's announced plans to start automating all of its restaurants with self-service ordering kiosks.
Re: (Score:1)
The fly is organic and locally sourced.
Re: (Score:2)
Additionally, they are found to be Gluten Free and non-GMO!
Re: (Score:2)
Don't worry sir, the spider in your salad will take care of it.
New corporate slogan.. (Score:5, Funny)
And this is why I... (Score:2, Insightful)
Though I do use my CC sometimes as well.
Re: (Score:3)
The next generation of hackers will be able to access your bank account with just the serial number of your $20 bill!
(ducks and runs)
Time for Blockchain? (Score:2)
Re: (Score:2)
Trying to solve a data integrity and security problem by implementing the solution based on the blockchain is like trying to go to space by digging a hole in the ground.
It's time.......... (Score:3, Insightful)
It's time to go back to paying with cash for these kinds of purchases.
Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.
Re: (Score:2)
Didn't Jack Tramiel buy Atari with his?
Re: (Score:2)
If you have enough of them and cash advances... yup.
Re: (Score:1)
So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.
Unless they use it to open up new lines of credit or steal your identity, in which case it can get pretty messy. But that's a complex concept that numptys like you can't fathom. Now go finish your Lunchable and piss off.
Re: (Score:2)
Nobody's using your credit card to open a new line of credit or steal your identity. They need a fair bit more data than what's encoded on the card's magstripe for that.
No, but they can leverage that data to get more information, and then the fun begins. I've seen it happen to people I know.
Re: (Score:2)
It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card.
If only life were really that simple.
Re: (Score:1)
If it's not that simple, dump your bank. I have a card from Citi. There are many things to dislike about that bank, but they called ME when a local business got hacked and someone started making unusual charges to my account. We went over the list of recent transactions on the phone so that I could invalidate the illicit ones, and they sent me text confirmation afterward. They notified the bank where I pay my bills from of the change in number.
Re: (Score:2)
I've had cards compromised 2 or 3 times - it's never been more complicated than that.
Besides the card companies are getting pretty good at pattern recognition these days. I was travelling last week and used my card to withdraw cash at an ATM quite a few states away from my residence. The transaction was refused and I immediately got a text on my phone saying my account had been flagged for suspicious activity. It was a false alarm, but I was able to respond to the text and open it up immediately.
Re: (Score:3)
It's not that simple--when you have multiple monthly, automatic bills paid via the account. You have to go in and change your card details on each of those auto payment accounts
That's still less work (and safer) than writing a check every month.
then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.
So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.
Re: (Score:2)
then in some cases deal with their slow billing systems that still use the old info and charge you fees for returned funds and then for being late.
So you cancel the automatic payment on the old card, set the new one up, and make manual payments on the due date until it kicks in. Still less work (and safer) than writing a check every month.
If only that actually worked--because that's exactly what I did with DirecTV. When their billing system runs it captures the billing information--even if it's a full two weeks prior to the actual draft date. Within that window you apparently *cannot* successfully alter what it will do--despite attempts to do so, and despite it saying that it *did* and *would* alter its behavior according to your changes. In short, some systems just suck--and the customer suffers (and pays) for it.
Re: (Score:2)
Use one card for auto payments. Leave the card at home. Never swipe it anywhere. Never use it for any other online charges. Use another card to buy your Baconators. Problem solved.
Re: (Score:2)
Virtually all of my automatic "bill" payments (i.e., mortgage, water, cable, power, car, boat) are set up to draft by checking account # rather than a credit/debit card. I don't generally write checks at all but by setting those up that way I basically never have to worry about changing the card information.
Anything charging by card # is something much less critical. I mean you have to change them every now and then anyways - credit cards have expiration dates.
Re: (Score:2)
The Wendy's that I go to was affected by this. I had two different cards stolen in a short period of time, both used at the affected location. At the time I thought it was really rare, but now it makes complete sense. Also, it's a lot longer than a five minute call. It took me a few days just to get someone to call me back. For one bank I had to do a lot of paper work, then *fax* that back in. They sat on the request for a month and it took almost two months to get the money credited back to my account. I h
Re: It's time.......... (Score:2)
Leave your bank now. There's no excuse for taking that long in this day and age of CC fraud.
Re: (Score:2)
So what? It doesn't cost you anything other than a 5 minute call to report an unauthorized charge and get it credited then 24-48 hrs to receive a new card. People like you just need to stop making such a big deal about it.
Then send me your credit card info and PIN. Let me charge some stuff and, like you said, all you need to do is make a 5 minute call to report the unauthorized charge.
Re: (Score:2)
That's funny, Todd Davis, but your logic escapes me.
Todd Davis?? The football player?
Did I miss a reference, or...?
Re: (Score:2)
It's time to go back to paying with cash for these kinds of purchases.
Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.
Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.
The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.
Re: (Score:2)
It's time to go back to paying with cash for these kinds of purchases.
Wait, you're paying for trivial garbage with your card? Welcome to the land of increased attack opportunities.
No, I was referring to people in general, not myself specifically.
Personally I almost always pay in cash for minor items or small consumables. For larger items I use a credit card so I can do a chargeback if necessary.
-
The bigger the purchase is, the more I want to make it with cash. The more a bank is involved, the dirtier and more at risk I feel.
For larger items where I may end up with service issues or need to return it, I always use a card. It gives you major leverage with the store if something goes wrong.
For example, I bought a $300 digital camera from Best Buy and then flew off for vacation the next day. The camera stopped worki
Re: (Score:1)
Why?
Carry lots of cash, and I can be mugged, it can be lost, etc.
They can overcharge me, or screw up my order and respond to my complaint "meh"
Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.
Re: (Score:2)
Carry lots of cash, and I can be mugged, it can be lost, etc.
Are you saying that $100 is "lots of cash"? I don't know of a single zip code in the entire US where $100 is considered "lots of cash".
-
Now if somebody steals my card or it is lost, I can cancel it. I can charge back any false charges, including in cases where the product wasn't as it should be.
Did you even read what I wrote? If you did, could you please tell me what kind of head injury you have? Because here's what I wrote:
Cars, boats, homes, and anything over $100, sure, I'll use a credit or debit card. Under $100 it's going to be plain ol' cash.
What part of "I'll use a credit or debit card" sounded like "I won't use a credit or debit card"?
Why?? (Score:2)
Re: (Score:2)
POS application indeed.
Re: (Score:1)
Except TFS mentions codes as well as numbers. That sounds like the CVV2 on the back which is not meant to be stored anywhere but the issuing bank for Cardholder Not Present transactions. Why did Wendy's have that information?
Re:Why?? (Score:5, Informative)
Why do any of these companies store your CC information? Surely it's only needed to authorize the transaction, do they need it for more than that?
There is no evidence they were storing your CC information. The POS system was infected with malware that skimmed it from the system when you swiped the card.
The malware was persistently installed over several months, so it got a lot of people. It wasn't a quick hack where someone went in, grabbed a database, and got out.
Re: (Score:2)
Challenge/response chip and PIN, goddammit. For Christ's sake, when is the US going to catch up to the REST OF THE FUCKING WORLD? With challenge/response chip and PIN, the POS system never even sees enough data momentarily to permit theft. Somebody would have to somehow steal your physical card. There is nothing useful to skim.
Every credit card already co
Re: (Score:2, Funny)
Same goes for point of sale applications.
Re: (Score:2)
How does that change anything? It's pretty trivial to lock something down to only communicate with approved endpoints, I do it all the time. My hosted PBX customers' phones can connect to two subnets; my primary location and my secondary. The rest of the internet may as well not exist as far as they're concerned.
For something like this where a few milliseconds of added latency isn't a big deal you could put the POS systems on an isolated network that only connects out over VPNs and has no access to the a
Re: (Score:2)
Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and
Re: (Score:2)
Sure. But (and this was the case at Target) about your HVAC system that you outsource to a 3rd party vendor. Your POS system can only talk to an accounting system, which in turn talks to the Bank. You've locked down the subnet, sure. BUT since your POS system can talk to the same subnet as that HVAC system (because the boss needs to be able to admin it), and that gets compromised, then there is still a way out. OR they compromise the accounting system which has access to send reports to corporate, and that is the way out.
It's not always that easy, unless you follow the best rules and have everything physically separate -- but then again that costs more money and adds a lot more complexity.
Why the hell would your POS system need to talk to the same subnet the HVAC does?
VLANs aren't exactly rocket science. Firewall and switches enforce a logical separation between the devices. Boss' PC is allowed to connect to admin address(es) on both POS and HVAC subnets, only traffic on expected ports is allowed. Bonus points for logging and alerting on traffic that shouldn't be, say the HVAC system attempting to connect to the POS system or either attempting to connect to hosts outside of their approved
Re: (Score:2)
VLANs aren't hard to do, but when you are talking about a Wendy's that may have, at most, one computer, it becomes a bit much to have 5 subnets for the 4 devices that are connected to the network.
Is it the right way to set things up? Yes. Is it practical in every case? Probably not. Remember, there is no IT department for these types of stores -- so everything gets outsourced, and while security is important, it's often not as important as things just working, according to those that use the systems.
Re: (Score:2)
It's a formulaic corporate environment. It'd be trivial for Wendy's to have a standard corporate configuration that any idiot can plug in.
Re: (Score:2)
Didn't say they did. The boss has one computer, which has access to both networks to do administrative functions on both.
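The segmentation argued for in the comments above (POS and HVAC on separate VLANs, one admin PC allowed to reach only the management ports, alerts on everything else), as an added example that is not part of any comment or of any real Wendy's configuration. The subnets, ports and flow records are constructed, and the `processor` range is a placeholder for whatever payment endpoint a store actually uses:

```python
import ipaddress

# Constructed store network: one subnet per device class (assumed values).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.10.0/24"),
    "hvac": ipaddress.ip_network("10.10.20.0/24"),
    "admin": ipaddress.ip_network("10.10.30.0/24"),
    # Documentation range (TEST-NET-3) used as a placeholder payment endpoint.
    "processor": ipaddress.ip_network("203.0.113.0/28"),
}

# Default deny: only these (source segment, destination segment, port)
# combinations are expected to cross the firewall.
ALLOWED = {
    ("pos", "processor", 443),   # card authorisation traffic
    ("admin", "pos", 8443),      # hypothetical POS management port
    ("admin", "hvac", 443),      # hypothetical HVAC management port
}


def segment_of(ip):
    """Map an IP address to its segment name, or 'external' if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def audit(flow_lines):
    """Return an alert for every 'src dst port' flow outside the allowlist."""
    alerts = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if (src, dst, int(port)) in ALLOWED:
            continue
        # Anything unexpected that touches a card-handling host is urgent.
        severity = "high" if "pos" in (src, dst) else "medium"
        alerts.append({"severity": severity, "src": src, "dst": dst,
                       "port": int(port), "flow": line})
    return alerts


# Constructed firewall flow records: source IP, destination IP, destination port.
SAMPLE_FLOWS = [
    "10.10.10.21 203.0.113.5 443",    # POS -> payment endpoint (expected)
    "10.10.30.2 10.10.10.21 8443",    # admin PC -> POS management (expected)
    "10.10.30.2 10.10.20.7 443",      # admin PC -> HVAC management (expected)
    "10.10.20.7 10.10.10.21 445",     # HVAC -> POS: should never happen
    "10.10.10.21 198.51.100.77 443",  # POS -> unapproved outside host
    "10.10.20.7 192.0.2.10 53",       # HVAC -> unapproved outside host
    "10.10.30.2 10.10.10.21 3389",    # admin PC -> POS on an unexpected port
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(f"[{alert['severity']}] {alert['src']} -> {alert['dst']} "
              f"port {alert['port']}: {alert['flow']}")
```
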
Re: (Score:2)
Well, you talk to the back end server for inventory and sales tracking, and they talk to the headquarters to monitor sales of their franchises.
Short of the new self-configuring cloud-based IT gear like Meraki, having all the restaurants IT set up prope
Re: (Score:2)
Why do any of these companies store your CC information?
That's a damn good question. But if I read the article right, I think they're skimming this stuff at the POS terminal and capturing it in transit.
Personally, I've been running web sites for ~15 years that sell stuff online, and I never store any credit card data. Why should I? All it brings you is headaches.
Customers use the credit card gateway, make their purchase, and they're done. I store nothing but a name and address, maybe a phone number but I don't store any credit card info, period. I don't even sto
Fines Please (Score:2)
When is the FTC going to start imposing fines so that these companies take the security of people's personal and financial info seriously?
As for the kiosks... we have seen a lot of those pop up here and there across LA here. They have all died to be taken away to a junk yard.
For kiosks to succeed they better be built into every table and have smartphone integration. Possibly with Siri or Cortana to take my order.
Re: (Score:2)
I agree. Look at healthcare. If you're negligent, you get slapped with massive fines if you aren't held criminally liable. This is really no different.
Re: (Score:2)
This is already happening. As of last month, companies that refused to implement CHIP+PIN (or at least CHIP+Signature) readers were charged a larger % on the transactions. A company like a Wendy's franchiser was already paying between 2.5% and 3.5%, now they are paying 3% to 4%.
Which is pretty silly, since Wendy's corporate has been going around replacing POS terminals across the country over the last 6 months -- and they decided to not put in the chip+pin readers (opting for swipe terminals ONLY). I can
Re: (Score:2)
Dial-up is fast. I think I read it's done at 300 bauds, and it isn't a joke: slow negotiation and handshake are avoided, and perhaps whatever is done to encabulate your data is reduced.
Uh, I am at a loss figuring out how US ATMs work if all you have is a swipe card. Do you sign, and if so, where? A piece of paper comes out, which you sign and throw away on the curb?
Re: (Score:2)
2400 baud, but who's counting ;)
ATMs are usually connected by an ISDN-BRI, GSM, or for regional banks, a Metro-E or MPLS service. They have always used PINs, but they don't use the CHIP in the card for encryption (they use the mag strip).
Re: (Score:3)
I only know one place near me that actually uses the chips. Everyone else has the scanners for the chips, but they're not hooked up and can't actually be used.
Re: (Score:2)
So what happened in October 2015 was a liability shift. Prior to that, banks would reimburse merchants for fraudulent purchases. With the liability shift, banks stopped reimbursing merchants if the bank had issued a chip card but the merchant continued to swipe cards. There have been delays in merchants getting their chip solutions developed and certified, that's why you see places with chip readers that don't work.
So today chip cards can still be cloned and used at places that are still swiping. As more place
it's a feature, not a bug (Score:2)
Replace them with automation because minimum wage went up, and now haxxors can steal from ALL YOUR CUSTOMERS!
Still better than eating at Chipotle.
Re: (Score:2)
and no one will be there to stop someone from installing a skimmer on the auto POS station
Chip (Score:1)
Re: (Score:2)
The liability shift places liability on the merchant where the fraudulent purchase occurred.
Consider this scenario: Someone swipes a card at Wendy's and that data was captured and used to create a fake card and the fake card is used at Safeway, which hasn't enabled their chip card readers.
If the original card had a chip, Safeway is liable. If the original card didn't have a chip, then the bank that issued the card is liable.
Re: (Score:2)
My local store, which I went to once because I happened to be in a hurry and it was nearby, lists the dates as being from January to June of this year.
Creating business (Score:5, Interesting)
Private industry doing it better than government (Score:2)
How many times have we heard about tens of thousands, millions, of people having their data stolen/purloined/misappropriated/whatever because of private industry? Anyone remember the millions who were affected by the Target fiasco? How about T.J. Maxx? Barely a murmur is heard.
Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.
Based on the evidence it appears government is doing substantially better than private industry in protecting our data.
Re:Private industry doing it better than governmen (Score:4, Informative)
Yet let a few thousand people have their data swiped through a government breach and people go apoplectic.
Based on the evidence it appears government is doing substantially better than private industry in protecting our data.
I might need a new debit card. What a pain. If you have government clearance, thanks to the OPM breach, the Chinese have all of your biometric data. Game over.
The Wendy's breach can be fixed with a bunch of new cards. The government breach cannot be fixed.
That is why people were apoplectic.
Re: (Score:1)
I was quite impressed with the site sharing which locations were affected. I understand security is the mitigation of risk, not the absolute prevention of risk, and I appreciate their attempts to be so open with their customers. I suppose that due to all the other breaches everywhere else in the world, I have enough credit monitoring for quite a while, so I don't need this one too.
Re: (Score:1)
The OPM breach affected 21.5 million people and it included social security numbers, names, addresses, dates of birth, fingerprints, and security clearance details.
Thoughts and Prayers (Score:2)
Because America is in the dark ages... (Score:2)
I went to America earlier this year and was shocked that there was virtually no implementation of chip and pin. It felt like I went back in time.
I am honestly surprised a day goes by where there is not massive credit card fraud in the US. I swiped my card everywhere and the only check on that was my signature! The merchant is not protected at all!
These kinds of skimming breaches are a direct result of not having chip and pin everywhere. Sure they can install a camera to grab your pin, but that is a bit more
Re: (Score:2)
You got that right. Signature is no protection whatsoever. Every US credit card I've seen since a while has had a chip, but none has a PIN. Talk about "not getting it"! My debit card has a chip (FINALLY), and it has a PIN, but still every place I've seen still wants me to swipe instead of use the PIN.
Re: (Score:1)
Better late than never, I suppose, but some big players like Walmart [bgr.com] and Home Depot [ajc.com] are trying to get chip and PIN, albeit in a round-about way by suing the networks.
If only there were some way to mitigate this risk (Score:2)
Why would anyone.. (Score:1)
Re: (Score:2)
What the hell? What planet are you from? Yes, Wendy's is a RESTAURANT. There are TABLES in there. You can sit at them. You can order from at least 10 offerings of hamburgers and cheeseburgers, 9 offerings of chicken sandwiches, 6 offerings of chicken nuggets, 8 offerings of "frostys", whatever they are, a cod fillet sandwich, numerous salads, numerous combos, and probably other stuff. I never saw
Re: (Score:2)
They make some pretty yummy chicken sandwiches too. And chili.
Let me see if I can remember how this works. Patties come out of the freezer and sit on the slack rack if you need them soon or go into the fridge if you don't. They go on the grill for four flips (I forget the timing) and then they're a burger. They stay on the grill for two more flips and then they go in a plastic drawer and if the restaurant is in a hurry, then any ones in there not too dried out get made into burgers. When the chili is made, the drawer is raided and any additional needed meat is cooked
You know what I love? (Score:2)
CASH. For trivial, small-amount transactions that will not be returned (i.e., fast food), I LOVE CASH. I never get charged twice for the same thing. Never a problem with the tip amount, etc. And no exposure for hacks like this.
Granted, I haven't had many problems with credit card transactions, but I've had ZERO problems with cash.
Who pays? (Score:2)
Re: (Score:2)
I've never understood this part of it all, the credit card holder doesn't have to pay, the retailer often keeps the money, so it's a loss for the credit card company, but they never seem too concerned by the losses they take, or at least I never see anyone going into it on the internet or news.
We all pay through the interest rates on the cards.
Assholes (Score:2)
Someone's playing Hack-Man (Score:1)