CiCi's Pizza May Have Been Hacked (krebsonsecurity.com)
An anonymous reader writes: Security expert Brian Krebs says more than half a dozen financial institutions contacted him, "all asking if I had any information about a possible credit card breach. Every one of these banking industry sources said the same thing: They'd detected a pattern of fraud on cards that all had one thing in common: They'd all been used in the last few months at various CiCi's Pizza locations... The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company's point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang."
The pizza chain referred Krebs to an outside firm managing their restaurants, who referred him to an outside PR firm, so he eventually just contacted the chain's point-of-sale provider, Datapoint. They confirmed that the Secret Service was investigating several different point-of-sale vendors in "one particular franchise... All of these attacks have been traced to social engineering/Team Viewer breaches because stores from several POS vendors let supposed techs in to conduct 'support'."
Obvious headline is obvious (Score:5, Funny)
CiCi's lost CCs.
Cheap pizza, cheat IT... (Score:1)
Re: (Score:2)
Shudder...
Worst. Pizza. Ever.
Even my boys hate the place, with a hot, burning passion. Cardboard, topped with a few teaspoons of bland sauce, barely covered with cheese, next to such lovely items as stale breadsticks and mac and cheese... did I say cheese? More like cloudy water.
The only place I've eaten that was worse would be a couple of short-lived places on Yonge Street in Toronto in the 90s (UFO Pizza and some non-descript Chinese buffet).
Re: (Score:2)
Shudder...Worst. Pizza. Ever.
CiCi's is rivaled only by Chuck E. Cheese in terms of "non-edible items masquerading as pizza".
Re: (Score:2)
I'm probably the only person on Slashdot that remembers Bullwinkle's in Santa Clara, CA (they closed in 1996). They would remove the plastic wrapper off their frozen pizza right before your eyes and stick it in the oven to be heated. A thin piece of cardboard, thin veneer of ketchup, a few sprinkles of chalky mozzarella and a couple slices of the thinnest pepperoni on Earth. The animatronic show preceded by a dancing water fountain was worth it though.
I've heard of CiCi (Score:5, Insightful)
But I hadn't heard they made pizza. I just thought they were a cardboard tile store.
NOOOOOOO! (Score:1)
I didn't say anything when various stores, banks and social media sites were getting hacked because I knew that networked computers came at a price. But now YOU DO THIS TO PIZZA?! DAMN YOU! DAMN YOU ALL TO HELL!
Re: (Score:1)
Nice to know that CiCi's is willing to let the cops rifle through their business records weekly without a warrant.
I don't think it was the POS manufacturer (Score:4, Informative)
This is probably a case of a criminal calling CiCi's store 2348, getting a franchisee-trained manager on the phone, and telling her "Hi, I'm from ACME POS, your POS vendor. We are calling to install updates to make the chip readers you aren't using yet work later on... and we need access to the workstation in the back of the store. Can you please open a browser and go to www.getmein.com?...". I doubt the defacing of the POS vendor's website has squat to do with it.
Of course, the franchisee is running a consumer-grade router with no outbound filtering on it whatsoever... because they are in a low-margin business and they needed something cheap. The computer died in the back about 6 months ago, so they dropped in a replacement PC from Wal-Mart and promptly disabled UAC, etc.
The manager isn't knowledgeable enough to notice that the domain he is being asked to go to is wrong, the caller ID is wrong, etc. He or she needs to worry about the 73 kids in the restaurant who are dropping pizza on the floor that the new guy isn't cleaning fast enough, the 8 pizzas on the stuck upper belt in the oven, and the bathroom with the overflowing commode. Not to mention the health inspector waiting up front. Trough-style kids' restaurants are a nightmare.
I wish POS software could be handled completely as a service and reside in a VPC managed by the POS vendor. In reality though, the Internet is just not reliable enough for that in many (most) places, and controlling POS peripherals from a cloud app is not really feasible.
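An added example, not part of the comment above or of the original page: the outbound filtering that comment says the franchisee's router lacks, sketched as a default-deny egress check for a back-office POS workstation. The log format, host names and allowlisted domains are all constructed for illustration.

```python
# Default-deny egress check for a POS back-office workstation (illustrative).
# Allowlist entries and log lines are constructed, not taken from any vendor.
ALLOWED_SUFFIXES = ("pos-vendor.example", "card-processor.example")

# Constructed outbound connection records: "time src_host dest_host port"
SAMPLE_LOG = """\
09:01:12 backoffice-pc updates.pos-vendor.example 443
09:14:40 backoffice-pc gateway.card-processor.example 443
13:22:05 backoffice-pc session.remote-support.example 443
13:22:09 backoffice-pc pos-vendor.example.support-login.example 443
13:25:31 backoffice-pc xpos-vendor.example 443
"""

def is_allowed(dest: str) -> bool:
    """True only if dest is an allowlisted domain or a subdomain of one.

    Matching on a label boundary rejects lookalikes such as
    'xpos-vendor.example' or 'pos-vendor.example.support-login.example'.
    """
    dest = dest.lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in ALLOWED_SUFFIXES)

def blocked_connections(log_text: str) -> list[tuple[str, str, str]]:
    """Return (time, src, dest) for each record a default-deny policy blocks."""
    blocked = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records in this sketch
        time, src, dest, _port = parts
        if not is_allowed(dest):
            blocked.append((time, src, dest))
    return blocked

if __name__ == "__main__":
    for time, src, dest in blocked_connections(SAMPLE_LOG):
        print(f"{time} BLOCK {src} -> {dest}")
```

With a policy like this, a remote-support session opened at a caller's request fails unless its destination is already on the allowlist, regardless of whether the manager spots the wrong domain.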
Re: (Score:2)
This is why restaurant franchises hire managed services companies to handle all of this.
Re: (Score:2)
POS vendors should not be trying to service 10k+ deployments with a skeleton crew either. POS has for the most part been a pretty dirty business but has been made worse by economic conditions, pay scales falling and honest techs are in short supply under those circumstances, skilled techs are getting pretty rare. I've also noted a number of in-house jobs on restaurants on part of their employees as well. This whole thing is being produced by a failing economy, exactly why everyone should have the right t
we've sure been getting a lot of stories (Score:2)
about something that "might happen" or "might have happened" lately. Isn't there enough news about stuff that definitely did happen?
Re: (Score:2)
You're old enough to understand by now that /. is not the place to be if you want complete certainty. Maybe go browse the NTSB 'completely unambiguously solved cases' PDF stack if you want that. Oh, wait...
Rgds
Damon
Ugh. (Score:2)
I ate there once just to try it. Yech. If I had to choose between identity theft and eating there again, it would be a tough choice. Exactly how much would I have to eat?
How they were caught (Score:3)