Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com) 49
Brian Krebs is reporting that Arby's "recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide." The breach is said to only affect some corporate stores and not franchised restaurant locations. While there is no exact number of those affected, it's possible that more than 355,000 credit and debit cards issued by PCSU members banks may have been compromised. Krebs On Security reports: The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks. Arby's declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.
Bitcoin. (Score:1)
Should have used bitcoin.
Re: (Score:2)
Yep, it is a recurring theme with credit cards isn't it?
What is it with these guys? (Score:2)
Last night on the news there was also a story about some Arby's being picketed because they hadn't paid their employees. Are these guys asleep at the switch or something?
Re: (Score:3, Informative)
It probably depends on if the restaurant is a franchise or not. There is a Popeye's close by that is absolutely terrible and has had constant negative reviews for years. You'd think corporate would want to improve things? Nope. Same deal for Steak N Shake. Worst service I've ever had in restaurant and constant complaints. Drive 30 minutes away and the next one is the complete opposite
Re: (Score:2)
McD's OO/Corp. status is regional... In New England they're all owned by the corp.
Re: (Score:1)
...also couldn't resist...
Re: (Score:2)
How does it only effect ards issued by one bank.if it was malware on the PoS machines?
The thieves likely stole numbers from any and all cards that ran through their infected payment terminals.
PCSU isn't a single bank, it's an association of about 800 credit unions. Arby's didn't report the number above, that came from PCSU's count of impacted member cards. They said 355,000 cards were impacted, a figure that does not include any other cards issued by any other banks. If those 800 member banks represent 10% of all cardholders (I don't know that for sure, that's just a rough guess to demonst
Arby's? who would? (Score:2)
ARBY'S (Score:5, Insightful)
WE HAVE THE MALWARE!
Can we at least see a list of stores that were affected so I'd know if I need to take action?
Is that too much to ask?!
Re: (Score:2)
A breach that impacted 355,000 member cards is huge, indicating it was deployed to a large percentage of their chain, if not the whole chain. Since their breach "ended" on January 19 and it still took them 3 weeks to produce the list of affected cards, that tells me that Arby's response time is pretty damn poor, and that they may not be very good at tracking what's going on. Some senior VP said that "not all [of their 1000] corporate restaurants [out of 4000] were affected", but with news this bad combine
How the hell is this still a problem? (Score:3)
Re: (Score:2)
Re: (Score:3)
No, the whole point of Chip and PIN is the use of symetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apply Pay/etc. do, but embedded in a passive chip instead of requiring an active device.
This is not correct. Chip cards use cryptography only to produce a "cryptogram" called the ARQC. This is a Message Authentication Code, a checksum-like number that authenticates the card containing the secret key produced the message. By adding a PIN, the card can also fold the PIN into the cryptogram, authenticating the user, too. However, the card data, including the PAN is still sent in the clear for authorizing. The chip does not encrypt the card data.
Also, the chip is not passive. The chip contai
Re: How the hell is this still a problem? (Score:2)
Why only one particular card issuer? Only a guess - the system should immediately encrypt the CC data and immediately delete the clear data. Only encrypted data should ever be used when communicating with card issu
Re: (Score:2)
Knowledgeable hacker takes job at Arby's running a register or slicing meat. Hacker waits until he can get unsupervised physical access to store system (a Windows PC, presumably). Hacker arranges off-site access to system. Hacker quits job, accesses system remotely and has his way with them.
That is an interesting scenario but I am betting it will be another case of the attackers compromising a third party vendor and then working their way into the system like the Target breach, the Wendy's breach, etc. A business can have the most robust security system in the world, but if their business partners are lax it is all for nothing.
Re: (Score:2)
Re: (Score:2)
a) Inventory tracking and ordering
b) Fast-food specific: send order to kitchen
Be VERY careful (Score:1)
Not completely unrelated, but... Arby's charged me $87.80 for an $8.78. I noticed the incorrect charge a few days too late to dispute with my credit card company. I called the local store to find out THEY MANUALLY ENTER THE TOTALS in their credit card machines. Probably fat fingered the total. It's also common practice these days to withhold receipts (hence why I didn't notice right away). The GM and DM both acknowledge the problem, but 3 weeks after my first call I have yet to see a dime.
It's crazy these d
But (Score:4, Insightful)
Not too much trouble.. (Score:2)
It's probably the same 8 people who made all those transactions. Surprised that they even had that many sales! ;)
Arbys? (Score:1)
Re: (Score:2)
I'm just impressed that there are 355,000 people who eat at Arby's
It's probably a money laundering scheme. I used to be sort of a regular at an Italian restaurant that never seemed to have many customers. The food wasn't bad at all and the staff actually spoke Italian. It was kind of fun to think that syndicate bosses were meeting behind the kitchen, but that would have probably been too much of a cliche, even for the mob. They probably run an Arby's instead.
Re: (Score:2)
Chip Cards (Score:2)
Chip-based cards will solve this kind of problem... the chip only surrenders enough data to process one transaction, so repeated transactions without the card present is impossible... would be nice if they rolled this out to the Internet too.
Re: (Score:1)
Which Arby's?