The trend of cyberattackers targeting retail and fast-food chains is continuing in 2016. Nationwide fast-food chain Wendy’s is the latest to announce it is investigating a possible credit card breach stemming from its POS (point-of-sale) system.
"Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants," Wendy's spokesman Bob Bertini told Reuters. "Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident. We have hired a cybersecurity firm to assist, but are not disclosing the name at this point."
The brand name is different, but the story is much the same. It seems the attack focused on individual stores and the malware was planted in POS systems to gather credit card numbers, according to KrebsOnSecurity, which broke the news. Other restaurants and retailers that have been hit in a similar fashion include Jimmy John’s, Landry’s, P.F. Chang’s, Dairy Queen, Chick-fil-A, retail giant Target and Home Depot.
“Old POS systems are easy to compromise,” Simon Crosby, CTO of endpoint security firm Bromium, told us. “They are often unpatched, and typically run POS software that requires admin privileges, so an attacker can easily run whatever code they please.”
What Retailers Should Do
Wendy’s could not immediately be reached for comment, but Jonathan Cran, VP of operations at bug bounty platform Bugcrowd, said one of the most important things to note is that it's often a merchant bank or individual cardholder working in collaboration with a reporter to disclose the issue publicly.
“This indicates that the organizations are either withholding or, more likely, have limited or no knowledge of the breach,” Cran said. “Given the distributed nature of these systems, and the lack of tooling, the breaches are difficult to detect prior to exfiltration of the information.”
Travis Smith, senior security research engineer at advanced threat detection firm Tripwire, said that security is often an afterthought on point-of-sale systems. Although details of the Wendy's breach are not yet publicly known, there are some quick steps that organizations with point-of-sale devices can take to protect their customers at little to no cost, he said.
“Most of the credit card stealing malware sends the customer card data to a location on the Internet. Lock down the point of sale devices to prevent them from accessing the Internet,” Smith said. “Second, these devices typically have little to no change outside of known change windows. Monitoring for changes to the devices can alert the staff to take appropriate steps to contain a possible breach before it spreads.”
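Both of Smith's recommendations can be checked mechanically. The Python below is an added example, not code from the article or from any vendor quoted in it: it diffs two file-hash snapshots of a terminal and alerts on changes seen outside an approved change window, then flags outbound connections to addresses that are not on an egress allowlist. The paths, terminal names, addresses, change window and allowlisted subnet are all constructed assumptions.

```python
import hashlib
import ipaddress
from datetime import datetime

# All data below is constructed for illustration (paths, hosts, addresses, times).
CHANGE_WINDOWS = [(datetime(2016, 1, 12, 2, 0), datetime(2016, 1, 12, 4, 0))]
EGRESS_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]  # assumed payment-processor subnet

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

BASELINE = {"C:/POS/pos.exe": digest(b"pos v1"), "C:/POS/config.ini": digest(b"cfg")}
CURRENT = {"C:/POS/pos.exe": digest(b"pos v1 altered"),
           "C:/POS/config.ini": digest(b"cfg"),
           "C:/POS/helper.dll": digest(b"unknown")}
CONNECTIONS = [("pos-01", "10.20.0.15"), ("pos-02", "203.0.113.50")]

def in_change_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)

def unexpected_changes(baseline, current, observed_at):
    """Diff two {path: sha256} snapshots; report changes seen outside a change window."""
    if in_change_window(observed_at):
        return []  # changes during an approved window are expected
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "modified"
            alerts.append((kind, path))
    return alerts

def egress_violations(connections):
    """Return (terminal, destination) pairs whose destination is not allowlisted."""
    return [(term, dest) for term, dest in connections
            if not any(ipaddress.ip_address(dest) in net for net in EGRESS_ALLOWLIST)]

if __name__ == "__main__":
    for kind, path in unexpected_changes(BASELINE, CURRENT, datetime(2016, 1, 20, 14, 30)):
        print(f"ALERT file {kind} outside change window: {path}")
    for term, dest in egress_violations(CONNECTIONS):
        print(f"ALERT {term} connected to non-allowlisted address {dest}")
```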
Will Retailers Wake Up?
Cran said the best thing retailers can do is set up a public channel to accept input from researchers and banking industry professionals.
“Also worth noting, as the frequency of these breaches is increasing, there may be a rush from the underground to collect non-EMV cards before all retailers mandate them. EMV (which stands for Europay, MasterCard and Visa) chips will help prevent actual card duplication, but they won't prevent online theft,” he said.
And brick-and-mortar retailers have to wake up to the risks inherent in their businesses, according to Crosby. “Perhaps a few more well-publicized breaches will help retailers wake up. That said, I’m not hopeful,” Cran said. “That’s why chip-plus PIN/sign and PCI standards are so important. We need to move the world forward.”
Posted: 2016-01-27 @ 4:12pm PT
Well, it's not called 'P.O.S.' for just the one reason.