In late January, the nationwide fast-food chain, Wendy’s, became aware of a possible credit card breach at some of its locations after customers reported unusual activity on their payment cards.
Wendy’s claims to have found malware designed to steal card data on systems at some of its restaurant locations. The breach is still under investigation, and the company says it does not yet know how many people are impacted.
While the extent of this breach is still unknown, it has been said that the breach appears to be on track to surpass the damages of the infamous Target and Home Depot breaches.
Dan Berger, CEO of the National Association of Federal Credit Unions, states there was a huge increase in debit card fraud in the weeks prior to Wendy’s breach going public. He claims much of the fraud was later linked to customers who visited Wendy’s locations less than a month prior.
According to Berger, “This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target. It seems to have been a sophisticated group, in terms of timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”
The scary part: these criminals don’t even have to know victims’ PINs to drain the accounts. Most banks and credit unions allow customers to call in through an automated system and change their PINs, using credentials like Social Security numbers, birth dates, and card expiration dates to verify the cardholder’s identity. Once the thief has changed the PIN, they use a counterfeit copy of the card to withdraw cash from the accounts at ATMs.
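One way a card issuer could detect the pattern described above, as an added example that is not from the original article: correlate PIN changes made through the automated phone system with ATM withdrawals that follow shortly afterwards. The event field names, the 48-hour window, the magnetic-stripe condition (a counterfeit copy is assumed to be read by stripe) and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration only; field names are assumptions.
EVENTS = [
    {"ts": "2016-01-20T09:00:00", "account": "A100", "type": "pin_change", "channel": "ivr"},
    {"ts": "2016-01-20T11:30:00", "account": "A100", "type": "atm_withdrawal", "entry_mode": "magstripe", "amount": 500.0},
    {"ts": "2016-01-20T11:45:00", "account": "A100", "type": "atm_withdrawal", "entry_mode": "magstripe", "amount": 400.0},
    # PIN changed in person at a branch: not the automated-phone pattern.
    {"ts": "2016-01-21T10:00:00", "account": "A200", "type": "pin_change", "channel": "branch"},
    {"ts": "2016-01-21T12:00:00", "account": "A200", "type": "atm_withdrawal", "entry_mode": "magstripe", "amount": 300.0},
    # Phone PIN change followed by a chip-read withdrawal: genuine card present.
    {"ts": "2016-01-22T08:00:00", "account": "A300", "type": "pin_change", "channel": "ivr"},
    {"ts": "2016-01-22T09:00:00", "account": "A300", "type": "atm_withdrawal", "entry_mode": "chip", "amount": 200.0},
    # Phone PIN change, but the withdrawal falls outside the correlation window.
    {"ts": "2016-01-10T08:00:00", "account": "A400", "type": "pin_change", "channel": "ivr"},
    {"ts": "2016-01-20T08:00:00", "account": "A400", "type": "atm_withdrawal", "entry_mode": "magstripe", "amount": 100.0},
]

def flag_pin_reset_cashouts(events, window=timedelta(hours=48)):
    """Return one alert per account where magnetic-stripe ATM withdrawals
    occur within `window` after a PIN change made through the phone system."""
    last_ivr_change = {}   # account -> time of most recent phone PIN change
    alerts = {}            # account -> aggregated alert
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "pin_change":
            if ev.get("channel") == "ivr":
                last_ivr_change[acct] = ts
            else:
                # A later change through another channel supersedes the phone one.
                last_ivr_change.pop(acct, None)
        elif ev["type"] == "atm_withdrawal" and ev.get("entry_mode") == "magstripe":
            changed = last_ivr_change.get(acct)
            if changed is not None and ts - changed <= window:
                alert = alerts.setdefault(
                    acct, {"account": acct, "pin_changed": changed,
                           "withdrawals": 0, "total": 0.0})
                alert["withdrawals"] += 1
                alert["total"] += ev["amount"]
    return list(alerts.values())

if __name__ == "__main__":
    for alert in flag_pin_reset_cashouts(EVENTS):
        print(alert)
```

Only account A100 in the constructed data is flagged; the branch PIN change, the chip-read withdrawal and the withdrawal ten days after the change are not.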
An anonymous credit union CEO stated in an email to Berger, “We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it’s not even the end of January. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015. All I’m suggesting is that we’re expecting much higher losses lately than we ever did after the Target or Home Depot problems. I think we may end up with 5 to 10 times the loss on this breach, wherever it occurred.”
Berger has claimed that NAFCU’s members are unsure whether they should simply reissue cards for any and all customers who visited a Wendy’s location anytime recently, or if they should hold off. Remember, Wendy’s has not even come out and told the public how long this breach lasted, or if the malware is even contained!
October 2015 was the deadline for banks and credit unions to issue more secure means of payment, the EMV chip-based credit and debit cards. While these EMV cards are designed to make stealing credit credentials more difficult and expensive for criminals, the cards will not stop a breach if chip-card readers are not implemented or the cards are not used correctly. While it’s not certain, it seems quite likely that the infected Wendy’s locations were not asking patrons to use the chip-card reader and instead had them swipe the magnetic stripe.
One thing will always remain the same: criminals will always want to steal your financial information. As cyber criminals grow in sophistication each year, so should your IT environment. POS terminals have proven to be easy targets for criminals and are simply too sensitive to leave without defense measures in place. When will you take action?
Start by implementing a hardened build standard with precision change detection. Coupled with breach detection technology, this will ensure that even if a breach is successful, you’ll at least be alerted to the fact immediately and be in a position to take action to prevent any card data loss. In addition to abiding by the PCI DSS compliance standards and adopting the latest EMV terminals, companies need to implement true end-to-end encryption, which also includes encrypting any data in memory.
Read this article on Krebs on Security