US fast food chain Wendy’s has become the latest brand to fall foul of cyber criminals. It has now emerged that a malware infection it reported last year is far more serious than first thought.
Originally less than 300 of the company’s 5,800 locations were impacted, but it has now emerged that the number of stores impacted by the breach is ‘significantly higher’ and that the intrusion may not yet be contained, though Wendy’s did not state exactly how many locations are affected.
The restaurant, which has 6,500 chains across the US and 28 countries, discovered the malware going after customers’ payment card information from Point of Sale (POS) systems, after unusual activity involving payment cards was noticed.
In the last few years retailers and restaurant companies including Target, Kmart and Home Depot have suffered serious security incidents.
The US is behind many other countries in that it still operates easy-to-steal magnetic stripe cards and does not yet require PINs. Though some US chains began investing in European-style chip cards last year in a bid to clamp down on fraud, uptake is slow and many are still vulnerable to POS attacks.
Last month, the US’s largest megastore, Walmart, sued credit card company Visa for allowing customers to sign their names using a microchip-enabled card rather than use PIN numbers.
But the risk of POS attacks is not limited to the US – wherever you are in the world, a checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
‘Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale,’ explained George Rice, senior director, payments at HPE Security, ‘and unfortunately, POS systems are often the weak link in the chain – they should be isolated from other networks, but often are connected.’
There are proven methods for fast food, and any businesses using POS systems, to avoid the impact of these types of advanced attacks, said Rice, by neutralising data from breaches either at the card reader, at the point of sale, in person or online.
> See also: Are you sitting on a Point-of-Sale timebomb?
Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.
‘The good news,’ said Rice, ‘is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.’