Editor’s pick: Originally published on Jan. 28.
Here is the bad news: Your burger may have come with a side of cyber theft. Wendy’s, the giant fast food retailer, apparently has suffered a credit card breach. And your credit card may be primed for compromise.
First, as regards the breach itself, few details are known. Security blogger Brian Krebs has reported this statement from Wendy’s spokesman Bob Bertini: “We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations. Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”
The implication: apparently Wendy’s has suffered a breach of the same kind that impacted Home Depot and Target. In those latter two cases, hundreds of millions of credit card numbers were stolen. No one is currently guessing how many cards will be involved in the breach at Wendy’s, a business where many purchases are with cash.
Exactly what happened at Wendy’s? Wendy’s may not be telling, but experts are ready with guesses.
“Cyber criminals continue to feast on point of sale devices," said Travis Smith, researcher at security firm Tripwire. "The primary function of these computers and networks are to process customer orders as quickly as possible. Security is often an afterthought.”
Chenxi Wang, Twistlock chief strategy officer, offered her theory. “Wendy's breach is likely a compromise in their point-of-sale systems," Wang said. "These systems often still run obsolete -- hence, vulnerable -- software. Many in the field still run Windows XP and have no plans to upgrade. It's likely that criminals found a way to implant data-stealing malware in Wendy's POS systems to collect payment card info.”
“The breach at Wendy’s is yet another example of how effective and difficult-to-detect today’s cyber threats can be," said Jeff Hill, channel marketing manager for STEALTHbits Technologies. "Like many other breaches, it was discovered not by the company’s internal security team, but rather an outside entity, in this case, credit card fraud algorithms that detected the anomalous use of the card numbers after they’d been stolen. The bottom line is that it’s extraordinarily difficult to detect a well-designed attack with a patient criminal at the controls.”
Your money question is blunter - and easier to answer. What should you do if you have used a credit card at Wendy’s? The company has said that the apparent breach occurred “late last year.” Did you plop down plastic in that period? Monitor your statement for any fraudulent transactions is the advice from Wendy’s. Dispute such charges quickly and federal law says you will not be held liable. Protections are almost as good for debit card users - but you do need to act fast. Also, there may be hassles in getting monies that had been withdrawn from your account restored. Keep nagging your card issuer and probably you will be fine.
Will your bank preemptively cancel your card and issue a new one? Probably not. Banks did exactly that as the Target breach unfolded, but that incurred huge expenses, and, bankers decided, in many cases there were no attempts to fraudulently use cards that probably had been swept up in the Target breach. Nowadays, they put more effort into monitoring activity for signs of fraud and only when they see it, do they unplug a card.
Even so, if you used yours at Wendy’s, you can ask for a replacement. Most issuers will oblige. They know you may call back a minute later to report a "lost" card.
If you used a new EMV - aka “chip” card - are you safe? In recent months, banks have been mass mailing chip cards, because, they say, they will reduce fraud. But in the case of Wendy’s, the short answer is they wouldn’t make much difference. "EMV provides no protection for the transmission of sensitive payment information to the acquiring bank," said George Rice with HPE Security-Data Security. "POS malware, memory scrapers and other covert technologies empower criminals to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV.”
Discouraged? You have every right. Very probably more retailers will fall victims and so will those who have used credit cards at their establishments.
“If consumers did the research into all the companies who have suffered fraud or a data breach from Applebee's to Zappos, and who to trust, they would find that pretty much every major retailer has been hacked,” said identity theft expert Robert Siciliano.
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.