Saturday, June 14, 2014

Hack this, biatches!

P. F. Chang's restaurants have announced that their Point-Of-Sale system was hacked.  Any of you who have used a credit or debit card there in the last 2-3 months should monitor your accounts (and change the PIN on your debit card).

Naturally, there's turmoil at P. F. Chang's, since identifying all the malware is a tedious and time consuming process.  A restaurant can't survive going weeks without accepting credit cards, so what do you do?  This:

They're using manual card imprinting at all their restaurants:
After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants.
Interestingly, the company also said that it has switched over to manual credit card imprinting systems for all P.F. Chang's China Bistro branded restaurants located in the continental United States. 


In an FAQ posted to its website, the company explained that it has temporarily ditched its electronic Point-of-Sale System in favor of old-school “imprinting devices” to process payments while the company gets the situation under control and understands the scope of the attack.
“All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions,” the company said. “This allows you to use your credit and debit cards safely.”
From a security perspective, this is exactly the right thing to do.  Unplug from the matrix.


Arthur said...

And what are they doing with the carbon copies?

I'd have a good rueful laugh if all of this paper just ended up in the trash out back.

Dave H said...

Arthur's got a point. Credit card fraud predates networked POS terminals. Dumpster diving was a popular way to collect card numbers. Although most imprint forms today use NCR (no carbon required) forms so there's no carbon paper to throw away.

Another slightly more modern way to collect numbers is for an employee to snap a photo of your card with their phone camera when they run it though the imprint machine. Access is restricted to whoever handles your card, but it's still a risk.

R.K. Brumbelow said...

There is always the human factor. It is impossible to stop fraud, though chip and pin helps as it requires the actual card or at least the CHR key. Now that we have our FFL and are setting up our storefront, I am seeing the new costs associated with processing, and let me tell you imprint processing is slow and expensive. That being said, the fallout from widespread fraud is much worse.

Can someone please explain to me why anyone stores customer data on any outward facing server? I know transactions need to be stored for a period of time, but why does that storage need to be online? Store, forward, archive and delete.

Same goes for utilities and traffic systems BTW, they should never ever be on public networks, even within VPNs

Jake (formerly Riposte3) said...

On a related note, one of the latest trends is to issue cards that don't have raised numbers. That's what I got last month when my old one expired.

Ruth said...

Whats scary is that there's a large number of consumers who don't understand the manual imprinting process. Last time we had the credit card server go out we had to do manual imprints, and I had customers refusing to allow us to do so, refusing to sign the slips, take the slips and refusing to give them back, taking the slips and tearing off their credit card info....

R.K. Brumbelow said...

@Ruth, Did you then inquire as to how they expected to pay? LOL. This is why one should always carry a bit of hard currency on yourself.

newrebeluniv said...

Haha. "Hard Currency". I assume you mean paper.

Interacting with other people is a risk. If you prove your identity to someone, they now know enough about you to fake your identity. If you use a paper check or ATM card, you are giving the information to others that they need to access your account. That is how the system works.