A Burger, an Order of Fries, and Your Credit Card Number

Why it’s so easy for hackers to steal financial information from restaurants.

Is your credit card number at risk when you go to a restaurant?
Photo by Pascal Le Segretain/Getty Images.

At some point in your restaurant-going life, you’ve probably felt a pang of doubt when you handed over your Visa card. How easy it would be, you probably thought, for a waiter to copy your credit card number and head out on a shopping spree. You probably got over it, reasoning that people who do such things probably get caught. And maybe you’re right. But that doesn’t mean you’re safe. The real threat isn’t that your charming waiter will steal your financial information. It’s that the Russian mafia will steal it from your waiter.

On Thursday, Verizon released its Data Breach Investigations Report, an annual landmark in the data-security industry. The big story this year, Verizon reports, was the rise of “hacktivists”—vigilantes who orchestrate high-profile cyber-attacks on big corporations, government entities, and even Internet security companies, usually to make a political statement (although sometimes, it seems, out of sheer vindictiveness). These are the attacks that make headlines, and for good reason: They’re sophisticated, brazen, and sometimes downright scary.

But if 2011 was “the year of the hacktivist,” as Forbes proclaimed, every year is the year of the run-of-the-mill cybercriminal. For at least a decade, organized crime groups around the world, but particularly in Eastern Europe, have been honing their hacking skills in a bid to capture our credit card and bank account numbers. Increasingly, they’re targeting restaurant franchises and other small businesses by hacking their point-of-sale checkout systems, which are often woefully insecure. And, as the Verizon report shows, they’re getting better at it all the time.

Unlike hacktivists’ flashy attacks, these criminals’ exploits rarely make the news. Publicity is not in their interest, and it can take months for their victims to find out they’ve been hit. When businesses do learn they’ve been compromised, they often conclude that publicizing the crimes wouldn’t be in their interest either. For these reasons, attacks on retail establishments fly under the radar, though they vastly outnumber those orchestrated by well-known groups like Anonymous and LulzSec, which accounted for just 3 percent of the 855 data-breach cases covered in the Verizon report.

Restaurants were easily the most-targeted businesses, accounting for over half of all reported attacks. Retail stores were second, at about 20 percent. The findings are consistent with those of a similar report released earlier this year by Trustwave, an information security company, which found that the food and beverage, retail, and hospitality industries combine to account for 80 percent of data breaches.

Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems.

Rich Mogull, an information security analyst who runs a company called Securosis, explains that a typical cybercrime works something like this. First, a hacker—often in Russia, but sometimes in the United States, Romania, Vietnam, or elsewhere—uses special software to scan a portion of the Internet for IP addresses that look like they might belong to the servers restaurants and retailers use to transmit credit and debit card data. When they find them, they send that information to another program that starts trying common passwords to log into the server remotely.

Many of the companies that install point-of-sale systems for small businesses neglect to set up unique passwords. When hackers find one that works at a particular franchise of a chain restaurant, they add it to the list, and often find it works at dozens or hundreds of others as well. In one of the few cases that registered on the national news radar, a Romanian gang allegedly poached credit card information from 200 Subway sandwich outlets in the United States over three years.

Once they tap into the servers, hackers often install programs to log credit card numbers. After they get the numbers, the shrewder criminals don’t use them right away. Instead, they bundle and sell them on the black market. Verified numbers fetch more than unverified ones; those with names attached fetch more still.

Customers don’t learn their information has been compromised until weeks or months later, when their banks flag purchases as suspicious. Even then the banks can’t always tell where the breach originated. And when restaurant owners do find out they’ve been hacked, some, like Harry Trubounis of SideBar 410 in Dayton, Ohio, are scrupulous enough to email their regular customers and notify them. Those are the ones that occasionally end up in the local newspaper. “I wanted to be extremely proactive in dealing with it,” Trubounis told me. But not all restaurant owners want to risk the bad publicity, even if the breach wasn’t really their fault.

Not all cybercrimes happen exactly like this. Sometimes hackers use proximity or special knowledge to target an individual business. For instance, they’ll sit down in a café, order a latte, and proceed to log into the coffee shop’s unsecured point-of-sale system through its free Wi-Fi network. Or, in somewhat rarer cases, they enlist an employee to help them. Verizon estimates 4 percent of all data breaches are inside jobs. And yes, your smiling waiter will occasionally betray you by taking down your information when you’re not looking. These days they use skimmers. But it’s hard to do that for long without getting caught, especially if you’re using the cards to make purchases locally—as a ring of thieving waiters at fancy New York restaurants recently discovered.

But more often, it’s not your waiter who’s ripping you off. It’s a junkie in Maryland allegedly hacking Seattle restaurants’ servers to score heroin money, Russian thieves hacking restaurant wholesalers, or unknown miscreants hacking Jumper’s Junction sports bar outside of Pittsburgh or a Chili’s on Yokosuka Naval Base in Japan.

Security analysts say restaurant owners and the companies that install their point-of-sale systems are becoming more aware of the danger of credit card thieves. Scott DeFife, an executive vice president at the National Restaurant Association, told me his Washington, D.C.-based group makes an effort to educate its members about the risks of cybercrime. And compared with the size of the U.S. restaurant industry, which employs 13 million people, the scale of the problem is relatively small: probably hundreds of breaches each year, affecting perhaps hundreds of thousands of customers.

Yet the Verizon report suggests business owners could still be doing a lot more: 96 percent of all data-breach hacks were “not highly difficult”—up from 92 percent last year. The number was enough to spur Verizon to take an unusual step this year. On Page 62 of its report, it includes a cut-out section with simple tips for securing point-of-sale systems and encourages customers to hand it to the managers and owners of their favorite local haunts. At the bottom it says, “For more information, visit (but not from your POS).”

