Wendy’s admits to payment card malware infection

Wendy’s, the world’s third largest burger chain, just released its First Quarter results for 2016.

Turnover is up, and the company announced an “increased outlook” for the rest of 2016, meaning that it’s backing itself to do better than originally expected.

But there’s a small fly in the ointment, about halfway through the report, under the heading Update on investigation into unusual payment card activity.

Cybersecurity sleuth Brian Krebs wrote about the possibility of a Wendy’s malware breach back in January 2016.

Krebs’s article came on the back of what’s called CPP intelligence, short for Common Point of Purchase.

When customers report fraudulent transactions on their cards, payment card companies draw lines back in time through their recent purchases, looking for individual shops, or chains, or franchises, where these “purchase paths” intersect.

If there is a common point of purchase that stands out amongst the crowd of tranactions, it’s worth looking to see if that CPP was a factor in the fraud.

In the case of a single store, or restaurant, or pub, it might indicate skimming by a staff member working there.

In the case of a chain or franchise that shares a payment processing network, it might indicate that the payment system itself has been penetrated by hackers.

These days, that rarely means that the hackers are logged in personally, sniffing out transaction data.

Instead, once the crooks have figured out how to get into and then move around inside the network, they will usually distribute malware to do the dirty work for them, automatically and continuously.

That’s what happened in long-remembered breaches such as Target, Home Depot, Neiman Marcus, P.F Chang’s and more.

Now, it turns out that something similar happened at Wendy’s, as explained in the quarterly report:

[Wendy’s] believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.

(Wendy’s customers who want to know more should take a look at the company’s FAQ about the incident.)

Chip versus magstripe

The US was notoriously slow to switch to chip-based payment cards, which most of us from the rest of the world have been happily using for years.

Thanks to backwards compatibility, and the fact that there are still lots of non-chip-based cards out there, the insecurities of the old magnetic stripe (magstripe) system are still with us.

During a chip-based payment, when you typically plug your card into a short slot at the bottom of the payment device, none of the raw data from the chip is transmitted to the cash register computer.

Strong cryptography is used inside the chip on the card itself and in the payment device, so that even if malware on the cash register intercepts the incoming data from the payment device, no long-term harm will be done.

Importantly, the data available from to “data sniffing” malware on the cash register is not enough to clone the transaction or the card.

During a magstripe payment, however, when your card is swiped, the raw data from the card is usually transmitted directly to the cash register computer.

(Believe it or not, the payment device usually emulates a USB keyboard to simplify the transmission of the card data – it effectively “types in” the unencrypted data off the magstripe.)

Although the payment transaction between the cash register and the financial institution uses strong cryptography, all the encryption happens on the computer.

In other words, if there’s malware on the cash register, the encryption happens too late: the malware scans repeatedly through RAM looking for data temporarily in memory that resembles a credit card magstripe.

Whenever the malware spots data belonging to a transaction in progress, it copies it and sends it off to the crooks in an innocent-looking network packet.

What to do?

If you are in the US, you ought to have a chip-enabled card by now.

If you can, insist on using the chip when you reach the payment point.

Don’t hand over your card, even if the transaction happens in front of you, just in case the merchant swipes your card out of habit instead of “chipping” it.

(Once your card has been swiped, even if you then cancel the transaction, you have no idea what just happened to the magstripe data that was read off it.)

Use the slot at the bottom of the device – the one that connects up to the chip but leaves most of your card sticking out.

Sometimes, you may encounter payment devices where the chip reader and the magstripe reader are integrated, so that you can’t do a chip-enabled transaction without also giving up your magstripe data.

In this case, you don’t have much choice if you really need to go through with the transaction, for example if you are trying to rent a car after arriving at the airport on a business trip.

Nevertheless, it does no harm to ask if the merchant has a different card reader: you may be pleasantly surprised.

After all, the staff who process your card payments are increasingly concerned about security themselves, sometimes as a result of bad experiences of their own.

For example, I was recently at a supermarket checkout where the teller said, “The chip reader at this till has started giving problems – if you’re in a hurry you can swipe instead, but it’s better if I go and get another reader.”

Payment card chips won’t eliminate fraud due to cash register malware, but they make things much harder for the crooks.

And you might as well say we owe the crooks that much.