Forgot your password?
typodupeerror
Security

Credit Card Breach At P.F. Chang's 117

Posted by Soulskill
from the another-day-another-breach dept.
schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes: On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
This discussion has been archived. No new comments can be posted.

Credit Card Breach At P.F. Chang's

Comments Filter:
  • I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"

    • Re:Cash and checks (Score:5, Insightful)

      by lexman098 (1983842) on Tuesday June 10, 2014 @07:20PM (#47207405)
      I use credit cards for 99% of my purchases. That way I avoid the issue of dealing with change and refilling on cash. I've never been held responsible for a fraudulent charge.
      • by culmor30 (2676135)
        Hi everyone, I have some anecdotal evidence which counters the claims of *both* of the posters above me!
      • This. Any bank that isn't a ripoff (and assuming that you don't have the worst credit in the world) offers zero liability for fraudulent purchases. Given that checks are tedious to write and process, and cash is easy to get lost or stolen, it doesn't make a whole lot of sense to pick them over a credit card.

        I probably went to PF Changs in this time period, and used my credit card there no less (I'm not quite sure whether it was in April or in May that I last went) but I'm not at all concerned about it. I've

        • by msauve (701917)

          Any bank that isn't a ripoff (and assuming that you don't have the worst credit in the world) offers zero liability for fraudulent purchases. Given that checks are tedious to write and process

          You fail to mention the full, tedious process for reporting fraudulent card transactions, and getting them reversed. Whenever I've had to do it (recently, almost yearly), There are records to review, paperwork to fax, etc. to confirm what charges are legit and which aren't.

          It's a wash in effort between dealing with ca

          • You fail to mention the full, tedious process for reporting fraudulent card transactions, and getting them reversed. Whenever I've had to do it (recently, almost yearly), There are records to review, paperwork to fax, etc. to confirm what charges are legit and which aren't.

            With my card, in most cases, I get a call where they verify a half-dozen or so purchases. There was once where they called me to say that my card was cancelled, with a new one in the mail. I've never had to fill out any paperwork from that particular bank/card, let alone had to fax anything. The policies vary company-by-company, so something that's onerous for you may be much easier for someone else.

            • by msauve (701917)
              " The policies vary company-by-company, so something that's onerous for you may be much easier for someone else."

              Yes, anecdotal evidence means very little.
            • by Euler (31942)

              I have to agree that the CC company makes a difference, Capital One has always been the one to tell me when something bad has happened. Slight inconvenience to me. Somebody besides me ate the cost (probably Capital One.) So obviously their business model is profitable enough to not really worry too much.

              That being said, it is about F'ing time that retailers and CC companies make the investment into chip and pin systems. Not perfect, but would basically shut down most causal card skimmers. The one-time

          • Tedious? Then you have the wrong credit card.

            Every time this has happened to me with any card, they call me and ask me if I had made a few recent purchases. If I say no to any of them, they cancel the card and immediately ship me a new one. Max time 10 minutes. I need to type in the card number every time I make a purchase online anyhow. If I have to make a purchase in the couple of days it takes for the new card to arrive... I use a different card.

            When your bank account is cleaned out, you are without mone

          • by BronsCon (927697)
            My bank has an automated phone menu for it! I choose the option and it takes me through a list of transactions, allowing me to press 1 if fraudulent or 2 of legit. It's been a while, but I seem to recall being asked the date and amount of the oldest fraudulent transaction before the list review began; ostensibly to determine where the review should stop. The temporary credit was immediate, I got a phone call the next day to confirm that I had, in fact, meant to report fraud, and received a letter within a w
      • I use credit cards for 99% of my purchases. That way I avoid the issue of dealing with change and refilling on cash. I've never been held responsible for a fraudulent charge.

        Plus using a credit card gives you 5% cashback for various categories of purchases.

      • Re:Cash and checks (Score:4, Insightful)

        by swell (195815) <jabberwock@poetic. c o m> on Wednesday June 11, 2014 @12:47AM (#47209199)

        "I use credit cards for 99% of my purchases. That way I avoid the issue of dealing with change and refilling on cash. I've never been held responsible for a fraudulent charge."

          - OTOH, I use CASH for 90% of my purchases. Only one retailer (a major online company) knows my card number and they are unlikely to leak it. Similarly I have no revealing 'loyalty cards' for grocery & drug store purchases.

        So my wallet is much thinner than yours and I have little fear of identity theft. I carry $200-$400 at all times. If it is stolen, I will be unhappy but not as much as if my identity is stolen.

        I don't think it's anyone's business if I purchase adult diapers or pron or medicines or alcohol. Should I reveal that in return for 'rewards'? You will have to decide for yourself if you want to advertise your lifestyle in exquisite detail to worldwide data marketers.

    • Re:Cash and checks (Score:5, Insightful)

      by vux984 (928602) on Tuesday June 10, 2014 @07:27PM (#47207443)

      I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"

      Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any greif over any of them.

      Your solution of carrying cash exposes you to higher risk of direct loss or theft. And you lose the card rewards program.

      As for cheques -- yeah, whatever, because those aren't stupidly easy to forge; and most people won't even take them anymore.

      On the upside you have a smallish boost in privacy relating to your purchases. (locations, times, and amount spent)

      Seems you've traded one set of small risks for another. Not sure that amounts to a real overall improvement though.

      • Don't neglect those rewards either. Every year I get a nice free $200 payment towards my credit card bill, and since I always pay it off before interest accrues, it's pure profit.

        Stupid paypal always forces me to default to paying with a bank account, and when I try to pay with a credit card they insist that I don't do it because the credit card supposedly costs me more. Paypal just wants to make a higher profit margin.

      • by sjames (1099)

        The risk of forged checks is there even if you never use them yourself.

      • by mjwx (966435)

        Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any greif over any of them.

        Not really, the average loss from credit card fraud is $500, it costs Australia $2 billion annually. Eventually this costs comes back to you.

        Your solution of carrying cash exposes you to higher risk of direct loss or theft. And you lose the card rewards program.

        LoL @ rewards program.

        Seriously, carrying cash does not increase your theft profile, with the addition of contactless payments that do not require a form of authentication, plastic is now as at risk as cash. Yep, sure you can tell me "but the bank will cover me" but all you're really saying is "I'm naive like a child". The bank only covers its self.

        Seriously, rew

        • by Calavar (1587721)

          Compared to the costs of using credit cards (most of them hidden like interchange fees and merchant service fees) cash is cheaper.

          You still pay those when you use cash because the agreement between the credit card company and the merchant forbids the merchant from offering a lower price when goods are purchased with cash.

          In fact, given the number of high profile breaches in recent days it seems carrying cash is safer. You can expect more breaches as criminals figure out ways to colelct your card information from NFC without you even taking your card out of your wallet.

          As others have already said, it's not the cardholder that takes the loss when fraud occurs. It's the merchant. Sucks for them, of course, but certainly not for the cardholder. So I'm not sure why you're still rambling on about the safety of cash. If a thug steals your wallet full of cash, it's gone for ever. Not so if

          • by mjwx (966435)

            You still pay those when you use cash because the agreement between the credit card company and the merchant forbids the merchant from offering a lower price when goods are purchased with cash.

            Fortunately, not legally enforceable.

            Dual pricing is permitted by law in Australia precisely because it is illegal for a third party to force a hidden cost onto a business. For a moment, consider the people you are defending here, they are forcing extra costs on merchats, which results in higher prices and you're

            • by vux984 (928602)

              Lots of businesses do a cash discount. The only way you dont know about this is because you dont do cash transactions... your loss.

              Most of the business I've dealt with that do a cash discount have nothing at all to do with credit card fees. They are simply committing tax evasion; as a cash transaction lets them avoid putting it on the books. Which is fine, but lets not pretend its because of big bad credit card companies.

              And what does the merchant do when they take a loss? Put prices up to compensate.

              Yes.

              Y

            • I think the problem with your argument is that you are in a different country (Austrailia) than most of us (US). The laws and processes there appear to be quite different. Here:

              1) There is minimal difficulty in disputing charges. Most banks have the process pretty streamlined, so on the rare occasion it happens, it's relatively simple to deal with and causes you no disruption (at least with credit cards...debit cards can be a little more dicey with the potential for bounced payments and stuff, which is why

        • Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any greif over any of them.

          Not really, the average loss from credit card fraud is $500, it costs Australia $2 billion annually. Eventually this costs comes back to you.

          Because nobody would commit fraud if credit cards did not exist.

      • by Nyder (754090)

        .. And you lose the card rewards program.

        ....

        Cash reward for credit cards isn't a cash reward. You must be the type that thinks trickle down economy is good.

        Here's how the cash rewards work. The CC company says "Hey, our Customers are stupid. They pay high interest rates to us for convince. How about we tell these sheep that they can get cash back, while we up their interest rate 1% to pay that cash back.

        Car analogy: You go to buy a new car. The Dealer says they give you $1000 cash back if you buy this certain model. You think, cool, I'll

        • by Anonymous Coward

          That's how it works for some "wankers" but for me I pay them $0 in interest and they pay me thousands of dollars a year in cash back.

        • by vux984 (928602)

          Here's how the cash rewards work. The CC company says "Hey, our Customers are stupid. They pay high interest rates to us for convince. How about we tell these sheep that they can get cash back, while we up their interest rate 1% to pay that cash back.

          As I pay my balance off virtually all the time my rewards cash back far exceeds any interest payments and fees.

          I guess its like the lottery -- a tax on people bad at math. Except unlike the lottery, I can win at this game. And do.

        • by josecanuc (91)

          Often, the rewards are paid out of the merchant's pocket, not even the credit card company or the bank that issued it. Merchants are charged a percentage ranging from about 1% to 4% on purchases. Rewards cards often take the highest percentages.

          In effect, your "cash back" is paid by the person from whom you are purchasing merchandise/services. That results in higher prices, as merchants adjust pricing to meet their net profit needs.

          It's correct that you, the account holder, are paying your own reward, but i

          • by vux984 (928602)

            It's correct that you, the account holder, are paying your own reward, but it's not so direct that it is paid out of interest+fees.

            In that case, not using a rewards card means I'm paying for other peoples rewards, and not getting any myself; so I'm still ahead using a rewards card vs not using one.

    • Now I have to avoid you at the grocery store for fear of being in line behind you while you write a check.

      • by riverat1 (1048260)

        I almost always use cash at the grocery store. I'm the one waiting in line for person running their card through the machine. Checks are for the big purchases.

        • by plover (150551)

          Umm...no. Cash takes considerably longer to tender than credit. The customer takes time selecting the bills and coins, the cashier takes time counting it, then enters the amount in the cash register, and after the till opens, they have to count out the customer's change. This takes an average of about 16 seconds per transaction.

          A credit transaction today is a swipe of a card, and can be processed and authorized in under one second.

          Chip and PIN is not as fast as a magnetic stripe due to the very limited CP

          • by nabsltd (1313397)

            Cash takes considerably longer to tender than credit. The customer takes time selecting the bills and coins, the cashier takes time counting it, then enters the amount in the cash register, and after the till opens, they have to count out the customer's change.

            The one assumption you make here is that the credit card user is on the ball, and swipes either before the final total is rung or immediately after. I have seen many customers stand there until the cashier tells them the total, then reach into their wallet/purse and hunt the credit card, swipe it the wrong way, finally get it right, then hit "debit" on a card that is credit only.

            Granted, these same people would likely take even longer to pay with cash, but I can see why some people think that cash is faste

        • Considering that cashiers can hardly do math anymore even when the POS tells them which bills to provide in change... cards are much faster.

          (Not that I blame them, I can hardly do basic math either. That is what the computer is for.)

    • I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"

      I also tend to stay away from places with "Bistro" in the name. You can generally count on a 50% or more higher price, with no commensurate increase in quality.

      "Bob's Chinese" is more likely to try harder.

    • Checks are more insecure than credit cards...

    • I usually use EMV + PIN

      should be safe enough. I wonder why people keep useing those magnetic stripes.

    • by Salgat (1098063)
      I use credit cards for all my purchases and get around $300/year back in rewards. On top of that, all my purchases have additional protections provided by the credit card company. Further, not a single person is liable for any fraudulent charges made on a credit card. I'm having a hard time seeing your point.
    • I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"

      If you use personal checks for everything, are a complete fool. Checks are trivially easy to fake. All they need is your bank account number, helpfully printed in clear text on the front of the check. The bank's routing number is published information. There is absolutely no protection in the personal check system.

      Your name does not need to be on the check they create. All they need is an ID from somebody, and that person's name on the check. There is no protection built into the system at all.

      If you do hav

    • by kilodelta (843627)
      I tend to use a business debit card. Has essentially the same liability limits a credit card does. Better yet - my bank is proactive. All I have to do is call and dispute charges and I'm sent a new card a couple days later. Works great.
  • by mveloso (325617) on Tuesday June 10, 2014 @07:05PM (#47207297)

    If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.

    • by Nyder (754090)

      If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.

      Yes, they have been compromised at the factory, which I stated in the Target Breaches, but no ones to believe because I will NOT name my sources.

      • by rtb61 (674572)

        It seems like all the POS compromises were inside jobs of one description or another. Pay minimum wage, chop and change employees, means you system will get compromised, it is just a matter of time. Looks like all instore purchase will require cameras at the checkout to to photograph every person making a credit card purchase. All deliveries based upon online credit card purchases will require an identified and photographed individual to accept them (skype could become popular for online purchase, no video

      • by nitehawk214 (222219) on Wednesday June 11, 2014 @10:34AM (#47212221)

        If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.

        Yes, they have been compromised at the factory, which I stated in the Target Breaches, but no ones to believe because I will NOT name my sources.

        And you are cross at people for believing your claim with no evidence? You must be religious.

  • Target store is going to change its name to Kick Me.

  • ...but half an hour later, it was empty again.

  • Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.

    • by vux984 (928602) on Tuesday June 10, 2014 @07:35PM (#47207493)

      Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.

      Or, if your in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.

      • by mjwx (966435)

        Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.

        Or, if your in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.

        This really has to be one of the most naive things I've heard in a long time.

        Sadly I hear it quite often.

        "The bank will look after me, the bank's got my back".

        Why do you think the bank wont drop you like a hot brick if you become too much of a liability? Why do you think the bank actually works for you and not the shareholders?

        I'm not a paranoid nutcase, I'm happy to use the services of a bank but I also know that they will try to screw me over as much as possible. That's their business, to make

        • by vux984 (928602)

          Why do you think the bank actually works for you...

          I have no such illusion. I am not a liability. They make money off me. I presume they take about 3% of everything I run through the card, less the 1% they send back to me... So, 2% is theirs.

          If they had to choose between eating a few fraudulent charges, and losing me as a customer they'd eat the charges. So, no, I'm not being naive. I know exactly what I'm worth to them.

        • "The bank will look after me, the bank's got my back".

          Because if the bank doesn't have my back, I take my money elsewhere.

      • by pantaril (1624521)

        Or, if your in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.

        But who eats the loss? I seriously doubt it's the bank. AFAIK they bill the merchant which means there IS problem (because the merchant will project those chargebacks into the price of his goods).

        The right solution is payment system where you don't give your secret keys when you make a payment. For example bitcoin or other cryptocurrencies.

    • by TWX (665546)
      I really wish that this was possible, but some places like Costco don't take credit except from a single card (AMEX), and buying things at Costco with cash could itself be risky given the amount of cash one would need to carry. Plus they only take plastic at their fuel pumps.
      • by mythosaz (572040)

        Costco might not take other CREDIT cards, but they POS debit just fine.

        Aside, any AMEX will work as a Costco card to activate their gas pumps, for membership gas prices without membership. Any Discover does the same at Sam's gas pumps. [At least until later this year when they phase out Discover.]

    • Carry hundreds of dollars worth of cash around with you at all times = security.

    • by ewieling (90662)
      I do similar things. Yes, it can help prevent credit card fraud and the hassle associated with it, but I am far more concerned about the privacy implications of using plastic for everything.
  • And yes, I am serious. I am now going to get my flame suite on though.

  • ... you have bigger damage to worry about than your credit, like your colon.
  • There were two suspicious charges in New York state: $20 at Burger King and $300 at Kohls, both declined (yah!). I used that CC at PF Changes in late March.
    • by freeze128 (544774)
      Wow! I was going to say that the criminals seem to be getting smarter, but your post is evidence otherwise.

      "Gee, this card can't handle a $20 charge for lunch, so I'll try to buy something MORE expensive with it...."
  • The thing I like about bitcoin is it allows the user to determine how secure or insecure they wish to be while with credit cards they are dependent upon multiple third parties security measures and the weakest link in the chain can expose you to fraud. I never had an issue with fraud in Bitcoin and have had multiple issues with fraud with debit/cc's where I needed to get replacement cards and was liable for the deductible.

    When I pay a retailer with Bitcoin I don't have to worry about identity theft or my a

    • by ASDFnz (472824)

      I cannot agree more, I even just bogged about it;-

      http://mineforeman.com/2014/06... [mineforeman.com]

      Bitcoin's public/private key system avoids the issue all together.

      With a credit card when you hand over your plastic you have effectively just handed over you private key for someone to copy with a magnetic strip reader, a photocopier or even something as old school like a pen and paper.

    • Bitcoin does solve the issue of being able to electronically pay people you may not trust, but so does PayPal. Bitcoin transactions are slow to confirm, you have no protection as a buyer to perform a chargeback (for example, you buy tickets for a concert that turn out to be counterfeit) and the price of Bitcoin is extremely unstable. Bitcoin also is not really free of transaction fees, either. You will pay a fee to an exchange when buying Bitcoin with fiat.

      Bitcoin's deflationary design also makes it lous

      • I am going to stay ontopic rather than discuss all of your statements.

        Bitcoin does solve the issue of being able to electronically pay people you may not trust, but so does PayPal.

        Isn't the chargeback potential a risk under paypal not found for bitcoin? When someone gets paid the charge can be reversed at any time per Paypal's discretion. Thieves will buy bitcoins all the time on ebay with stolen paypal accounts and than the seller will be out all the money when paypal reverses the transaction. Additionally, isn't paypals security polices also a risk for the user unlike with bitcoin where you can trust the mathemat

        • Isn't the chargeback potential a risk under paypal not found for bitcoin? When someone gets paid the charge can be reversed at any time per Paypal's discretion. Thieves will buy bitcoins all the time on ebay with stolen paypal accounts and than the seller will be out all the money when paypal reverses the transaction. Additionally, isn't paypals security polices also a risk for the user unlike with bitcoin where you can trust the mathematics and network which is immune from many traditional attack vectors?

          Yes, chargebacks are a potential fraud risk for business owners. As a customer, though, being able to perform a chargeback is an important safeguard against a seller that doesn't make good on their part of a transaction.

          While having your bank/credit card information on file at PayPal is also a potential security risk, it's still significantly less of a risk than trusting every business you allow to directly process your credit card.

  • The only way almost all credit card thefts have been realized is their sale on different web sites. These Security personal check the sites at regular intervals (or informed of them) then point and say AH! HA!

  • And by massive they mean "On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so...". Hardly on the scale of the Target breach so far.
  • Given that China is the 3rd most visited country in the world, this is probably not nationwide problem, but also for tourists who have been there and have paid with credit card at this China bistro chain.

    It's good that such a problem hasn't happened in one of European countries, or in USA, because the problem would have likely been much bigger due to larger base of people using credit cards.

    (here's hopelessly hoping that editors do better job writing "articles" outside their US-only minds)

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...