Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Crime Privacy

Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware (theverge.com) 115

Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
This discussion has been archived. No new comments can be posted.

Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware

Comments Filter:
  • Well (Score:5, Funny)

    by Plumpaquatsch ( 2701653 ) on Friday May 26, 2017 @05:05PM (#54494631) Journal
    At least their food wasn't infected,
  • by s1d3track3D ( 1504503 ) on Friday May 26, 2017 @05:10PM (#54494657)
    You're going to need your credit card when you go buy more underwear after eating Chipotle. (south park)
  • I can't find the malware, or how the hack happened. Does anyone have real information about this hack?
    • 2 malware infections.

      1) You eat the food
      2) The bugs grow in your intestines
      3) You spend lots of time in the bathroom with Moderate To Severe Gastrointestinal Distress

      Other one,

      1) Credit card processing is controlled by computer connected to corporate network
      2) Corporate network is p0wned and hostile
      3) Refuse to accept delivery of items you didn't order and your fraud complaint will be less painful. But you are going to need a new card.

  • new tool: don't eat there again.
  • by Chas ( 5144 ) on Friday May 26, 2017 @05:16PM (#54494687) Homepage Journal

    I can avoid diarrhea AND credit card fraud!

    • by ChromeAeonium ( 1026952 ) on Friday May 26, 2017 @05:45PM (#54494845)

      I don't eat there because of their anti-GMO marketing. If you're going to use science denialism as a marketing tool and cater to a dangerous hysteria that makes the world a worse place, then meh, I'll go somewhere else.

      • by Ogive17 ( 691899 )
        Do they have "anti-GMO" marketing or do they simply advertise their products as non-GMO and the meats from animals that were not fed growth hormones?

        I've never seen an ad taking a stance, which is what you imply, simply ads talking about what they offer.
  • by Anonymous Coward

    Nice web tool to see if you were at risk - I was able to confirm from my cc records that i didn't use it there on any of the at-risk dates. Thanks to their doing the right thing, I can relax. (If I there was a hit I would have replaced my CC.)

    Too many companies either cover up this stuff, or don't give you the info needed to act. I'm looking at you Target, T J Max, ...

    • by TWX ( 665546 )

      If they're doing the right thing, I should receive notice from my financial institution that Chipotle contacted them and paid for the cost to issue me new plastic.

  • Chip vs. Strip? (Score:4, Interesting)

    by AdamThor ( 995520 ) on Friday May 26, 2017 @05:39PM (#54494805)

    Is Chipotle on the chip, or are their readers still strip based? My cards have chips these days, but I usually don't watch to see who uses which scan technology. Chip tech is supposed to combat this sort of thing, isn't it?

    How'd that work out?

    • Lots of cards still don't have chips and stores will still let you swipe them... so it's not a binary situation.
    • So the company announcement says that the malware stole data from magnetic strip reads.

      "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device."

      I didn't see anything specifically state that chip-based interactions were immune. What percentage of payments were strip vs. chip based?

      • Re:Chip vs. Strip? (Score:5, Informative)

        by robertchin ( 66419 ) on Friday May 26, 2017 @05:54PM (#54494891) Homepage

        100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.

        • Wonder if after this if they continue using swipe only? Fraud gravitates towards the weakest link.
        • I wondered if this would be the case. Since chip tech exists, you'd only target malware at people who weren't using it...

        • by hawguy ( 1600213 )

          100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.

          All they'd have to do to speed up Chip transactions is program their systems so while one customer is waiting for the chip transaction to complete, the next customer in line can be placing his order. Most small CC transactions don't even require a signature.

          • Have you never been to Chipotle? Multiple people are ordering while someone is paying.

          • I work for a McD's franchisee as the technical person. We moved to chip and pin this year, even in our drive thrus. Processing time is less than 4 seconds for chip and pin. Chipolte was way stupid for doing this. They are responsible for all these fraudulent charges because of the liability changes last year.
    • by Anonymous Coward

      I've never seen a register at a Chipotle that takes chips. It's all swipe.

      • Re:Chip vs. Strip? (Score:5, Informative)

        by dustman81 ( 1134599 ) on Friday May 26, 2017 @05:52PM (#54494873)
        Chipotle has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security. https://www.scmagazine.com/chi... [scmagazine.com]
        • Re:Chip vs. Strip? (Score:4, Insightful)

          by sphealey ( 2855 ) on Friday May 26, 2017 @06:03PM (#54494935)

          = = = has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security = = =

          I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.

          • Puts a new take on the phrase 'fast food'.

          • by Anonymous Coward

            That's only because the US completely botched the adoption of EMV, although things seem to be getting better now.

            Compare to a country like the UK or Australia where it's been done properly and there's "tap and go"... you tap your card on a reader and it beeps and the transaction is complete. It's faster than a swiping a card.

          • We in the US should be ashamed that the godless communists in Europe are more efficient at separating consumers from their money.

          • = = = has stated that they absolutely refuse to use the EMV chip, and only will do swipe, citing speed over security = = =

            I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.

            I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.

            • by trawg ( 308495 )

              I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.

              literally everywhere in Europe & Australia maybe :D

              It is staggeringly rare to see swipe at all now.

          • by Tablizer ( 95088 )

            the chip is painfully slow compared to the swipe strip

            Because oligopolies control the payment market. Break them up and you'll get faster systems.

          • That makes them 100% liable for any losses due this leak. No chip and the vendor is responsible.
          • The US seems quite backwards in its credit card technology, here in the UK we have had chip & pin basically exclusively for a decade and are now using Rfid for low value touch based transactions (less than £30)

        • Stupidity like this is why card issuers are simply going to have to make EMV mandatory. Same deal with gas stations; yes I realize EMV readers are expensive but it's cost of doing business. Deal with it and upgrade your shit.

          • Stupidity like this is why card issuers are simply going to have to make EMV mandatory

            The issuers aren't going to be doing anything for a while. Because at the moment, the vendor who gets hacked is now responsible for all mag stripe fraud.

    • Basically the banks have said that if a card has a chip and a merchant doesn't use it then the merchant gets to eat the fraud cost. So chip tech reduces the amount of fraud the banks have to eat the cost of.

      But there are still a lot of non-chip transactions (e.g. card not present, merchants that refuse to upgrade) which are still as insecure as ever. While the merchant gets to eat the bill the customer and bank still have to deal with the rigmarole of identifying the fraudulent transactions and replacing th

      • by Imrik ( 148191 )

        Which is why the banks didn't bother optimizing the way the chips work to make them fast, the fewer businesses that adopt the chip, the better for them.

  • by BLToday ( 1777712 ) on Friday May 26, 2017 @06:28PM (#54495059)

    My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.

    • by law you can't be held liable for more than $50 bucks of fraud and I've never seen anyone held for that (maybe on the really crappy cards you use to rebuild credit after a messy divorce?). As long as you read your statement once a month the one who's gonna lose out here is Chipotle. Especially since they're not doing chip 'n pin.
    • by hawguy ( 1600213 )

      My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.

      You carry around a bulky wallet full of cash all of the time because you don't want the mild inconvenience of having a credit card number stolen?

      I've had 2 CC numbers stolen -- with one, I didn't realize it until I got a fedex envelope from the bank with a replacement card, with the other, it took 10 minutes online to complete a fraud report and flag fraudulent transactions, then I had to sign and return a paper that I received with the replacement card.

    • by Luthair ( 847766 )
      So what you're saying is that you'd rather be mugged at gunpoint than having your credit card skimmed.
      • by mjwx ( 966435 )

        So what you're saying is that you'd rather be mugged at gunpoint than having your credit card skimmed.

        Yes, because:

        1. I live in a country where you simply dont get mugged at gunpoint.
        2. I know enough self defence that I can reliably beat most attackers unarmed.
        3. Thanks to contactless, my cards are just as valuable to a mugger as cash.

        Due to points 1 and 2, I don't worry about being mugged, due to point 3, after a long hiatus in the UK, mugging and pick pocketing is making a comeback. If a mugger gets my wallet, they only get whats in the wallet (I've disabled contactless on all of my cards, but a mugger do

  • "Earlier this year, Chipotle announced that the their payment processing system was hacked."

    Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?

    I am SO glad that I never ate at Chipotle, but that's just down to pure luck more than anything else. If I had, and my credit card info had been hacked, I would pissed off beyond beyond all reason.

    Fucking clowns. After you hear about the 1,000th data breach you start to realize

    • by Teckla ( 630646 )

      Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?

      We're currently deep in the Dark Ages of computer security, and I'm not 100% sure it's the fault of your typical companies that get hacked.

      If 999,999 out of 1,000,000 of your customers somehow use your tool wrong, and cut off their hands, the real problem might be the tool...

      Humans can't seem to secure anything (e.g., Windows, credit card machines, servers, etc.) because the whole process in incredibly error prone and ridiculously complex.

  • Chipotle researchers have found a way to imprint the giardia genome into customers' credit card strips. This can cause it to jump to rival restaurants.

  • by MtViewGuy ( 197597 ) on Saturday May 27, 2017 @06:22AM (#54496759)

    Chipotle's latest problem is why restaurant and retailers need to offer Android Pay and Apple Pay support.

    Why? Because under Android Pay and Apple Pay, you transact using a specially encrypted code that is not anywhere close to your credit card number. As such, there's no such thing as "skimming for card number," and it's extremely difficult--even if the hacker could intercept the data stream--to use it for credit card fraud.

    • by ebvwfbw ( 864834 )

      Or bring the American cards up to European standards. They could have done that with the last switchout. In fact they *COULD* have made it more secure than the European standard. But no. Too hard or some such bullshit excuse.

      Probably take them 20 years to decide to upgrade again unless there's a really big problem.

      Android pay, apple pay - I was using that. In the case of Android they changed something so it didn't work anymore. So I had to get a new version of their pay, which doesn't want to work with the

news: gotcha

Working...