Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware (theverge.com)
Earlier this year, Chipotle announced that their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
Well (Score:5, Funny)
Re: (Score:2)
At least their food wasn't infected
Who knows? Maybe people who ate there and charged it came away the victims of *two* different meanings of the word "virus".
Re:Well (Score:4, Interesting)
Given the issues Chipotle has had in recent months with regard to food safety, this is actually not unlikely!
Re: (Score:2)
No, they got that out of the way last year [foodpoisonjournal.com]
Re: (Score:2)
Chipoltaway (Score:3)
What malware? (Score:2)
Re: (Score:2)
2 malware infections.
1) You eat the food
2) The bugs grow in your intestines
3) You spend lots of time in the bathroom with Moderate To Severe Gastrointestinal Distress
Other one,
1) Credit card processing is controlled by computer connected to corporate network
2) Corporate network is p0wned and hostile
3) Refuse to accept delivery of items you didn't order and your fraud complaint will be less painful. But you are going to need a new card.
Re: (Score:2)
Heh, heh, both sound like 'insider' jobs.
E. coli malware (Score:2)
Good thing I can't stand Chipotle. (Score:5, Funny)
I can avoid diarrhea AND credit card fraud!
Re:Good thing I can't stand Chipotle. (Score:4, Insightful)
I don't eat there because of their anti-GMO marketing. If you're going to use science denialism as a marketing tool and cater to a dangerous hysteria that makes the world a worse place, then meh, I'll go somewhere else.
Re: (Score:1)
GMO food requires LESS pesticides because it can be modified to be more robust yet less appealing to insects.
Re: Good thing I can't stand Chipotle. (Score:5, Insightful)
This post is the exact type of misinformation I'm talking about. GE crops aren't made to be 'drenched in' Round-Up, they're designed to tolerate it so it can be used in place of other weed control methods, which typically include a series of much worse herbicides.
Yes, there were potatoes that were engineered to produce a type of insecticide. They were called NewLeaf, and are no longer on the market. But you know what, all potatoes produce their own insecticides, notably solanine. If you want potatoes with no insecticides, you better not eat any plants, because chemical defenses are how they evolved to cope with pests. Don't like that being altered? What do you think happens when we breed a new pest resistant variety without genetic engineering?
As for cross pollination, all plants do that. Reproduction is what life has been fine tuned to do since day one. If you are going to hold GE crops to an unreasonable double standard, then of course they're going to fail. But I could apply that same argument to non-GE crops. Crops with different traits will cross pollinate and result in different progeny, which can cause issues in some instances. Arbitrarily declaring one thing be grown in greenhouses while giving everything else a free pass makes no sense.
Your post shows exactly why I hate anti-GMO marketing so much. It preys on an ignorance of modern agricultural methods, genetics, and basic botany, all while fostering opposition to a technology that society should be embracing.
Re: (Score:1)
Look up which ones are grown on farms and sold as foods, ones that are designed to survive being drenched in RoundUp, or happy joy-joy hippie ones that are better for you. You could have guessed which it is by the fact that the hippies don't eat GMO.
Re: Good thing I can't stand Chipotle. (Score:2)
Because hippies eat something, it is better for you?
Re: (Score:2)
Hippies are into healthy stuff. It might not be better for you, but you can be confident that they believe it to be better for you.
In the 90s when NPR was running a story about "Golden Rice" and how in the future food will be engineered to be healthier, a lot of hippies said things like, "Sounds nice, but I doubt they're really going to use the technology that way." And they were right. Almost everything modified that is in a food product in the store is modified solely to withstand broad-spectrum herbicide
Re: (Score:2)
Again with the "drenched in".
Christ, did you join an anti-GMO CULT?
Again, these crops are made resistant to RoundUp, which has minimal uptake, ultra-low toxicity and can be used in far smaller quantities than other FAR more toxic "natural" herbicides which destroy greater portions of crops.
Oats. Oats have a relatively high uptake of RoundUp. So, a product like Cheerios has something like 1100 parts per billion of one of RoundUp's active ingredients.
Know how much you'd have to eat?
By the EU standard,
Re: (Score:2)
You've obviously never applied RoundUp. You have to "drench" the leaves of the plant you want to kill. That is how it is applied. You spray it over the exposed leaf surfaces.
You can write, but I doubt you're able to read. Oh, you clearly know how, you're not illiterate; merely aliterate.
BTW, fear of eating the RoundUp isn't why people are opposed to using it on everything you fucking tool, and you've been told that before! My goodness man, you're even more ignorant than if you were illiterate!
Who fucking
Re: (Score:1)
This post is the exact type of misinformation I'm talking about. GE crops aren't made to be 'drenched in' Round-Up, they're designed to tolerate it so it can be used in place of other weed control methods, which typically include a series of much worse herbicides.
Yes, there were potatoes that were engineered to produce a type of insecticide. They were called NewLeaf, and are no longer on the market. But you know what, all potatoes produce their own insecticides, notably solanine. If you want potatoes with no insecticides, you better not eat any plants, because chemical defenses are how they evolved to cope with pests. Don't like that being altered? What do you think happens when we breed a new pest resistant variety without genetic engineering?
As for cross pollination, all plants do that. Reproduction is what life has been fine tuned to do since day one. If you are going to hold GE crops to an unreasonable double standard, then of course they're going to fail. But I could apply that same argument to non-GE crops. Crops with different traits will cross pollinate and result in different progeny, which can cause issues in some instances. Arbitrarily declaring one thing be grown in greenhouses while giving everything else a free pass makes no sense.
Your post shows exactly why I hate anti-GMO marketing so much. It preys on an ignorance of modern agricultural methods, genetics, and basic botany, all while fostering opposition to a technology that society should be embracing.
I hate both sides personally because they are both lying to some degree, just the anti GMO crowd tend to be very uneducated in what they are campaigning about so oft more full of it. There is sometimes truth in what they say though. For instance the RoundUp tolerant thing, they DO actually drench SOME things such as wheat even though it isn't designed for that per se. It has a secondary effect in that it acts as a desiccant so they often use more than they are supposed to. The problem is the noise on both s
Re: (Score:1)
100% tomato genetically, just lacking an enzyme to break down pectinase for instance (although that mod turned out different to intended in use it is obviously harmless).
meant break down pectin sorry, I forget the exact pectinase they chopped out for that one. There were some other tomato mods which I don't like more on the basis of negative effect to taste than health risks so I sometimes disagree on those grounds but that isn't a gmo issue.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Uh no. You're conflating two arguments.
GMO itself is a good thing for the planet.
It allows us to unlock more potential in our foods. More hardy, faster growing, more productive, more nutritious, more resistant to pests and herbicides.
I will agree with you that the licensing structure is fairly evil and counterproductive. But these companies DO deserve to be remunerated for the costs involved in developing these crops and their growing ecosystem.
I could understand you wanting to ban because you thought th
Re: (Score:2)
Just so you know. Whether you've known it or not, you've been eating RoundUp resistant crops for over a decade now.
And, likely, NONE of the farmed food you have ever eaten is unmodified by the hand of man over the last several centuries.
Re: (Score:2)
I've never seen an ad taking a stance, which is what you imply, simply ads talking about what they offer.
Kudos for honesty! (Score:1)
Nice web tool to see if you were at risk - I was able to confirm from my cc records that I didn't use it there on any of the at-risk dates. Thanks to their doing the right thing, I can relax. (If there was a hit I would have replaced my CC.)
Too many companies either cover up this stuff, or don't give you the info needed to act. I'm looking at you Target, T.J. Maxx, ...
Re: (Score:3)
If they're doing the right thing, I should receive notice from my financial institution that Chipotle contacted them and paid for the cost to issue me new plastic.
Chip vs. Strip? (Score:4, Interesting)
Is Chipotle on the chip, or are their readers still strip based? My cards have chips these days, but I usually don't watch to see who uses which scan technology. Chip tech is supposed to combat this sort of thing, isn't it?
How'd that work out?
Re: (Score:2)
Re: (Score:2)
So the company announcement says that the malware stole data from magnetic strip reads.
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device."
I didn't see anything specifically state that chip-based interactions were immune. What percentage of payments were strip vs. chip based?
Re:Chip vs. Strip? (Score:5, Informative)
100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.
Re: (Score:1)
Re: (Score:2)
I wondered if this would be the case. Since chip tech exists, you'd only target malware at people who weren't using it...
Re: (Score:2)
100% of them since Chipotle in 2015 announced that they were not upgrading their POS systems to use EMV since they claimed that magnetic swipe is faster and would speed up their lines.
All they'd have to do to speed up Chip transactions is program their systems so while one customer is waiting for the chip transaction to complete, the next customer in line can be placing his order. Most small CC transactions don't even require a signature.
Re: (Score:2)
Have you never been to Chipotle? Multiple people are ordering while someone is paying.
Re: (Score:1)
Re: (Score:1)
I've never seen a register at a Chipotle that takes chips. It's all swipe.
Re:Chip vs. Strip? (Score:5, Informative)
Re:Chip vs. Strip? (Score:4, Insightful)
I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.
Re: (Score:2)
Puts a new take on the phrase 'fast food'.
Re: (Score:1)
That's only because the US completely botched the adoption of EMV, although things seem to be getting better now.
Compare to a country like the UK or Australia where it's been done properly and there's "tap and go"... you tap your card on a reader and it beeps and the transaction is complete. It's faster than swiping a card.
Re: (Score:2)
We in the US should be ashamed that the godless communists in Europe are more efficient at separating consumers from their money.
Re: (Score:2)
I'm surprised that more high-volume retail locations haven't done the same: the chip is painfully slow compared to the swipe strip, and if you are processing 100s per hour it can really put a crimp in customer flow.
I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.
Re: (Score:2)
I have seen precisely one POS terminal that read a chip as fast as a swipe. It's possible. Unfortunately I don't recall where.
literally everywhere in Europe & Australia maybe :D
It is staggeringly rare to see swipe at all now.
Re: (Score:1)
Because oligopolies control the payment market. Break them up and you'll get faster systems.
Re: (Score:2)
Re: Chip vs. Strip? (Score:1)
The US seems quite backwards in its credit card technology, here in the UK we have had chip & pin basically exclusively for a decade and are now using RFID for low value touch based transactions (less than £30)
Re: (Score:2)
Stupidity like this is why card issuers are simply going to have to make EMV mandatory. Same deal with gas stations; yes I realize EMV readers are expensive but it's cost of doing business. Deal with it and upgrade your shit.
Re: (Score:2)
Stupidity like this is why card issuers are simply going to have to make EMV mandatory
The issuers aren't going to be doing anything for a while. Because at the moment, the vendor who gets hacked is now responsible for all mag stripe fraud.
Re: (Score:2)
Re: (Score:2)
Basically the banks have said that if a card has a chip and a merchant doesn't use it then the merchant gets to eat the fraud cost. So chip tech reduces the amount of fraud the banks have to eat the cost of.
But there are still a lot of non-chip transactions (e.g. card not present, merchants that refuse to upgrade) which are still as insecure as ever. While the merchant gets to eat the bill the customer and bank still have to deal with the rigmarole of identifying the fraudulent transactions and replacing th
Re: (Score:2)
Which is why the banks didn't bother optimizing the way the chips work to make them fast, the fewer businesses that adopt the chip, the better for them.
And this is why I carry cash (Score:3)
My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.
If you're in the States it hardly matters (Score:2)
Re: (Score:2)
My wife complains that I'm always carrying cash so my wallet is always bulky and I'm missing out on credit card rewards.
You carry around a bulky wallet full of cash all of the time because you don't want the mild inconvenience of having a credit card number stolen?
I've had 2 CC numbers stolen -- with one, I didn't realize it until I got a fedex envelope from the bank with a replacement card, with the other, it took 10 minutes online to complete a fraud report and flag fraudulent transactions, then I had to sign and return a paper that I received with the replacement card.
Re: (Score:2)
Re: (Score:2)
So what you're saying is that you'd rather be mugged at gunpoint than having your credit card skimmed.
Yes, because:
1. I live in a country where you simply don't get mugged at gunpoint.
2. I know enough self defence that I can reliably beat most attackers unarmed.
3. Thanks to contactless, my cards are just as valuable to a mugger as cash.
Due to points 1 and 2, I don't worry about being mugged, due to point 3, after a long hiatus in the UK, mugging and pick pocketing is making a comeback. If a mugger gets my wallet, they only get what's in the wallet (I've disabled contactless on all of my cards, but a mugger do
Goddamnit (Score:2)
"Earlier this year, Chipotle announced that their payment processing system was hacked."
Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?
I am SO glad that I never ate at Chipotle, but that's just down to pure luck more than anything else. If I had, and my credit card info had been hacked, I would be pissed off beyond all reason.
Fucking clowns. After you hear about the 1,000th data breach you start to realize
Re: (Score:2)
Jesus fuckin' christ, will shit ever end? Is there one god damn business that can secure their shit to keep their customer's information safe?
We're currently deep in the Dark Ages of computer security, and I'm not 100% sure it's the fault of your typical companies that get hacked.
If 999,999 out of 1,000,000 of your customers somehow use your tool wrong, and cut off their hands, the real problem might be the tool...
Humans can't seem to secure anything (e.g., Windows, credit card machines, servers, etc.) because the whole process is incredibly error prone and ridiculously complex.
Chipotle, out in front again (Score:2)
Chipotle researchers have found a way to imprint the giardia genome into customers' credit card strips. This can cause it to jump to rival restaurants.
Hence we need Apple Pay and Android Pay (Score:3)
Chipotle's latest problem is why restaurants and retailers need to offer Android Pay and Apple Pay support.
Why? Because under Android Pay and Apple Pay, you transact using a specially encrypted code that is not anywhere close to your credit card number. As such, there's no such thing as "skimming for card number," and it's extremely difficult--even if the hacker could intercept the data stream--to use it for credit card fraud.
Re: (Score:1)
Or bring the American cards up to European standards. They could have done that with the last switchout. In fact they *COULD* have made it more secure than the European standard. But no. Too hard or some such bullshit excuse.
Probably take them 20 years to decide to upgrade again unless there's a really big problem.
Android pay, apple pay - I was using that. In the case of Android they changed something so it didn't work anymore. So I had to get a new version of their pay, which doesn't want to work with the
Re: Pay Cash, Don't Care (Score:3, Funny)
A puff of the vape and a tip of the fedora to you, Sir Edgy!
Re: (Score:1)
Well, in most first world, civilized, countries the reason to pay with card (debit, credit, doesn't matter) is twofold: less paper, force companies to declare all earnings (transaction traceability... follow the money baby, follow the money... it's easy to have it on paper and every odd receipt be a dud, hard to explain money flowing from one account to the other directly to the company's account and not being theirs and not matching their tax declaration). But then again, that's in first world, civilized,
Re: (Score:2)
No per diem? I don't have to present receipts for basic food and lodging provided I stay under the company's estimated costs for the market area I am working in. X amount of dollars per day for food and a basic lodging rate. If something exceeds that limit I either call and get authorization or retain and file the receipts. Most of my lodgings are arranged ahead of time and paid for by corporate accounting and I don't even have to do a thing besides show ID and sleep.
Re: (Score:2)
Cash? So I have to go to a bank periodically (once a week?) and wait in line to withdraw paper currency. So your solution is I should have yet another chore in my life.
Re: (Score:2)
Yeah ATMs are really crowded and they take forever to give you cash. Like I mean you might have to wait up to five minutes in your air conditioned or heated car while inserting a card, punching a few numbers, and grabbing that dough. And those fees! $3 just to get cash once a week. Really terrible. It's almost like it's nothing but it feels like thousands of dollars in fees.
$150/year is "nothing" to you? Yet you also consider that your time has no value either since you don't mind spending an extra 5 - 10 minutes/week driving to the bank to retrieve cash (that's 4 - 8 hours/year).
Re: (Score:2)
Avoiding paying $3 to a machine is not a micro optimization, it's more of not wanting to pay a lot for what seems like a trivial service on their end.
An ATM business is what, load money into a busy machine once a day and collect $500? Pay $3 seems steep compared to their effort.
Re: (Score:2)
The banks and the networks doing the processing are separate. Many people here pay two fees, one at the ATM that is split by the processing company and machine owner, and another fee their bank secretly charges. My bank charges me $5 a month if I use any out-of-network ATMs that month, rather sneaky.
To fix this in the US, I think we'd have to restructure our networks to eliminate the need for these interchange networks. Putting an entire industry out of business is politically difficult, especially in a nat
Re: (Score:2)
Banks want your money because they use it to make more money.
If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.
Re: (Score:2)
Banks want your money because they use it to make more money.
If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.
They don't exist in the US.
Re: (Score:2)
If you're paying somebody to store or access your money, you're doing something wrong. Drop whatever lousy excuse for a bank you're using and find one that won't charge you.
They don't exist in the US.
You're talking utter nonsense. If you actually believe this, then you've obviously never compared financial institutions.
Re: (Score:2)
I can't consider your statement relevant until you've completely documented the micro optimization of your life
I don't want to waste 5 minutes at an ATM every week, I'm certainly not going to write a detailed thesis on my life's micro optimizations so an Anonymous Coward too lazy to create or log in to a Slashdot account will consider my statement relevant. But I'll tell you another of my micro optimizations - I don't waste 10 - 15 minutes every week driving to the gas station to buy gas.
Re: (Score:2)
$150/year is "nothing" to you?
Yep. I make a decent living.
Maybe you should go back to school?
Then why would you pay hundreds of dollars to spend hours in line at the bank each year? Did you learn that in school?
Re: (Score:2)
But an ATM could have the same malware problems. Best not to use those either.
(you probably won't get E. Coli from the ATM, so it has that going for it)
Re: (Score:2)
Cash?
That's what I do. I do my best to use only cash at restaurants, including fast food and sit down restaurants. For multiple reasons.
One, computer security is truly deep in the dark ages these days. Both of the Chipotle restaurants I frequent were included in the hack, so I just saved myself a bunch of trouble getting a new card, changing some of my automatic payments for things like Netflix, etc.
Two, I don't have to wait for the server to pick up my credit card, process it, and return it.
Three, I'm pretty su
Re: (Score:2)
I use credit cards at restaurants and get reimbursed when someone steals from me. It's a 20 minute phone call to my credit card company and hasn't happened to me in 3 years. But it couldn't be simpler, assuming you like to review your monthly statements as part of tracking your personal budget.
Don't use an ATM/Debit card for anything, banks are a huge pain in the ass about fraud and it will take about 90 days to get your money back into your account.
My "fun money" is also my lunch money, and I can't really