Krebs on Security is reporting that US chain of fast food burger restaurants, Wendy’s, is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations. Security experts from VASCO Data Security, Lastline, Tripwire, STEALTHbits Technologies and InfoArmor have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Travis Smith, Senior Security Research Engineer at Tripwire :
“Cyber criminals continue to feast on point of sale devices. The primary function of these computers and networks are to process customer orders as quickly as possible. Security is often an afterthought which is added on later. Although details of the Wendy’s breach are not yet publicly known , there are some quick steps that organizations with point of sale devices can take to protect their customers with little to no cost.
Most of the credit card stealing malware sends the customer card data to a location on the Internet. Lock down the point of sale devices to prevent them from accessing the Internet. Second, these devices typically are little to no change outside of known Windows. Monitoring for changes to the devices can alert the staff to take appropriate steps to contain a possible breach before it spreads.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]John Gunn, Vice President of Communications, VASCO Data Security:
“You can expect that the breach will be massive when it is ultimately disclosed. It is very easy for hackers to rapidly scale an attack, so whatever vulnerability or security weakness they exploited was undoubtedly quickly applied in attacks nationwide.
“You can see an unfortunate pattern here where retail firms are making a large investment in IT security forensics after a breach has occurred, instead of investing in prevention beforehand.
“Consumers are perhaps too fast with their forgiveness. Home Depot and Target now have significantly higher market values than before their infamous data breaches. The surveys that show consumers will not do business with a retailer that loses their data are wildly inaccurate.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Giovanni Vigna, Co-Founder & CTO, Lastline:
“It is very challenging to protect a large distributed system with thousands of location, each with multiple POS devices. Certain attacks, such as POS malware, can be prevented using state-of-the-art malware detection systems, but it is much more difficult to control physical processes and devices.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jeff Hill, Channels Manager, STEALTHbits Technologies:
“The breach at Wendy’s is yet another example of how effective and difficult-to-detect today’s cyber threats can be. Like many other breaches, it was discovered not by the company’s internal security team, but rather an outside entity, in this case, credit card fraud algorithms that detected the anomalous use of the card numbers after they’d been stolen. The challenge posed by the current generation of cyber criminals is by no means unique to Wendy’s. The bottom line is that it’s extraordinarily difficult to detect a well-designed attack with a patient criminal at the controls.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Andrew Komarov, Chief Intelligence Officer, InfoArmor:
“Point-of-Sales infections are a very visible trend that’s taken off over the past few years. Keeping in mind that traditionally, big corporations and retailers use franchised-based models, in many cases their security in different branches is absolutely decentralized on practice. This allows bad actors to take advantage of such insecurities and successfully distribute malware on terminals in order to collect Track 2 data, and to perform intrusions into their targeted networks for data exfiltration.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.