Why It’s So Easy for Hackers To Steal Credit Card Numbers from Restaurants

Innovation, the Internet, gadgets, and more.
March 22 2012 11:30 PM

A Burger, an Order of Fries, and Your Credit Card Number

Why it’s so easy for hackers to steal financial information from restaurants.

(Continued from Page 1)

Many of the companies that install point-of-sale systems for small businesses neglect to set up unique passwords. When hackers find one that works at a particular franchise of a chain restaurant, they add it to the list, and often find it works at dozens or hundreds of others as well. In one of the few cases that registered on the national news radar, a Romanian gang allegedly poached credit card information from 200 Subway sandwich outlets in the United States over three years.

Once they tap into the servers, hackers often install programs to log credit card numbers. After they get the numbers, the shrewder criminals don’t use them right away. Instead, they bundle and sell them on the black market. Verified numbers fetch more than unverified ones; those with names attached fetch more still.

Customers don’t learn their information has been compromised until weeks or months later, when their banks flag purchases as suspicious. Even then the banks can’t always tell where the breach originated. And when restaurant owners do find out they’ve been hacked, some, like Harry Trubounis of SideBar 410 in Dayton, Ohio, are scrupulous enough to email their regular customers and notify them. Those are the ones that occasionally end up in the local newspaper. “I wanted to be extremely proactive in dealing with it,” Trubounis told me. But not all restaurant owners want to risk the bad publicity, even if the breach wasn’t really their fault.

Not all cybercrimes happen exactly like this. Sometimes hackers use proximity or special knowledge to target an individual business. For instance, they’ll sit down in a café, order a latte, and proceed to log into the coffee shop’s unsecured point-of-sale system through its free Wi-Fi network. Or, in somewhat rarer cases, they enlist an employee to help them. Verizon estimates 4 percent of all data breaches are inside jobs. And yes, your smiling waiter will occasionally betray you by taking down your information when you’re not looking. These days they use skimmers. But it’s hard to do that for long without getting caught, especially if you’re using the cards to make purchases locally—as a ring of thieving waiters at fancy New York restaurants recently discovered.

But more often, it’s not your waiter who’s ripping you off. It’s a junkie in Maryland allegedly hacking Seattle restaurants’ servers to score heroin money, Russian thieves hacking restaurant wholesalers, or unknown miscreants hacking Jumper’s Junction sports bar outside of Pittsburgh or a Chili’s on Yokosuka Naval Base in Japan.

Security analysts say restaurant owners and the companies that install their point-of-sale systems are becoming more aware of the danger of credit card thieves. Scott DeFife, an executive vice president at the National Restaurant Association, told me his Washington, D.C.-based group makes an effort to educate its members about the risks of cybercrime. And compared with the size of the U.S. restaurant industry, which employs 13 million people, the scale of the problem is relatively small: probably hundreds of breaches each year, affecting perhaps hundreds of thousands of customers.

Yet the Verizon report suggests business owners could still be doing a lot more: 96 percent of all data-breach hacks were “not highly difficult”—up from 92 percent last year. The number was enough to spur Verizon to take an unusual step this year. On Page 62 of its report, it includes a cut-out section with simple tips for securing point-of-sale systems and encourages customers to hand it to the managers and owners of their favorite local haunts. At the bottom it says, “For more information, visit www.verizon.com/enterprise/databreach (but not from your POS).”
