Why It’s So Easy for Hackers To Steal Credit Card Numbers from Restaurants

Innovation, the Internet, gadgets, and more.
March 22 2012 11:30 PM

A Burger, an Order of Fries, and Your Credit Card Number

Why it’s so easy for hackers to steal financial information from restaurants.

Credit card reader
Is your credit card number at risk when you go to a restaurant?

Photo by Pascal Le Segretain/Getty Images.

At some point in your restaurant-going life, you’ve probably felt a pang of doubt when you handed over your Visa card. How easy it would be, you probably thought, for a waiter to copy your credit card number and head out on a shopping spree. You probably got over it, reasoning that people who do such things probably get caught. And maybe you’re right. But that doesn’t mean you’re safe. The real threat isn’t that your charming waiter will steal your financial information. It’s that the Russian mafia will steal it from your waiter.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

On Thursday, Verizon released its Data Breach Investigations Report, an annual landmark in the data-security industry. The big story this year, Verizon reports, was the rise of “hacktivists”—vigilantes who orchestrate high-profile cyber-attacks on big corporations, government entities, and even Internet security companies, usually to make a political statement (although sometimes, it seems, out of sheer vindictiveness). These are the attacks that make headlines, and for good reason: They’re sophisticated, brazen, and sometimes downright scary.

But if 2011 was “the year of the hacktivist,” as Forbes proclaimed, every year is the year of the run-of-the-mill cybercriminal. For at least a decade, organized crime groups around the world, but particularly in Eastern Europe, have been honing their hacking skills in a bid to capture our credit card and bank account numbers. Increasingly, they’re targeting restaurant franchises and other small businesses by hacking their point-of-sale checkout systems, which are often woefully insecure. And, as the Verizon report shows, they’re getting better at it all the time.

Advertisement

Unlike hacktivists’ flashy attacks, these criminals’ exploits rarely make the news. Publicity is not in their interest, and it can takes months for their victims to find out they’ve been hit. When businesses do learn they’ve been compromised, they often conclude that publicizing the crimes wouldn’t be in their interest either. For these reasons, attacks on retail establishments fly under the radar, though they vastly outnumber those orchestrated by well-known groups like Anonymous and LulzSec, which accounted for just 3 percent of the 855 data-breach cases covered in the Verizon report.

Restaurants were easily the most-targeted businesses, accounting for over half of all reported attacks. Retail stores were second, at about 20 percent. The findings are consistent with those of a similar report released earlier this year by Trustwave, an information security company, which found that the food and beverage, retail, and hospitality industries combine to account for 80 percent of data breaches.

Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems.

Rich Mogull, an information security analyst who runs a company called Securosis, explains that a typical cybercrime works something like this. First, a hacker—often in Russia, but sometimes in the United States, Romania, Vietnam, or elsewhere—uses special software to scan a portion of the Internet for IP addresses that look like they might belong to the servers restaurants and retailers use to transmit credit and debit card data. When they find them, they send that information to another program that starts trying common passwords to log into the server remotely.

TODAY IN SLATE

Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

Why Are Lighter-Skinned Latinos and Asians More Likely to Vote Republican?

A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

The XX Factor
Sept. 22 2014 12:29 PM A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

Subprime Loans Are Back

And believe it or not, that’s a good thing.

It Is Very Stupid to Compare Hope Solo to Ray Rice

Building a Better Workplace

In Defense of HR

Startups and small businesses shouldn’t skip over a human resources department.

How Ted Cruz and Scott Brown Misunderstand What It Means to Be an American Citizen

Divestment Is Fine but Mostly Symbolic. There’s a Better Way for Universities to Fight Climate Change.

  News & Politics
Politics
Sept. 22 2014 6:30 PM What Does It Mean to Be an American? Ted Cruz and Scott Brown think it’s about ideology. It’s really about culture.
  Business
Moneybox
Sept. 22 2014 5:38 PM Apple Won't Shut Down Beats Music After All (But Will Probably Rename It)
  Life
Outward
Sept. 22 2014 4:45 PM Why Can’t the Census Count Gay Couples Accurately?
  Double X
The XX Factor
Sept. 22 2014 7:43 PM Emma Watson Threatened With Nude Photo Leak for Speaking Out About Women's Equality
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
  Arts
Brow Beat
Sept. 22 2014 9:17 PM Trent Reznor’s Gone Girl Soundtrack Sounds Like an Eerie, Innovative Success
  Technology
Future Tense
Sept. 22 2014 6:27 PM Should We All Be Learning How to Type in Virtual Reality?
  Health & Science
Medical Examiner
Sept. 22 2014 4:34 PM Here’s Where We Stand With Ebola Even experienced international disaster responders are shocked at how bad it’s gotten.
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.