Why It’s So Easy for Hackers To Steal Credit Card Numbers from Restaurants

March 22 2012 11:30 PM

A Burger, an Order of Fries, and Your Credit Card Number

Why it’s so easy for hackers to steal financial information from restaurants.

Is your credit card number at risk when you go to a restaurant?

Photo by Pascal Le Segretain/Getty Images.

At some point in your restaurant-going life, you’ve probably felt a pang of doubt when you handed over your Visa card. How easy it would be, you probably thought, for a waiter to copy your credit card number and head out on a shopping spree. You probably got over it, reasoning that people who do such things probably get caught. And maybe you’re right. But that doesn’t mean you’re safe. The real threat isn’t that your charming waiter will steal your financial information. It’s that the Russian mafia will steal it from your waiter.

Will Oremus

Will Oremus is Slate's senior technology writer.

On Thursday, Verizon released its Data Breach Investigations Report, an annual landmark in the data-security industry. The big story this year, Verizon reports, was the rise of “hacktivists”—vigilantes who orchestrate high-profile cyber-attacks on big corporations, government entities, and even Internet security companies, usually to make a political statement (although sometimes, it seems, out of sheer vindictiveness). These are the attacks that make headlines, and for good reason: They’re sophisticated, brazen, and sometimes downright scary.

But if 2011 was “the year of the hacktivist,” as Forbes proclaimed, every year is the year of the run-of-the-mill cybercriminal. For at least a decade, organized crime groups around the world, but particularly in Eastern Europe, have been honing their hacking skills in a bid to capture our credit card and bank account numbers. Increasingly, they’re targeting restaurant franchises and other small businesses by hacking their point-of-sale checkout systems, which are often woefully insecure. And, as the Verizon report shows, they’re getting better at it all the time.


Unlike hacktivists’ flashy attacks, these criminals’ exploits rarely make the news. Publicity is not in their interest, and it can take months for their victims to find out they’ve been hit. When businesses do learn they’ve been compromised, they often conclude that publicizing the crimes wouldn’t be in their interest either. For these reasons, attacks on retail establishments fly under the radar, though they vastly outnumber those orchestrated by well-known groups like Anonymous and LulzSec, which accounted for just 3 percent of the 855 data-breach cases covered in the Verizon report.

Restaurants were easily the most-targeted businesses, accounting for over half of all reported attacks. Retail stores were second, at about 20 percent. The findings are consistent with those of a similar report released earlier this year by Trustwave, an information security company, which found that the food and beverage, retail, and hospitality industries combine to account for 80 percent of data breaches.

Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems.

Rich Mogull, an information security analyst who runs a company called Securosis, explains that a typical cybercrime works something like this. First, a hacker—often in Russia, but sometimes in the United States, Romania, Vietnam, or elsewhere—uses special software to scan a portion of the Internet for IP addresses that look like they might belong to the servers restaurants and retailers use to transmit credit and debit card data. When the hacker finds such addresses, they are sent to another program that starts trying common passwords to log into the server remotely.
