U.S. fast-food chain Sonic Drive-In said Tuesday it is investigating a potential payment card breach. Its alert follows a large, potentially related batch of stolen card data appearing for sale on a cybercrime "carder" marketplace.
PCI-DSS Stumble?
If verified, Sonic would be the latest large U.S. business to be targeted by payment card data thieves. Retailers, hotels, restaurants and many other types of businesses have been hammered by cybercriminals who use a variety of techniques to steal card data.
Businesses that accept cards are contractually required by the card brands to follow the Payment Card Industry's Data Security Standard, or PCI-DSS, a lengthy set of requirements for securing payment data that covers network segmentation, access control, logging and encryption of card details in transit and at rest. The regimen is designed so that an intruder who does get into a merchant's network does not find unencrypted card data waiting to be taken.
But reaching PCI-DSS compliance can be difficult. And once an organization is compliant, it can easily fall out of compliance due to changes in its infrastructure or new business processes.
There's also third-party risk. Many companies have service agreements with a variety of vendors that have network access to their clients. "These vendors that do remote access - they're sometimes lazy and they want to use the same password across all stores, and none of them are secure," says John Christly, global CISO for Netsurion, a network security vendor.
That's what happened with another fast-food chain, Wendy's, last year. Hackers stole access credentials belonging to some of Wendy's service providers and used them to install malware on point-of-sale systems in 1,025 U.S. restaurants (see Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).
Likewise, retailer Target in 2013 lost 40 million card details and 70 million other records after attackers gained access to its network through a vendor that installed refrigeration systems in its stores.
Another common attack vector is phishing: fake emails disguised to look legitimate. Netsurion's Christly says it's possible that someone at Sonic fell victim to such an attack, in which the target is baited into clicking a malicious link or opening malware disguised as a legitimate file, giving attackers a beachhead in the victim's network.
Old-Time Terminals
If PCI-DSS requirements are implemented correctly, in theory, it should be very difficult to steal payment card details.
But nothing is ever 100 percent certain, and many companies in the United States have yet to shore up their payments infrastructure, says Robert Capps, vice president of business development at NuData Security, a company that specializes in detecting fraud.
"You still have a lot of old-time terminals and storage and forwarding of credit card numbers that is still happening at some of these merchants," Capps says.
Credit card companies have also been pushing retailers to install EMV-compliant payment terminals. Those terminals accept payment cards with a cryptographic chip, which computes a one-time cryptogram over each transaction's details using a key that never leaves the chip; the issuer verifies that cryptogram before approving the purchase. Because a captured cryptogram cannot be reused and the key cannot be read out, EMV prevents the use of counterfeit cards, provided the original card carried an EMV chip and the terminal actually reads it.
Fraudsters have enjoyed years of success when copying the magnetic stripe on the back of the card and then creating a copy that can be used to make in-person purchases.
EMV Upsides
An EMV-enabled terminal also reads the service code encoded on the magnetic stripe, which indicates whether the card carries a chip, and refuses a swipe when the card should have been inserted instead. EMV, however, is aimed only at stopping card cloning. It does not stop memory-scraping malware on a point-of-sale terminal, which still sees the card number and expiration date in the clear unless the merchant has also deployed point-to-point encryption; that data cannot be turned into a working chip card, but it is enough for online, card-not-present fraud.
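The cryptogram check and the magnetic-stripe weakness described in the two paragraphs above, as an added illustration that is not part of the original article and is not real EMV code: a constructed Python simulation in which the issuer verifies a per-transaction MAC and a transaction counter, so a captured chip transaction cannot be replayed and a card that lacks the chip's key cannot produce a valid cryptogram, while a skimmed copy of stripe track data is accepted unchanged. The key handling, MAC algorithm, message format and service-code check are simplified assumptions (HMAC-SHA256 stands in for EMV's 3DES/AES cryptogram), and the card numbers are test values.

```python
import hashlib
import hmac
import os

# Constructed simulation of the EMV property discussed above. Real EMV derives a
# per-transaction session key from the card's key and its transaction counter and
# computes a 3DES/AES MAC over the terminal's CDOL data; HMAC-SHA256 over a
# pipe-joined string is assumed here as a stand-in with the same replay property.


def arqc(key, pan, atc, amount, un):
    """Toy Application Request Cryptogram: MAC over the transaction details."""
    data = f"{pan}|{atc}|{amount}|{un.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip holds a secret key that never leaves the card."""

    def __init__(self, pan, expiry, key):
        self.pan, self.expiry, self._key = pan, expiry, key
        self.atc = 0  # Application Transaction Counter, advances every use

    def generate_ac(self, amount, un):
        """Authorization request the terminal forwards to the issuer."""
        self.atc += 1
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount,
                "un": un, "atc": self.atc,
                "arqc": arqc(self._key, self.pan, self.atc, amount, un)}


class MagStripeCard:
    """Track 2 is static data: whoever reads it once can write it again."""

    def __init__(self, pan, expiry, service_code, cvv1):
        self.track2 = f"{pan}={expiry}{service_code}{cvv1}"


class Issuer:
    """Issuer host: knows each card's key (or static CVV1) and the last ATC seen."""

    def __init__(self):
        self._cards = {}

    def issue_chip_card(self, pan, expiry):
        key = os.urandom(16)
        self._cards[pan] = {"key": key, "last_atc": 0, "cvv1": None}
        return ChipCard(pan, expiry, key)

    def issue_stripe_card(self, pan, expiry, cvv1="123"):
        self._cards[pan] = {"key": None, "last_atc": 0, "cvv1": cvv1}
        return MagStripeCard(pan, expiry, "101", cvv1)  # 1xx: no chip on card

    def authorize_chip(self, msg):
        rec = self._cards.get(msg["pan"])
        if rec is None or rec["key"] is None:
            return False
        expected = arqc(rec["key"], msg["pan"], msg["atc"], msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False  # unknown key (counterfeit) or altered amount/nonce
        if msg["atc"] <= rec["last_atc"]:
            return False  # counter did not advance: a replayed cryptogram
        rec["last_atc"] = msg["atc"]
        return True

    def authorize_stripe(self, track2):
        pan, rest = track2.split("=")
        rec = self._cards.get(pan)
        # Only a static value can be checked, so a perfect copy passes.
        return rec is not None and rec["cvv1"] == rest[7:]


def terminal_accepts_swipe(track2):
    """EMV-capable terminal: refuse a swipe when the service code says a chip exists."""
    service_code = track2.split("=")[1][4:7]
    return service_code[0] not in "26"  # 2xx/6xx service codes mean IC present


def scraper_view(msg):
    """What RAM-scraping malware on the POS still harvests from a chip transaction."""
    return {"pan": msg["pan"], "expiry": msg["expiry"]}


def demo_chip_cryptogram():
    """Returns (genuine accepted, replay accepted, counterfeit accepted)."""
    issuer = Issuer()
    card = issuer.issue_chip_card("4111111111111111", "2512")  # test PAN
    msg = card.generate_ac(1999, os.urandom(4))  # 4-byte terminal nonce
    genuine = issuer.authorize_chip(msg)
    replay = issuer.authorize_chip(msg)  # same message captured and re-sent
    counterfeit = ChipCard(card.pan, card.expiry, os.urandom(16))  # wrong key
    forged = issuer.authorize_chip(counterfeit.generate_ac(1999, os.urandom(4)))
    return genuine, replay, forged


def demo_stripe_clone():
    """A skimmed copy of track 2 authorizes exactly like the original."""
    issuer = Issuer()
    card = issuer.issue_stripe_card("4111111111111111", "2512")
    skimmed = str(card.track2)  # what a skimmer or scraper captured
    return issuer.authorize_stripe(skimmed)


if __name__ == "__main__":
    print("chip (genuine, replay, counterfeit):", demo_chip_cryptogram())
    print("stripe clone accepted:", demo_stripe_clone())
```

The `scraper_view` function is the caveat in code: even in the chip path, the authorization message carries the PAN and expiry in the clear, which is what point-of-sale malware collects; the cryptogram alongside them is worthless to the thief once the issuer has seen it.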
For Sonic, however, the EMV discussion remains academic. Christi Woodworth, Sonic's vice president of public relations, tells Information Security Media Group in a statement that the company "has not adopted EMV for a variety of reasons specific to our business."
Woodworth adds: "Many in the security industry feel that EMV would have minimal benefit against many of the recent breaches but as we learn more, we will evaluate."