Hopefully this pushes more and more restaurants towards using separate chip-reader (EMV) pinpad devices. I've noticed several area restaurants switching lately (Arby's, Wendy's), and I hope it continues. These devices use point-to-point encryption, meaning that even if the POS machine is compromised, no sensitive card data can be stolen. The POS machine never sees raw card data.
Chip readers are terribly slow; I don't understand how they could not develop a secure payment system without ~10-second delay times. My local grocery store installed new chip readers and within a week had taped over them in favor of the more-expensive but quicker stripe processing.
Just because someone is forcing you to use the chip DOES NOT MEAN THAT IT'S AN EMV TRANSACTION
There is no way to know if you are actually doing an EMV transaction.
The EMV spec has nothing at all to do with security. PCI controls security. I can read the card data via the chip and it's all in the clear. EMV is about process integrity, and the integrity testing is ridiculous. Chip cards are harder to forge, but that's about it. The new rules about liability put the liability for processing a forged card on the merchant, if the transaction isn't done with EMV.
Are you saying that you know of systems which use the tag 57 (track 2 equivalent data) to read an EMV chip and process the transaction manually? I'd be surprised if most banks would even approve those transactions (no CVV/CVV2, etc).
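The two comments above turn on what tag 57 (Track 2 Equivalent Data) actually holds when a POS does a plain READ RECORD against a chip. Here is an added example, not code from the thread or from any payment vendor: a minimal BER-TLV walk over a constructed record that pulls out tag 5A (PAN), tag 57 and tag 5F24, showing the PAN, expiry and service code in the clear. The record bytes, the layout of the sample record and the PAN 4111111111111111 (a well-known test number) are all constructed here; `extract_card_data` and the other function names are this example's own.

```python
"""Added example: parse a constructed EMV READ RECORD response and decode
tag 57 (Track 2 Equivalent Data). Nothing here is real card data."""
from typing import Dict, List, Tuple

# Constructed sample values (well-known test PAN, not a real card).
SAMPLE_PAN = "4111111111111111"
# Tag 57 layout: PAN, 'D' separator, expiry YYMM, service code,
# discretionary data, then 'F' padding to a whole byte.
SAMPLE_TRACK2_HEX = SAMPLE_PAN + "D" + "2512" + "201" + "0" * 13 + "F"


def build_sample_record() -> bytes:
    """Constructed tag-70 record carrying 5A (PAN), 57 (track 2 equivalent)
    and 5F24 (application expiration date, YYMMDD), as a chip would return it."""
    pan_bcd = bytes.fromhex(SAMPLE_PAN)
    track2 = bytes.fromhex(SAMPLE_TRACK2_HEX)
    body = (
        bytes([0x5A, len(pan_bcd)]) + pan_bcd
        + bytes([0x57, len(track2)]) + track2
        + bytes([0x5F, 0x24, 0x03, 0x25, 0x12, 0x31])
    )
    return bytes([0x70, len(body)]) + body


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Flat list of (tag, value) pairs; constructed tags are descended into.
    Handles multi-byte tags (low five bits of the first byte all set) and
    long-form lengths (0x81 nn, 0x82 nn nn)."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):  # padding between objects
            i += 1
            continue
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:  # subsequent tag bytes follow
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        length = data[i]
        i += 1
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:  # constructed object: recurse into it
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def decode_track2_equivalent(value: bytes) -> Dict[str, str]:
    """Unpack packed-BCD tag 57 into its fields. Trailing 'F' is padding."""
    nibbles = value.hex().upper().rstrip("F")
    pan, _, rest = nibbles.partition("D")
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def mask_pan(pan: str) -> str:
    """PCI-style display masking: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_card_data(record: bytes) -> Dict[str, str]:
    """What the POS (or malware on it) sees after a plain READ RECORD."""
    fields = dict(parse_tlv(record))
    result: Dict[str, str] = {}
    if 0x5A in fields:
        result["pan_from_5a"] = fields[0x5A].hex().upper().rstrip("F")
    if 0x57 in fields:
        t2 = decode_track2_equivalent(fields[0x57])
        result["pan_from_57"] = t2["pan"]
        result["expiry_yymm"] = t2["expiry_yymm"]
        result["service_code"] = t2["service_code"]
    if 0x5F24 in fields:
        result["expiry_yymmdd"] = fields[0x5F24].hex()
    result["pan_masked"] = mask_pan(result.get("pan_from_57", ""))
    return result


if __name__ == "__main__":
    print(extract_card_data(build_sample_record()))
```

Note that the discretionary data in the chip's track 2 equivalent normally carries a different check value (the iCVV) from the one encoded on the magstripe, which is the point the reply above is getting at: the PAN and expiry are readable, but a swipe replayed from tag 57 data does not carry the stripe's CVV1.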
My area was hit, and I did get hit with credit card fraud. I suspected a different vector (shady medical vendor and coincidental timing). The card that got hit was indeed used at Chipotle, but a week after the supposed "time range" indicated on the security site. Maybe the time range isn't absolute.
Why is there no legal recourse here outside of spending my own time/resources to cancel cards and deal with all the BS that occurs with that whenever this happens? There should be financial repercussions, each affected individual should be awarded monetary compensation for their time.
I believe that since Chipotle was still using magstripe credit card readers, they are now financially liable for any fraudulent charges on your account.
There is legal recourse. It just isn't automatic. Same thing if you slip and fall at a Chipotle. They offer as little as they think they can get away with, often that's nothing.
You agreed not to get that when you got the card. And they agreed to pay you any money damages without arguing much. It's a good deal, but you can choose to use cash if you pref
Not a lawyer, but you probably do have cause for a lawsuit. Search "credit card data breach class action" and find lawyers/law firms who have handled similar cases in the past. If your data was compromised by a deep pocketed company and it was a large scale breach you can probably find a lawyer to file a class action on contingency.
In the past there have been a mix of "off-the-shelf" memory scrapers as well as custom-written targeted malware. Generally they'll get inside the network and push out an exe/dll to all of the POS machines from some compromised machine. Depending on how locked down the POS machines are, there are various methods for either getting read access to the POS application process memory or having the dll injected into its memory. From there they find a way to extricate the data, either manually or automatically, depending on how locked down the network is. Application whitelisting solutions can really help block this kind of attack, but they're not perfect either. If an attacker can figure out how to get root on the machines, game over. This is why stand-alone point-to-point encrypted EMV card readers are the way to go. You can't scrape the process memory for data it doesn't have, and the card readers themselves are pretty tamper resistant (if you don't count external skimmers).
I checked my home and all of the places where I know Chipotle is at in 4 different states. Every single one was on there. Would be nice if they said what percentage of stores were hit. The language implies a minority, but this looks like it could be most of them.
> The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) ... There is no indication that other customer information was affected.
What other customer information could have been affected? Kudos on the masterful PR spin — I guess by now Chipotle has had a lot of practice at this...
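The memory-scraper comment above and the quoted notice ("the malware searched for track data") both describe the same search: a RAM scraper walks the POS process memory looking for track 1/track 2 formatted strings. The following is an added example, not code from the thread, from Chipotle or from any known malware family: the same regex-plus-Luhn search a scraper runs, written as the detection logic a responder would run over a process memory dump. The memory image is constructed in the file (the PAN 4111111111111111 is a well-known test number, and the decoy PAN is chosen to fail Luhn); `scan_memory` and `confirmed_hits` are this example's own names.

```python
"""Added example: track-data search over a constructed process memory image,
usable as RAM-scraper detection on a real dump. No real card data."""
import re
from typing import Dict, List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([0-9 ]*)\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# Constructed memory image: unrelated strings, one track-1 record, one
# track-2 record, and a decoy that looks like track 2 but fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS_Terminal_v3.2\x00settle=0\x00"
    + b"%B4111111111111111^DOE/JOHN^2512201" + b"0" * 13 + b"?\x00"
    + b"txn_id=000812\x00"
    + b";4111111111111111=2512201" + b"0" * 13 + b"?\x00"
    + b";1234567890123456=2512201" + b"0" * 9 + b"?\x00"
    + b"https://example.invalid/gw\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters most digit runs that merely happen
    to sit in front of an '=' somewhere in memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only, so the detector's own output is not
    a fresh store of cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Every track-1/track-2 looking span in the buffer, annotated with
    whether its PAN passes Luhn, ordered by offset."""
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                     "luhn": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(2).decode(), "luhn": luhn_ok(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def confirmed_hits(buf: bytes) -> List[Dict[str, object]]:
    """Only the spans a scraper would actually keep: Luhn-valid PANs."""
    return [h for h in scan_memory(buf) if h["luhn"]]


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Pointed at a dump of the POS application process (e.g. `scan_memory(open("pos.dmp", "rb").read())`), this returns the offsets of cleartext track data. Hits on a system that is supposed to be using a P2PE pinpad are themselves a finding, since the POS process should never hold that data in the first place.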