Chipotle Reports Findings from Investigation of Payment Card Security Incident (opens in new tab)

(chipotle.com)

83 pointsrigden338y ago71 comments

71 comments

Hopefully this pushes more and more restaurants towards using separate chip-reader (EMV) pinpad devices. I've noticed several area restaurants switching lately (Arby's, Wendy's), and I hope it continues. These devices use point-to-point encryption, meaning that even if the POS machine is comprimised, no sensitive card data can be stolen. The POS machine never sees raw card data.

mmanfrin8y ago

Chipreaders are terribly slow, I don't understand how they could not develop a secure payment system without 10-second~ delay times. My local grocery store installed new chip readers and within a week had taped over time in favor of the more-expensive but quicker stripe processing.

saidajigumi8y ago

Hilariously, using contactless EMV payment (i.e. Apple/Android Pay) with the same POS terminals is lightning fast.

But this gets filed as "infrastructure is hard". A related example: If you get a chance, try the IC card system used by the train and transit systems in Japan; they're delightful.[1] At peak rush-hour, commuters are darn near running through the (many) pay stations tapping through without breaking stride -- including display of remaining balance!

Yet, the relatively recent transit tap card system where I live is laughingly slow. At a much more modest walking pace, it's easy to pull away from the reader before it's confirmed the transaction. Seconds per commuter, for system that's considerably newer than the IC card system.

2 more replies

Veratyr8y ago

Weirdly, I've only really noticed this in the US. Back in Australia where we've been using chips for about a decade, I rarely remember it taking more than a couple of seconds, certainly not 10.

We also have contactless payment on most of our credit cards (as in built into the card, not Android/Apple Pay) and support for it on ~90% of terminals as well though so it's not much used anymore.

2 more replies

sathackr8y ago

The problem with them is they force another prompt, which takes time to read, comprehend, and respond to.

Prompt #1: Credit/Debit?

Prompt #2: PIN

Prompt #3: Would you like cash back

Prompt #4: The total is $xx.xx, ok?

This is time consuming, particularly for people who aren't as comfortable with electronics and pressing buttons. And on top of that, many times the terminals themselves are slow.

Pay-at-the pumps are even worse

Prompt #5: Are you a fuel perks member?

Prompt #6: Receipt yes/no?

Prompt #7: Would you like a car wash?

and they're often even slower, the buttons are often hard to press, or don't register a beep and have a delay before the machine responds, so you wind up pressing the same one twice. And most lack a 'backspace', the screens suck, man don't get me started....lol

amenghra8y ago

You can do EMV in under 4 seconds. Source: https://squareup.com/townsquare/weve-chipped-away-at-emv-tra... and http://www.digitaltransactions.net/news/story/With-an-Update...

com2kid8y ago

Walgreen's has lightening fast chip readers.

Everyone else, yeah, pretty slow.

I am surprised that apparently only 1 vendor has figured out how to make a good chip reader, and I am sad that apparently other retailers don't care enough to buy from that one vendor.

bpicolo8y ago

I've encountered a few that only took a second or two. No idea why most of them are slow as crap given that. The ones at Starbucks (and others by that company) are terribly slow

acchow8y ago

Have you used Square's chip reader? Wicked fast recently.

heywire8y ago

Unfortunately when you need the chip in the card to sign the transaction details before sending to the bank, validate the response from the bank, and all of the steps in between, it takes a lot of time. There is a ton of work going into making this process faster. Things like EMV Quick Chip and contactless EMV (tap and pay) are quicker, and should be coming to retailers in the US soon. Of course we also have the option of Apple/Android Pay, which is somewhere in the middle.

toomuchtodo8y ago

Would you suggest reporting a card lost to get a new number issued if it was used at one of these locations?

heywire8y ago

Definitely if you used a debit card, since it could take a couple days to get any fraudulent charges reversed. Probably less important if you used a credit card, since you'll not have to pay for those charges and they'll just send you a new card at that point. I guess it just depends on if you want to be inconvenienced now or later :)

I personally used my credit card at one of the affected stores, and I do not plan on calling in to have my card number changed. I'll just keep a close eye on my statements (that, and I have alerts sent to my phone via SMS for any charge over $0.01, so I'd know pretty quickly)

1 more reply

throwaway911118y ago

Not much point until they require chips for credit card charges.

torturedcardboy8y ago

Just because someone is forcing you use the chip DOES NOT MEAN THAT IT'S AN EMV TRANSACTION

There is no way too know if you are actually doing and EMV transaction.

The EMV spec has nothing at all to do with security. PCI controls security. I can read the card data via the chip and it's all in the clear. EMV is about process integrity, and the integrity testing is ridiculous. Chip cards are harder to forge, but that's about it. The new rules about liability puts the liability for processing a forged card on the merchant, if the transaction isn't done with EMV.

heywire8y ago

Are you saying that you know of systems which use the tag 57 (track 2 equivalent data) to read an EMV chip and process the transaction manually? I'd be surprised if most banks would even approve those transactions (no CVV/CVV2, etc).

frikk8y ago

My area was hit, and I did get hit with credit card fraud. I suspected a different vector (shady medical vendor and coincidental timing). The card that got hit was indeed used at Chipotle, but a week after the supposed "time range" indicated on the security site. Maybe the time range isn't absolute.

tyingq8y ago

Typically, the hackers that get the data sell it off, versus using it personally. That can take a while.

frikk8y ago

I just mean that I didn't use my card during the time period, but a week later.

1 more reply

Splendor8y ago

No doubt the timing of releasing this news on the holiday weekend was deliberate; intended to reach as few people as possible.

robbiemitchell8y ago

Here's a list of all US locations affected: https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEq...

icelancer8y ago

Why is there no legal recourse here outside of spending my own time/resources to cancel cards and deal with all the BS that occurs with that whenever this happens? There should be financial repercussions, each affected individual should be awarded monetary compensation for their time.

dstaley8y ago

I believe that since Chipotle was still using magstripe credit card readers that they are now financially liable for any fraudulent charges on your account.

treyfitty8y ago

A bit misleading- Chipotle is responsible for Chipotle transactions that get disputed as fraudulent. Not just any fraudulent charges (subsequent transactions occurring after a swipe at Chipotle).

tyingq8y ago

There is legal recourse. It just isn't automatic. Same thing if you slip and fall at a Chipotle. They offer as little as they think they can get away with, often that's nothing.

brians8y ago

You agreed not to get that when you got the card. And they agreed to pay you any money damages without arguing much. It's a good deal, but you can choose to use cash if you pref

icelancer8y ago

Not the card issuer. Chipotle.

scott008y ago

Not a lawyer, but you probably do have cause for a lawsuit. Search "credit card data breach class action" and find lawyers/law firms who have handled similar cases in the past. If your data was compromised by a deep pocketed company and it was a large scale breach you can probably find a lawyer to file a class action on contingency.

ryanlol8y ago

Why do you need to cancel your cards?

icelancer8y ago

If card data was stolen.

1 more reply

shoover8y ago

What was that thing? It looks like all the stores in my area were hit.

heywire8y ago

In the past there have been a mix of "off-the-shelf" memory scrapers as well as custom written targeted malware. Generally they'll get inside the network and push out an exe/dll to all of the POS machines from some compromised machine. Depending on how locked down the POS machines are, there are various methods for either getting read access to the POS application process memory or having the dll injected into its memory. From there they find a way to extricate the data, either manually or automatic, depending on how locked down the network is. Application whitelisting solutions can really help block this kind of attack, but they're not perfect either. If an attacker can figure out how to get root on the machines, game over. This is why stand alone point-to-point encrypted EMV card readers are the way to go. You can't scrape the process memory for data it doesn't have, and the card readers themselves are pretty tamper resistant (if you don't count external skimmers)

mark_element8y ago

Agreed. Looks like this a big deal™. Would love to know the method of spreading across all their point of sales, were they running on windows?

bhhaskin8y ago

A ton of POS systems run on windows. Most on windows xp embedded

1 more reply

heywire8y ago

Domain credentials, an understanding of the IP or hostname scheme and a simple batch file could distribute something like this pretty easily, provided the proper controls aren't in place.

adjkant8y ago

I checked my home and all of the places where I know Chipotle is at in 4 different states. Every single one was on there. Would be nice if they said what percentage of stores were hit. The language implies a minority, but this looks like it could be most of them.

gnicholas8y ago

> The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) ... There is no indication that other customer information was affected.

What other customer information could have been affected? Kudos on the masterful PR spin — I guess by now Chipotle has had a lot of practice at this...

pasbesoin8y ago

Anyone have the whole list? (I hate enforced drill-down selection for such things.) How many locations?

heywire8y ago

A quick look at the chrome dev tools will point to a us.json which has what you're looking for.

bpicolo8y ago

That's a massive list. 2249 restaurants.

2 more replies

pasbesoin8y ago

Thank you.

robbiemitchell8y ago

Here's all the locations in one view: https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEq...

j / k navigate · click thread line to collapse

71 comments

heywire8y ago

mmanfrin8y ago

saidajigumi8y ago

Hilariously, using contactless EMV payment (i.e. Apple/Android Pay) with the same POS terminals is lightning fast.

2 more replies

Veratyr8y ago

Weirdly, I've only really noticed this in the US. Back in Australia where we've been using chips for about a decade, I rarely remember it taking more than a couple of seconds, certainly not 10.

We also have contactless payment on most of our credit cards (as in built into the card, not Android/Apple Pay) and support for it on ~90% of terminals as well though so it's not much used anymore.

2 more replies

sathackr8y ago

The problem with them is they force another prompt, which takes time to read, comprehend, and respond to.

Prompt #1: Credit/Debit?

Prompt #2: PIN

Prompt #3: Would you like cash back

Prompt #4: The total is $xx.xx, ok?

This is time consuming, particularly for people who aren't as comfortable with electronics and pressing buttons. And on top of that, many times the terminals themselves are slow.

Pay-at-the pumps are even worse

Prompt #5: Are you a fuel perks member?

Prompt #6: Receipt yes/no?

Prompt #7: Would you like a car wash?

amenghra8y ago

You can do EMV in under 4 seconds. Source: https://squareup.com/townsquare/weve-chipped-away-at-emv-tra... and http://www.digitaltransactions.net/news/story/With-an-Update...

com2kid8y ago

Walgreen's has lightening fast chip readers.

Everyone else, yeah, pretty slow.

I am surprised that apparently only 1 vendor has figured out how to make a good chip reader, and I am sad that apparently other retailers don't care enough to buy from that one vendor.

bpicolo8y ago

I've encountered a few that only took a second or two. No idea why most of them are slow as crap given that. The ones at Starbucks (and others by that company) are terribly slow

acchow8y ago

Have you used Square's chip reader? Wicked fast recently.

heywire8y ago

toomuchtodo8y ago

Would you suggest reporting a card lost to get a new number issued if it was used at one of these locations?

heywire8y ago

1 more reply

throwaway911118y ago

Not much point until they require chips for credit card charges.

torturedcardboy8y ago

Just because someone is forcing you use the chip DOES NOT MEAN THAT IT'S AN EMV TRANSACTION

There is no way too know if you are actually doing and EMV transaction.

heywire8y ago

frikk8y ago

tyingq8y ago

Typically, the hackers that get the data sell it off, versus using it personally. That can take a while.

frikk8y ago

I just mean that I didn't use my card during the time period, but a week later.

1 more reply

Splendor8y ago

No doubt the timing of releasing this news on the holiday weekend was deliberate; intended to reach as few people as possible.

robbiemitchell8y ago

Here's a list of all US locations affected: https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEq...

icelancer8y ago

dstaley8y ago

I believe that since Chipotle was still using magstripe credit card readers that they are now financially liable for any fraudulent charges on your account.

treyfitty8y ago

A bit misleading- Chipotle is responsible for Chipotle transactions that get disputed as fraudulent. Not just any fraudulent charges (subsequent transactions occurring after a swipe at Chipotle).

tyingq8y ago

There is legal recourse. It just isn't automatic. Same thing if you slip and fall at a Chipotle. They offer as little as they think they can get away with, often that's nothing.

brians8y ago

You agreed not to get that when you got the card. And they agreed to pay you any money damages without arguing much. It's a good deal, but you can choose to use cash if you pref

icelancer8y ago

Not the card issuer. Chipotle.

scott008y ago

ryanlol8y ago

Why do you need to cancel your cards?

icelancer8y ago

If card data was stolen.

1 more reply

shoover8y ago

What was that thing? It looks like all the stores in my area were hit.

heywire8y ago

mark_element8y ago

Agreed. Looks like this a big deal™. Would love to know the method of spreading across all their point of sales, were they running on windows?

bhhaskin8y ago

A ton of POS systems run on windows. Most on windows xp embedded

1 more reply

heywire8y ago

Domain credentials, an understanding of the IP or hostname scheme and a simple batch file could distribute something like this pretty easily, provided the proper controls aren't in place.

adjkant8y ago

gnicholas8y ago

What other customer information could have been affected? Kudos on the masterful PR spin — I guess by now Chipotle has had a lot of practice at this...

pasbesoin8y ago

Anyone have the whole list? (I hate enforced drill-down selection for such things.) How many locations?

heywire8y ago

A quick look at the chrome dev tools will point to a us.json which has what you're looking for.

bpicolo8y ago

That's a massive list. 2249 restaurants.

2 more replies

pasbesoin8y ago

Thank you.

robbiemitchell8y ago

Here's all the locations in one view: https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEq...

j / k navigate · click thread line to collapse