Meet the Man Crusading Against Restaurant Credit Card Hackers

How Brian Krebs uncovers chain restaurants' biggest credit card hacks.

Superhero photo: RawPixel/Shutterstock; Krebs photo: CBS screengrab

"I think you are safer spending money online than you are in restaurants," says Brian Krebs. Krebs — a former Washington Post journalist and self-taught computer security expert — is the blogger behind the website, which is often the first to discover major data breaches at restaurant chains. Over the past year alone, a number of restaurants — including notable names like Chick-fil-A, Jimmy John's, Dairy Queen, and even the eateries at major hotel groups like the Mandarin Oriental — have fallen victim to hackers. These cyber-criminals steal customers' credit and debit card information and sell it to the highest bidder on underground forums, drawing the attention of Krebs' one-man operation.

But why exactly are restaurant chains more vulnerable to hacks? Krebs says any restaurant that uses a Point of Sale (POS) system is open to being hacked, no matter how small or large it is. In a sense, POS systems are the heart of a restaurant's operations: The system keeps track of payroll and sales, can print guest checks and send orders to the kitchens, and most importantly, is used to process and store credit and debit card payments. Often POS systems are set up so information can be accessed remotely by the corporate offices of restaurants, other authorized parties, and unfortunately, hackers.

POS systems are one of the weakest spots in a restaurant's operations, thanks to outdated systems.

"Traditionally [POS systems] have been some of the weakest spots" in a restaurant's operations, Krebs explains, noting that restaurant owners "tend to do really sloppy things like enable the same password for each system." One of the biggest problems, Krebs notes, is that restaurant owners often run their POS systems on outdated operating systems like Microsoft XP. Because security updates are no longer offered for those platforms, they are much simpler to hack. And "Guess what?" Krebs asks. "If the bad guys can remotely login into your point of sale software, well, it's kind of game over."

Krebs points out that chain restaurants and fast-food outlets are particularly susceptible to attacks thanks to hacker efficiency. Chains not only have a higher volume of customers — and thus more credit card information — but most have several restaurants linked to the same internal system. If hackers can access just one system to breach hundreds of restaurants, Krebs argues, why would they take the harder route?

Hacking in bulk makes even more sense when considering that stolen credit card information is often sold for very low prices. According to Krebs, when 33 P.F. Chang's locations were breached last year, the stolen cards were sold for just $18 to $140 each. "[Hackers] are not going to make money if they're not out there competing with others, trying to get people to buy from them instead of somebody else," Krebs says. "There's a great deal of oversupply on a lot of those things." Often sellers will offer access to thousands of cards at a time. And after the cards are purchased on the black-market forums — also known as "dump shops" — other criminals use the stolen data to buy "high-dollar merchandise" like televisions and other electronics at big-box stores, often reselling them for cash.

Sergey Nivens/Shutterstock


It's in those shady underground forums that Krebs susses out when a major business has been hit, and he often figures it out before the businesses themselves. "When there is a big breach, it's not super difficult to figure it out, because you see tons of cards at the market," he reveals. From there, Krebs reaches out to banks to figure out what they are "hearing and saying," which eventually reveals a pattern — and in most cases — a specific business. After chatting with the banks, he reaches out to the affected company to ask them the "tough" questions. "You can tell by the way they answer," he says, "whether you're right or not."

Restaurants aren't always willing to admit that they have been breached, however. Last August, Krebs broke the news that Dairy Queen had been hacked, noting that locations in states across the country had been hit. However, DQ refused to confirm that was the case until two months later, when the company finally admitted that more than 400 stores had been targeted. "I called corporate headquarters and they claimed not to know anything," Krebs says. "And then when they finally owned up to it... they said they got notified by law enforcement on the same day that I contacted them." Cases like Dairy Queen are rare for Krebs. As hackers are attacking businesses like restaurants more frequently, banks and businesses have started to reach out to Krebs first to ask for "information about their own data." Krebs has become so well-known for his work curbing digital crime that he's been subject to harassment — digital and otherwise — for his efforts.

While the launch of Apple Pay and other alternative payment systems like Square is sometimes touted as a solution, Krebs says that any system that utilizes a card reader — even if it is attached to a phone or tablet — isn't much safer. "There's a lot of moving parts," Krebs explains. "They may have the newest, most legitimate system in the world... but if they aren't doing six other things right, it's easy to hack them, too." Essentially, these alternative payment systems also have many components that hackers can easily exploit.

So should everyone just start paying for their meals in cash? "No!" says Krebs firmly. Even after spending the past 14 years chronicling the seedy underworld of stolen credit cards, Krebs still advocates for credit cards as a secure system of payment. "If you lose your credit card, well, you can get a new credit card," he says. "If somebody makes charges... who cares? You can always say, 'I didn't do it.'" Plus, using a credit card comes with the security of knowing that cybercrime warriors are out there, battling the digital underground so the rest of the world can continue earning double points. There is no Brian Krebs for cash, after all.