There's a common misconception about data thieves that because their chosen methods are perceived to be high-tech, their behaviors will always be similarly sophisticated as well. However, much like breaking and entering in the real world, hackers are always going to take the path of least resistance to get the payment information that they want.
And right now, quick-service restaurants are realizing just what an easy target their POS systems have been.
The story starts a few weeks ago when Wendy's confirmed that POS systems in an originally estimated 300 stores (though later estimates would revise that to a "considerably higher" unnamed tally) were infected with a strain of info-lifting malware. Rumors had been swirling as early as January that a swath of Wendy's locations had been compromised by the program, but when the fast-food chain finally got around to officially recognizing the breach, the mission was straight damage control, complete with customer service hotlines and promises galore.
Unfortunately, for Wendy's, the situation may be so dire that even the best PR firm couldn't spin it positive. Private IT security firm PandaLabs recently obtained a copy of a malware program that infected terminals at CiCi's Pizza, cracked the malware program open and found inside plenty that was far from reassuring for POS security.
Alongside cracking the particulars of how the program known as "PunkeyPOS" works, PandaLabs found that the malware program wasn't protected by any stringent server authentication method, and the version it obtained had the date "2016-04-01" hardcoded into the file. When PandaLabs compared its version with earlier iterations of PunkeyPOS, some from as far back as 2014, it could see little operational difference between the versions.
PandaLabs' verdict? The date implies that this is just one of many PunkeyPOS infection campaigns targeting businesses (at least 200 discrete infections in this case alone). Moreover, the lack of changes from at least 2014 to now hints that malware makers know they don't have to overexert themselves to break into high-profile retail chains' POS systems.
"Taking into account how easy it is to sell this information on the black market and how convenient it is to compromise these POS terminals anonymously through the internet, we are certain that cybercriminals will be increasingly drawn to these terminals," PandaLabs explained.
Given how bullish the quick-service restaurant market has been to adopt self-service kiosks, mobile ordering and other measures that proliferate access points to payment systems, one would think that the need for equally diverse and robust security policies would be self-evident. However, Wendy's, CiCi's and an entire industry must now contend not only with the burgeoning number of low-risk, high-reward malware attacks but also with the lawsuits that inevitably occur when affected parties (a Pennsylvania credit union in Wendy's case) strike back.
“As a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts and take other steps to protect themselves and their customers,” the lawsuit targeting the chain alleges.
Perhaps being held legally (and financially) accountable will spur some QSR chains to take a second look at their POS security, but there will likely be plenty more casualties on both sides of the counter before all is said and done. And until then, POS hackers will continue to put out the minimum viable product they're required to — that is, until retailers figure out a way to make the job just a little bit tougher on them.