1(630)802-8605 Ravi.das@bn-inc.net

As summer now has officially has started, the thoughts of traveling and doing all sorts of things outdoors now come into mind.  For some, this may involve car travel, going overseas, or simply trying out a new restaurant and devouring some new kinds of foods.  Whatever our plans are, or what venues we plan to visit, just keep two things disparate things in mind:

  • The Cyber attacker will be on the hunt – they know that our guard will be down enjoying the summer festivities;
  • More often than not, we will most likely use a credit card to pay for all of our outings.

It is with these two things in mind, that we touch on today’s topic.  And yes, once again, it has to do with credit card theft at a at a well-known restaurant chain called “PDQ”.  PDQ is letting customers know about a potential data breach that may have compromised both their personal data as well as credit card information.

This security breach occurred at the many Point of Sale terminals, and most likely occurred between May 19, 2017 and April 20, 2018.  It is only now that PDQ has become aware of this Security breach, on June 8th.

From what they can tell so far, all of the 70 PDQ fast food chains have been affected, except at the locations of the Tampa International Airport, Amalie Arena and PNC Arena (interesting to note why these venues were not chosen, as these have large gatherings of people on almost minute by minute basis).  The Security breach involved the theft of the following credit card information:

*Customer names;

*Credit Card Numbers;

*Expiration Dates;

*Cardholder Verification Value (CVV) Numbers.

You may be scratching yourself in the head and wondering, how did all of this exactly happen?  Well, although this still under investigation, it is believed that the Cyber attacker(s) gained entry through an unknown hole in an outside technology vendor’s remote connection tool. All major credit brands were impacted, or any variants of them.  This includes the likes of Visa, MasterCard, Discover, and American Express.

However, it is important to note that the CVV number is not the same as the three or four-digit PIN Number that you create.  Rather, the CVV is used to confirm our identity when whenever and wherever we make purchases with a chip equipped EMV card.  Examples of where this CVV number can be found for all four major brands are illustrated below:

It is not known at this point the exact number of customers that have been affected, or what even the total dollar amount of it will be.  For that matter, to make things even scarier, it is not even known specific number of the four credit card brands that have been impacted.

Immediately after the Security breach was identified, PDQ took immediate actions by hiring a Cyber security firm to launch a comprehensive forensic study, notified the appropriate law enforcement officials, and is also working with state regulators as well.

In the meantime, PDQ is highly recommending to any of its customers whom think that they have been impacted during the time period stated, to immediately request a free credit report and to see if there are any fraudulent activities going on.

My thoughts? Well, I have some.  First, why did it take so long to discover that an actual Security breach occurred?  I mean if this happened the latest by April 20, why did it for PDQ almost two months to discover this?  Second, what kinds and types of Security checks did they do on this third party?  For that matter, did this third party even do any Security checks on their own to make sure that their systems were safe?  A simple Penetration Test more than likely would have revealed this unknown Security hole.

Remember, if you do ever hire a third-party vendor, it is your due diligence to make sure that they are u to snuff with your own Security requirements.  You are the one that will be held responsible for the impacts of any Cyber-attacks, not the third-party vendor.  In fact, I hosted an entire webinar just on this topic, and the link for it is right here:

https://infosecinstitute.wistia.com/medias/tgph18nm08

But in the end, the real issue here is how do you keep your credit card safe, especially during these times when we are trying to enjoy ourselves.  Remember, there is no 100% guarantee in anything, but the following tips will help mitigate some of those risks, as I too have been a victim of credit card fraud:

*Always ask for a receipt after visiting a fast food restaurant.  Never get rid of it there or a public receptacle, always shred it when you get home.

*If you visit a restaurant, and you have a waiter, never give them your credit card to process.  You never know, they may appear nice and all, but they could be carrying a skimmer that can quickly and easily record your credit card information.  Always have your credit card processed in front of your presence.

*At least twice a day, check your credit card transaction history online.  Report anything suspicious to your credit card company, even in the smallest dollar amount.

*Try to sign your name as a means of completing the credit card transaction instead of entering in your PIN Number at the Point of Sale Terminal.

*Always use a credit card if you can if you are eating out at a restaurant.  If you are a victim of a Cyber-attack, then you are just limited to $50.00 in liabilities.  But, if you use a debit card, you are responsible for the entire amount.

*Always try to visit those restaurants in which they have the EMV chip card transaction functionality.  This is at least another layer of protection to keep you safe versus the normal swiping method.

*Always jiggle the credit card reader to a certain degree to make sure that a skimmer is not covertly installed.  If there is anything loose, do not use this credit card reader, and notify the restaurant manager immediately!!!

*Ask to speak to the manager of the restaurant and ask him or her if the establishment is PCI compliant.  It may seem to be an odd question to ask, but it is your right to know this information.

*If you are visiting a restaurant in which there is public WiFi available, make sure that you store your credit card in aluminum case.  You never know who has a portable network sniffer on hand, hiding it covertly.  You can easily purchase one of these casings at Amazon, here is an example:

https://www.amazon.com/RFID-Blocking-Credit-Holder-Protector/dp/B00ZBWTDKU/ref=asc_df_B00ZBWTDKU/?tag=hyprod-20&linkCode=df0&hvadid=167148881477&hvpos=1o1&hvnetw=g&hvrand=14342725793950765960&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=1028087&hvtargid=pla-343982905124&psc=1

*Always try to leave the tip in cash, not use your credit card!!!

The moral of the story is enjoy your summer, have fun, but be careful with your credit card when you eat out!!!