Attackers compromised devices at more than 100 stores in the Checkers and Rally's restaurant chain and installed point-of-sale (POS) malware on them, allowing them to collect payment-card information from customers for months — and, in some cases, years, the company said in a statement released this week.
The attack highlights how POS devices continue to be a viable target for cybercriminals if the merchant, hardware maker, and payment services provider have not all adopted the Europay-Mastercard-Visa (EMV) security standard. While EMV is an effective defense against most payment device malware, many retailers have not upgraded to hardware that is EMV-capable, says Josh Platt, principal threat researcher at Flashpoint.
"Businesses are not required to upgrade their POS terminals," he says. "Unfortunately, it seems many businesses are still not EMV-compliant and will thus continue to be more susceptible to suffering losses in these situations until they become compliant."
Customers at a minimum of 104 Checkers and Rally's locations were affected by the latest breach, according to parent company Checkers Drive-In Restaurants, which only recently became aware of the breach. The company retained security consultants to investigate the attacks and determine the length of time that each location had been compromised. At least one location had the malware installed in December 2015, according to data provided by the company.
"Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests," said Adam Noyes, the chain's chief administrative officer, in a statement. "The malware was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date."
The attack also underscores how merchants that have not upgraded to EMV put themselves — and their customers' information — at risk. Merchants are quickly adopting devices that comply with the security specification, but almost half of transactions were not protected: In 2018, 54% of card-present transactions used EMV, up from 41% the prior year, according to EMVCo, the organization promoting and managing the specification.
POS terminals that use EMV technology encrypt and tokenize credit card information, preventing malware on the card reader from intercepting the data. As retailers have adopted the EMV security standard, attacks at the point of sale have become less common.
Yet the hardware is not inexpensive, and that has slowed adoption, which puts customers' information at risk, Flashpoint's Platt says.
"If a business is not EMV-compliant, the card numbers of any cards swiped at a POS terminal are transmitted," he says. "And when card numbers are transmitted, POS terminals infected with malware will be able to see the numbers and transmit them as well."
While details of the Checkers breach have not been released, retailers often run special retail editions of Microsoft Windows that are not kept up to date. In addition, the retailers usually do not manage the devices themselves, relying instead on a third-party service provider whose security may leave vulnerable pathways into the business, says Robert Neumann, senior security researcher at Forcepoint, a provider of managed security services.
"They are also often utilizing third-party remote admin applications, such as LogMeIn, TeamViewer, or similar for easier updating and maintenance, hence increasing the attack surface," he says. "We suspect there are special cases where POS malware is being distributed through fake software updates from a central location after successfully gaining a foothold in the network by hacking."
Finally, not all issues can be blamed on the retailers, according to Flashpoint's Platt.
"It is still pretty common for EMV chip readers to not work properly," he says. "When this happens, users are typically asked to swipe their cards instead — and this defeats the purpose of EMV chip-and-PIN cards."