More than any other industry, restaurants are being targeted by international crime gangs who are making a killing off your customers’ credit card numbers—and leaving you to pay the bill. They might be in your computer system right now.
Published: February 1, 2013
Christopher Schroebel was not your typical junkie. While he lived with his dad in Keedysville, Maryland, the 20-year-old supported his heroin addiction by stealing $120,000 over the space of four months. He wasn’t burglarizing homes or holding up convenience stores. He was breaking into restaurants and other businesses through their computers and selling the credit card numbers he found there to buyers around the world.
For a seasoned hacker, it wasn’t hard. Over the Internet, he used automated software to probe the security weaknesses of thousands of small businesses. He only needed to find a few that had left the digital equivalent of a back door open.
On July 20, 2011, he found one, 3,000 miles away in Seattle. Mondello Ristorante Italiano was a neighborhood eatery owned by Corino Bonjrada, who named it after his hometown in Sicily.
Once inside Mondello’s system, Schroebel inserted a couple of rogue programs. With innocuous names like “a8.exe,” they were unlikely to be noticed by the computer’s owner. They went to work with quiet efficiency.
Every time a waiter swiped a customer’s credit card, one program intercepted the data, on its way from the terminal to the computer. Within seconds, a companion program sent the information to a website in Chesterbrook, Pennsylvania. Schroebel used some of it right away, making small purchases to be sure the numbers worked. Some he would use to pilfer customers’ bank accounts. Most of it he stored up, to hawk to makers of counterfeit cards.
And unlike a typical burglary, under credit card regulations restaurants have to pay for being electronically burglarized: potentially tens of thousands in audits, fines and the cost of replacing compromised cards.
In August 2011, Bonjrada got the first inkling that something was awry. Customers started calling about fraud on their credit cards, some accusing his waiters.
The first couple of calls, he thought, might be misunderstandings with their credit card companies. But the complaints kept coming in. And they were very specific. Within minutes of dining, one patron’s card had been used in several different locations in California, racking up more than $600 at places like Walmart, Home Depot and Jack-in-the-Box.
“The third day, once we discovered we were getting a lot of calls, I realized it was not just a sign of a mistake,” recalls Bonjrada. “I called the police.”
After giving police names of six affected customers, he asked his point-of-sale vendor to examine his system. The vendor found nothing wrong. Unconvinced, Bonjrada called in a computer consultant. While police were interviewing customers, the consultant found Schroebel’s subtle digital fingerprints inside the POS.
Bonjrada is hardly a lone victim. Over the past few years, say security experts, the restaurant industry has become the number one target of data thieves. Verizon, analyzing worldwide data breaches from 2011, reports that 51 percent involved foodservice.
Just a few of the headlines last year: 1,700 credit card records were stolen from four Five Guys outlets; 940 from a Chili’s in Coral Springs, Florida; 282 from a McDonald’s in Tulsa; 300 from a small independent, the Chinese Gourmet Express, in Roseville, Minnesota; and many more from restaurants large and small.
Why restaurants? In the words of the late bank robber Willie Sutton, that’s where the money is. In this case, the currency is credit card numbers.
“There are a massive number of targets, and little attention goes into security,” says Chris Pogue, director of incident response at Trustwave’s Spiderlabs in Tulsa, a private eye for electronic data. “And most people are paying with credit cards.”
For the average restaurant, without a tech expert, standards for data security might as well be quantum physics. What is PCI compliance, what does it require and how do you achieve it?
Here are some basics:
What is the PCI-DSS?
The Payment Card Industry—Data Security Standard was launched jointly by five major credit card companies in 2004. Card-processing contracts require merchants to comply with the standard. Full compliance is the closest you can get to ironclad protection. But it’s not easy to achieve.
What does the PCI standard include?
It comprises 12 main components and more than 200 subcomponents. “The challenge with PCI is that it needs to be simplified,” says Liz Garner, director of commerce and entrepreneurship for the National Restaurant Association. “Its complexity drives people away from wanting to enact the most basic facets of risk mitigation.” To verify compliance, most restaurants—below 1 million transactions a year—must fill out an annual self-assessment questionnaire and scan their computer systems quarterly.
How can I tell if the POS system I’m buying is PCI-compliant?
The PCI Standards Council publishes lists of approved hardware, software and vendors at www.pcisecuritystandards.org.
My POS system is listed as PCI-compliant. Is that good enough?
Probably not. PCI compliance is an ongoing process, not a one-time achievement. That’s because your system keeps changing, as you change equipment, software and personnel. Someone has to keep the security system up with those changes, as well as installing the latest software patches. Says Atlanta hospitality lawyer and PCI specialist Charles Hoff, “It’s a misnomer to say a system is really compliant. They go in and out of compliance.”
Should I outsource my compliance?
Unless you’re a large chain with a dedicated IT staff, it may be safest to hire a consultant. But don’t settle for your POS vendor, for whom data security may be a sideline. Many data security specialists offer packages in the range of $100 a month.
Another factor is that large financial companies, like banks, have beefed up their cyber-security. Small restaurants have not. “Naturally, the bad guys have migrated to the lower-hanging fruit,” says Bob Russo, general manager for the PCI Security Standards Council, which sets security standards for accepting credit and debit cards [see sidebar].
The bad guys have changed, too. Only 4 percent of data breaches involve internal employees, reports Verizon. Instead of crooked waiters, most credit card numbers are now being stolen from outside, by criminal gangs.
“Organized crime figured out years ago how easy it was to steal money this way and how hard it is to catch and prosecute,” says identity theft consultant John Sileo of Denver. “The more data that can be compromised in one fell swoop, by hacking a million credit card numbers at one time rather than collecting them one at a time, the more money organized crime makes.”
There’s a thriving black market for those numbers. CloudeyeZ, a Los Angeles firm that retrieves stolen data, tracks several sites that offer a total of 300,000 numbers on an average day. Most of the sites are overseas.
“Within 90 seconds of having card number information, they’re selling it in Eastern Europe,” says Atlanta hospitality lawyer and PCI specialist Charles Hoff.
Two underground sites were owned by 21-year-old Dutch hacker David Schrooten, a wunderkind who counted 6,000 clients. Behind an alias, he boasted about stealing data from other black marketeers. He found both a kindred spirit and a criminal business partner in Schroebel.
“They were good buddies online,” says Dan Clement, managing partner of CloudeyeZ, who corresponded with Schrooten. “What happens is that young guys befriend each other. They like to brag, and eventually, they start revealing nuggets of personal information.”
In June 2011, according to indictments, the two joined forces. Schroebel helped to raid numbers from other hacking sites and added in his own booty, at least 4,800 numbers from 80 different businesses—including numbers from the restaurant in Seattle. They packaged the stolen numbers by bank and by state and put them up for sale.
A pirated VISA number sold for as little as $2, but the money was in the volume. In all, say prosecutors, the duo offered 180,000 numbers before Schrooten’s site, Kurupt.su, was shut down.
At any given time, an assortment of roving hackers like Schroebel are prowling outside a restaurant’s digital door, says Hunter Hughes, product manager for hospitality network security services for NCR Corp. in Duluth, Georgia. “If you set up a machine and put it on the Internet, and you open a port up and leave it there for a month, you’ll be shocked at the number of people, you have no idea who they are, who try to get in. We look at the activity logs and we see these things recorded.”
Three-quarters of the time, he says, they jimmy their way in through the same entrance: point-of-sale. Versatile POS systems, which track everything from credit card swipes to inventory, offer many ports of entry. But the most common one is remote access, the feature that lets you check operations from across town or across the country.
It’s convenient for owners and just as convenient for thieves, says Jennifer Fischer, head of Americas payment system security for Visa Inc. “If you have remote access and weak passwords, it’s fairly easy for the criminals to get access to that system that has all the sensitive card information.”
In 80 percent of cases, reports Trustwave, attackers get in by figuring out passwords. Often, they’re not hard to guess, because they haven’t been changed since a vendor first installed the system. The two most common default passwords are “Password1” and “welcome.”
It was such a default password that let Schroebel into Mondello’s computer, says detective David Dunn of the Seattle Police Department. The hacker used “brute force” programs, which automatically try thousands of common passwords until one works.
A single weakness can get multiplied across franchise systems, which now account for a third of breaches, according to Trustwave. In September, two Romanian men pled guilty to hitting over 150 franchised Subway stores. After hacking passwords, they had stolen data on over 146,000 accounts and racked up over $10 million in losses. Subway did not respond to a request for comment.
“A hacker knows that if I crack into a Subway, chances are that the majority of Subways have the same systems in place,” says Mark Henry, president of IT consultant One Point Retail Solutions in Fraser, Michigan. “In a lot of cases, I’ve found that the franchisor had things in place but never communicated them to the franchise community. A hacker realizes that the franchise community is free game until those things are communicated.”
How much can a restaurant lose if it gets hit? Henry helped one breached franchisee of the fondue chain The Melting Pot. Within a month and a half, the restaurant was $75,000 in the hole, from paying fines and replacing compromised credit cards. That amount included $30,000 in customer charges its processing bank refused to remit.
Besides immediate losses, a franchise system stands to lose future sales. A 2011 survey by the Ponemon Institute found the average brand lost 21 percent of its value after customer records were stolen. It took a full year for its reputation to recover.
“Having one location in the news can scare customers away from all your locations,” says Glen Moore, marketing manager for ANXeBusiness Corp. in Southfield, Michigan, which handles cyber-security for franchisors from McDonald’s on down.
If there’s any positive news, it’s that the good guys are gaining ground. Fraud losses, as a percentage of worldwide credit card sales, have slid over the past decade, according to the trade newsletter The Nilson Report. Trustwave found 33 percent of 2011 breaches got investigated by law enforcement, up from 7 percent the year before.
For a lot of that, thank the U.S. Secret Service. Best known for protecting presidents, it’s pursued financial crimes since the Civil War, when it was formed to fight counterfeiters. The 2001 PATRIOT Act charged it with setting up joint Electronic Crimes Task Forces. The eclectic teams share personnel and information with state and local police departments, as well as scholars and private firms. There are now 32 task force offices, including ones in Rome and London.
It was the Seattle task force, which includes officers from 17 police departments, that investigated Bonjrada’s case. It took only four days for Dunn to trace the malicious programs to Schroebel’s home.
First, Dunn examined the infected hard drive and discovered that one of the malicious programs was communicating with a computer server in Pennsylvania. The server’s owners provided both an address and a debit card number that turned out to be Schroebel’s. In Schroebel’s bank account, the investigator found both cash advances taken on stolen credit cards and money laundered through a Hong Kong currency exchange.
The hacker was arrested in November 2011, virtually penniless, and went through drug rehab before he was extradited to Seattle.
Schroebel’s computers led authorities to his Dutch co-conspirator. With the aid of Romanian police, Schrooten was arrested in March, as he stepped off a plane in Cluj, Romania. Both men later pled guilty, and Schroebel has been sentenced to 84 months in prison. Schrooten is due to be sentenced in March 2013.
Dunn praises the task force’s connections. “We’re part of this network that helps us with national and global investigations,” he says. “When it comes to cyber guys, there is no border. You’ll never find a whole crew in one city. But they speak a common language, and that language is fraud.”
Police also commend Bonjrada. By stepping forward quickly, not only had he limited his customers’ losses to 130 cards, but he had helped to bust an international ring while many of the stolen card numbers were still unused. He had kept fraud losses from Schrooten’s site down to tens of millions, instead of a potential $90 million.
“He gave us the ability to start on a fresh trail,” says Robert Kierstead, assistant special agent in charge of the Seattle office of the Secret Service. “In a lot of cases, two weeks go by before a business realizes it’s been hacked.”
In the meantime, Bonjrada quickly replaced his entire computer system and now has it scanned every few months. His business suffered for several months. But after the U.S. Attorney called his restaurant the “safest” in the city, customers started coming back.
To other restaurant owners, he offers some advice. “Like me, it can happen to anyone, just because of something like a password. Make sure you do something about it to protect yourself.”
Data Security for Dummies
“Security is a layered approach,” says Hunter Hughes, product manager for hospitality network security services for NCR. Here are a few layers that can drastically improve your security—and convince a hacker to move on to a softer target.
Use strong passwords
Avoid dictionary words and names. Mix letters, numbers and punctuation characters in upper- and lower-cases. Eight characters or more will be exponentially harder to crack. Whatever the password, change it every three months.
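As an added illustration of the sidebar’s password rules (this is not code from the article or from any vendor it names), a small Python check that applies them to a candidate POS password. The short word list, the two vendor defaults quoted in the article and the 90-day rotation window are assumptions embedded in the code.

```python
import re
import string
from datetime import date

# Vendor defaults named in the article. A real deployment would load a fuller
# list of vendor defaults and a proper dictionary file (assumption).
KNOWN_DEFAULTS = {"password1", "welcome"}

# Constructed stand-in for a dictionary-word list.
DICTIONARY_WORDS = {"password", "welcome", "admin", "restaurant", "summer"}

MAX_AGE_DAYS = 90  # "change it every three months"


def password_problems(password, set_on, today, names=()):
    """Return a list of policy violations; an empty list means the password passes.

    set_on/today are ISO dates ("2013-02-01"). names are owner, staff or
    business names the password must not contain.
    """
    problems = []
    lowered = password.lower()
    if lowered in KNOWN_DEFAULTS:
        problems.append("matches a well-known vendor default password")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    # Each character class the sidebar asks for must be present.
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation character": any(c in string.punctuation for c in password),
    }
    for label, present in classes.items():
        if not present:
            problems.append(f"missing a {label}")
    # Strip digits and punctuation so that "Welcome1!" still trips the word check.
    core = re.sub(r"[^a-z]", "", lowered)
    for word in DICTIONARY_WORDS | {n.lower() for n in names}:
        if len(word) >= 4 and word in core:
            problems.append(f"contains the dictionary word or name '{word}'")
            break
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    if age.days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days; rotate it")
    return problems
```

Run it against every POS, remote-access and back-office account at install time and again at each quarterly review; any non-empty list is a finding.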
Install and maintain a firewall
“Imagine you have a gated community,” says Tracy Libertino, senior vice president of VendorSafe Technologies in Houston. “The firewall is that gate. The firewall is blocking and monitoring any traffic that wants to come in and go out.” The key is to configure the firewall properly, and then keep it up-to-date.
Use two-factor authentication
When you type in a password, these systems ask for a second piece of information to confirm your identity. It might be a personal tidbit, like your birthplace. The safest systems text a one-time code to your cellphone.
Encrypt data at the swipe
Look for terminals that encode data the moment a card is swiped. Says Jennifer Fischer, head of Americas payment system security for Visa Inc., “It makes the data worthless even if a criminal gains access to
Segment your networks
Make sure the network for your credit card readers can’t talk to the one that lets employees check email. Put free public Wi-Fi on a separate network, as well.
Disable remote administration
Like turning off a light when you leave a room, turn this feature off when you’re not using it. When you need to check the system, call a manager and ask them to turn it temporarily back on.
Check your card machines periodically
Many manufacturers stick on seals that will be broken if equipment is tampered with. It’s also a good practice to photograph a terminal when it’s first installed, so that you can look later for any unauthorized changes.