Hopefully this pushes more and more restaurants towards using separate chip-reader (EMV) pinpad devices. I've noticed several area restaurants switching lately (Arby's, Wendy's), and I hope it continues. These devices use point-to-point encryption, meaning that even if the POS machine is comprimised, no sensitive card data can be stolen. The POS machine never sees raw card data.
Chipreaders are terribly slow, I don't understand how they could not develop a secure payment system without 10-second~ delay times. My local grocery store installed new chip readers and within a week had taped over time in favor of the more-expensive but quicker stripe processing.
Hilariously, using contactless EMV payment (i.e. Apple/Android Pay) with the same POS terminals is lightning fast.
But this gets filed as "infrastructure is hard". A related example: If you get a chance, try the IC card system used by the train and transit systems in Japan; they're delightful.[1] At peak rush-hour, commuters are darn near running through the (many) pay stations tapping through without breaking stride -- including display of remaining balance!
Yet, the relatively recent transit tap card system where I live is laughingly slow. At a much more modest walking pace, it's easy to pull away from the reader before it's confirmed the transaction. Seconds per commuter, for system that's considerably newer than the IC card system.
I love Android Pay. If a place accepts it, I 100% use it over a card. It's near instantaneous, it's more secure (the merchant isn't getting my real card data), it's easy for me to audit, and it means I don't need my wallet when I go to the store.
Something to keep in mind is that Apple/Android Pay support both MSD (magnetic stripe data) and EMV contactless modes, which can result in different timings. EMV contactless also drops significant portions of the EMV contact requirements. This is why banks generally won't let you get cash back, or make large purchases on contactless, there's a trade off.
I've actually found it to be better; no tradeoffs.
I haven't tried cash back as I use credit cards rather than debit cards. I've used Apple Pay in the US, Canada, NZ, Australia, Germany, Sweden, and Denmark, and it's ALWAYS preferably to using the actual card, particularly for an American.
If you have a US based bank, even with EMV the bank prefers a signature, which means you have to sign the damn receipt. This is more inconvenient than doing so in the US because:
1. The merchants aren't used to it, so it's a surprise/hurdle
2. It's not common, so you have to sign an actual receipt, not an electric display
3. They don't seem to waive the signature requirement for small purchases ($25-$50) as they do in the US. So you're signing for EVERYTHING.
Magically, if you try to use your US-card-with-a-PIN (assuming you set one up) in an unmanned scenario like in a parking garage, SUDDENLY YOUR PIN WORKS! (quelle surprise!)
I also fell in love with the convenience of Apple Pay+Watch when I was skiing in Whistler; no need to take off my gloves, unzip a pocket, reach in, find, card, use card, sign receipt. Just a quick double-tap on the side button without even undoing my glove gauntlet, velcro closure around the wrist of my jacket, or any of my 5 layers of clothes (yes, it was cold).
Paywave was the most-commonly accepted in Australia of everywhere I've been recently, to the extent that they even tap your credit card to the machine first, assuming it will work, and are surprised when it doesn't. Yet they were VERY surprised by the watch, often saying they had never seen anyone use their watch before. I'm not sure if contactless+phone would have been as unexpected or not; I never tried.
Weirdly, I've only really noticed this in the US. Back in Australia where we've been using chips for about a decade, I rarely remember it taking more than a couple of seconds, certainly not 10.
We also have contactless payment on most of our credit cards (as in built into the card, not Android/Apple Pay) and support for it on ~90% of terminals as well though so it's not much used anymore.
Likewise in New zealand. I've always heard the argument that the US is bigger so it's harder to change (for everything - POS, the metric system, any kind of regulation etc).
Even after a decade in the US it amuses me that NASA can run a fleet of vehicles on Mars, that the country produced places like silicon valley, and that American ideology is one of entrepreneurship/innovation but as a country we struggle with changes the rest of the world has decided are worth the effort.
It makes me wonder what the US would be like if we weren't still wasting huge sums of money on healthcare and credit card fraud etc!
Of course some may say that the US is what it is because of these things...
Well, it shouldn't amaze you. The telephone was literally invented in Canada, and we have the worst telco situation in North America; and that's really saying something.
I think the problem is inherent in early adoption. The people who buy the first version of the thing are happy to wait another couple versions before upgrading, because they already have something which is substantially similar to the upgrade. You see this with people comparing the telco situation in Ethiopia (which despite a terrible organizational model, and very little capital, is improving rapidly) to anywhere in the developed world doesn't make sense. If you have landlines and a cable TV infrastructure, 4G over the air will have less demand automatically.
American card terminals pretty much universally suck compared to everywhere else in the western world so it's not that surprising to me.
According to staff at a few shops in my area when asked why they always ask if tap to pay is ok they said a lot of people still don't allow them to tap and insist on chip+pin still.
You mean in Australia? Yeah, I worked in retail while I lived there and it was pretty common. People seemed to think that using it would somehow make them more vulnerable to thieves for some reason. I even had friends who called the bank to exchange their card for one that didn't do contactless.
The problem with them is they force another prompt, which takes time to read, comprehend, and respond to.
Prompt #1: Credit/Debit?
Prompt #2: PIN
Prompt #3: Would you like cash back
Prompt #4: The total is $xx.xx, ok?
This is time consuming, particularly for people who aren't as comfortable with electronics and pressing buttons. And on top of that, many times the terminals themselves are slow.
Pay-at-the pumps are even worse
Prompt #5: Are you a fuel perks member?
Prompt #6: Receipt yes/no?
Prompt #7: Would you like a car wash?
and they're often even slower, the buttons are often hard to press, or don't register a beep and have a delay before the machine responds, so you wind up pressing the same one twice. And most lack a 'backspace', the screens suck, man don't get me started....lol
I am surprised that apparently only 1 vendor has figured out how to make a good chip reader, and I am sad that apparently other retailers don't care enough to buy from that one vendor.
I've encountered a few that only took a second or two. No idea why most of them are slow as crap given that. The ones at Starbucks (and others by that company) are terribly slow
Unfortunately when you need the chip in the card to sign the transaction details before sending to the bank, validate the response from the bank, and all of the steps in between, it takes a lot of time. There is a ton of work going into making this process faster. Things like EMV Quick Chip and contactless EMV (tap and pay) are quicker, and should be coming to retailers in the US soon. Of course we also have the option of Apple/Android Pay, which is somewhere in the middle.
Definitely if you used a debit card, since it could take a couple days to get any fraudulent charges reversed. Probably less important if you used a credit card, since you'll not have to pay for those charges and they'll just send you a new card at that point. I guess it just depends on if you want to be inconvenienced now or later :)
I personally used my credit card at one of the affected stores, and I do not plan on calling in to have my card number changed. I'll just keep a close eye on my statements (that, and I have alerts sent to my phone via SMS for any charge over $0.01, so I'd know pretty quickly)
Just because someone is forcing you use the chip DOES NOT MEAN THAT IT'S AN EMV TRANSACTION
There is no way too know if you are actually doing and EMV transaction.
The EMV spec has nothing at all to do with security. PCI controls security. I can read the card data via the chip and it's all in the clear. EMV is about process integrity, and the integrity testing is ridiculous. Chip cards are harder to forge, but that's about it. The new rules about liability puts the liability for processing a forged card on the merchant, if the transaction isn't done with EMV.
Are you saying that you know of systems which use the tag 57 (track 2 equivalent data) to read an EMV chip and process the transaction manually? I'd be surprised if most banks would even approve those transactions (no CVV/CVV2, etc).
My area was hit, and I did get hit with credit card fraud. I suspected a different vector (shady medical vendor and coincidental timing). The card that got hit was indeed used at Chipotle, but a week after the supposed "time range" indicated on the security site. Maybe the time range isn't absolute.
I used my card multiple times at multiple affected locations in four states, and I haven't seen any fraud on the card. Just a datapoint. Perhaps yours really was that shady medical provider.
Why is there no legal recourse here outside of spending my own time/resources to cancel cards and deal with all the BS that occurs with that whenever this happens? There should be financial repercussions, each affected individual should be awarded monetary compensation for their time.
I believe that since Chipotle was still using magstripe credit card readers that they are now financially liable for any fraudulent charges on your account.
A bit misleading- Chipotle is responsible for Chipotle transactions that get disputed as fraudulent. Not just any fraudulent charges (subsequent transactions occurring after a swipe at Chipotle).
There is legal recourse. It just isn't automatic. Same thing if you slip and fall at a Chipotle. They offer as little as they think they can get away with, often that's nothing.
You agreed not to get that when you got the card. And they agreed to pay you any money damages without arguing much. It's a good deal, but you can choose to use cash if you pref
Not a lawyer, but you probably do have cause for a lawsuit. Search "credit card data breach class action" and find lawyers/law firms who have handled similar cases in the past. If your data was compromised by a deep pocketed company and it was a large scale breach you can probably find a lawyer to file a class action on contingency.
Yes, they do. I still have to take time out of my day to audit the cards, challenge the payments, and then cancel the cards and get new ones, and update billpay everywhere else.
No, this generally doesn't involve immediately cancelling your existing card, sending you a new card and canceling the old one when it arrives is a much smoother experience.
Me experience is that at the first evidence of fraud or compromise the card is cancelled. The replacement arrives 7-10 days later. I'm sure it depends on the issuer, but banks in the US tend to a lowest common denominator customer experience.
In the past there have been a mix of "off-the-shelf" memory scrapers as well as custom written targeted malware. Generally they'll get inside the network and push out an exe/dll to all of the POS machines from some compromised machine. Depending on how locked down the POS machines are, there are various methods for either getting read access to the POS application process memory or having the dll injected into its memory. From there they find a way to extricate the data, either manually or automatic, depending on how locked down the network is. Application whitelisting solutions can really help block this kind of attack, but they're not perfect either. If an attacker can figure out how to get root on the machines, game over. This is why stand alone point-to-point encrypted EMV card readers are the way to go. You can't scrape the process memory for data it doesn't have, and the card readers themselves are pretty tamper resistant (if you don't count external skimmers)
In the industry I am in (mostly grocery, convenience, some specialty retail), most have moved to at least POSReady 7, and some are looking at Windows 10, though there are other concerns with PCI compliance there. Most of the large retailers are pretty good about keeping these things away from the general Internet, but once an attacker is in your network, most bets are off. The most important thing to do is to look for retailers who are using the standalone pinpad devices (i.e., they don't take your card and swipe it in the keyboard or on the display). These standalone devices encrypt card data before that Windows-based point-of-sale ever sees it. You can't steal card data from a POS which never sees card data.
Domain credentials, an understanding of the IP or hostname scheme and a simple batch file could distribute something like this pretty easily, provided the proper controls aren't in place.
I checked my home and all of the places where I know Chipotle is at in 4 different states. Every single one was on there. Would be nice if they said what percentage of stores were hit. The language implies a minority, but this looks like it could be most of them.
> The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) ... There is no indication that other customer information was affected.
What other customer information could have been affected? Kudos on the masterful PR spin — I guess by now Chipotle has had a lot of practice at this...
I am appalled at the attempt by Chipotle to downplay the scope and scale of the incident. The sentence which reads, " Not all locations were involved, and the specific time frames vary by location", is a blatant attempt to deflate the significance of the problem. This public disclosure should have been more direct, and disclose in plain language the number of stores affected. Chipotle should explain the full impact in plain language: "2,249 out of X,XXX Chipotle restaurants were compromised."
They are international now, right? I at least think I have memory of running across them in Canada.
The file name in question (thanks, heywire) is "us.json". I'm left wondering whether and how much of an international scope there might be to this.
While the version of their web site that I'm receiving by default seems to be geo-centric to the U.S. and doesn't mention foreign locations, Wikipedia has:
Chipotle Mexican Grill, Inc. (/tʃᵻˈpoʊtleɪ/)[6] is an American chain of fast casual restaurants in the United States, United Kingdom,[7] Canada,[8][9] Germany,[10] and France
The only ones not affected are most likely the ones that are part of airports/universities/hospitals that require integration with the building's POS system instead of their own.
