Would you like fraud with that? Burger chain giant Wendy's 'hacked'

Weird payments probed

Wendy's – the third largest fast-food chain in the world – has become the latest retail giant to lose customers' credit card numbers to crooks, it appears.

The possible security breach was flagged up today by investigative journalist Brian Krebs. We're told fraudulent activity on people's payment cards led bank staff to believe Wendy's systems have been hacked. The company has 6,500 restaurants across 28 countries.

"Wendy's is currently investigating reports of unusual activity involving payment cards at some restaurant locations," spokesman Bob Bertini told El Reg.

"Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants. We have been working with our payment industry contacts since recently learning of these reports and we have launched a comprehensive investigation with the help of cybersecurity experts to gather facts, while working to protect our customers."

It seems payment systems were compromised, and card data swiped, late last year. Popular carding website Rescator has added new US cards to its fraud offerings, but it is unknown if these are related to a Wendy's breach.

Criminal playground ... Stolen cards for sale on Rescator

Vann Abernethy, chief technology officer of network security company NSFOCUS, says customers should be monitoring their bank cards for fraud.

"This incident is another that should serve as a wake-up call for companies, the payment card industry and consumers alike," Abernethy says.

"[The EMV standard] is a good step in the right direction for preventing card information theft and duplication ... via a one-time unique authentication, and having that second factor, for example a PIN, makes this even stronger.

"The weakness in the system is the transaction between the card reader, the point-of-sale system, and the card issuer for verification."

The US still operates easy-to-steal magnetic stripe cards and does not yet require PINs with its pending deployment of EMV, something that's described by some fraud experts as a significant shortfall. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2022