Walt Mankowski on 7 Mar 2018 11:15:44 -0800

Re: [PLUG] POS Malware Found at 160 Applebee’s Restaurant Locations


On Wed, Mar 07, 2018 at 12:46:26PM -0500, Rich Freeman wrote:
> On Wed, Mar 7, 2018 at 11:00 AM, JP Vossen <jp@jpsdomain.org> wrote:
> > POS Malware Found at 160 Applebee’s Restaurant Locations
> > https://www.rmhfranchise.com/dataincident/
> >
> > The only PA location they know about is here, which is up near Erie, so in
> > theory it should not affect PLUG N after meeting dinners:
> >         Location: PA - Hermitage - 201 S Hermitage Rd
> >         Dates Affected: 2017-12-06 to 2018-01-02
> >
> 
> The Applebees we normally frequent (and as far as I'm aware all the
> other ones in the general area) are operated by The Rose Group.  We
> are potentially safe.  It depends on whether the issue is with
> terminals operated by the RMH franchise specifically, or if it hit
> everything and this is just RMH disclosing it for their own
> restaurants and not speaking to anybody else.
> 
> In any case, it is probably safe to assume that bad people know
> everything about you, and all your account numbers.  The whole idea of
> a shared secret that you share with everybody you do business with and
> every employee that handles your transactions is insane.  I'm amazed
> things aren't worse than they already are.

It's hard to tell exactly what happened at these Applebees, but I'm
guessing they were probably still using magstrips to read the credit
card information. Chip cards prevent these kinds of attacks.

> Maybe when ESR is done disrupting the UPS industry he can take on the
> payment card industry.  At least they seem to be going in the right
> direction with chips though honestly I don't know exactly how they
> work so maybe I shouldn't get my hopes up.  I don't get why they don't
> put the terminal IN the card.  Just send the transaction to the card
> wirelessly, have the card display it on its own built-in display,
> accept input via a built-in keypad, and then sign the transaction
> which is returned wirelessly and relayed to the bank.  Even with
> chip+PIN you're really only able to validate that a card+owner was
> present, not that they signed the specific transaction being presented
> to the bank.

Congratulations! You've reinvented how chip cards work! With all due
respect to ESR's technical chops, this is a solved problem. With the
exception of the part about verifying individual transactions, this is
how people in Europe have been using credit cards for
decades. The chip generates a one-time code and completes an encrypted
transaction with the terminal. The merchant never sees your real
credit card number.

Apple Pay works in an even more secure manner. When you add a credit
card, it sets up a pair of encryption keys with your bank. After you
verify the transaction with your face or fingerprint, the transaction
goes directly to the bank. When you pay, you literally have your card
appear on a computer screen (your phone). (I'm guessing Android Pay
works in a similar manner, but I have no idea.)

Walt
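As an added illustration of the "one-time code" Walt describes (this is not code from the thread, and it is a deliberately simplified model, not the real EMV protocol): the chip holds a key shared only with the issuer and computes a keyed MAC over the transaction data plus a per-card counter, so data captured at a terminal cannot be replayed or altered the way a copied magstripe can. `ChipCard`, `Issuer` and the identifier `card-0001` are constructed for the example.

```python
import hashlib
import hmac
import os


def cryptogram(key, amount_cents, currency, atc, unpredictable):
    """MAC over the transaction data; only the card and the issuer hold `key`."""
    data = f"{amount_cents}|{currency}|{atc}|{unpredictable.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, card_id, key):
        self.card_id, self._key, self.atc = card_id, key, 0  # key never leaves the chip

    def respond(self, amount_cents, currency, unpredictable):
        self.atc += 1  # application transaction counter: every cryptogram is fresh
        mac = cryptogram(self._key, amount_cents, currency, self.atc, unpredictable)
        return {"card_id": self.card_id, "amount": amount_cents, "currency": currency,
                "atc": self.atc, "un": unpredictable, "cryptogram": mac}


class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, card_id):
        self.keys[card_id] = os.urandom(32)  # per-card key provisioned at issuance
        self.last_atc[card_id] = 0
        return ChipCard(card_id, self.keys[card_id])

    def authorize(self, msg):
        key = self.keys.get(msg["card_id"])
        if key is None or msg["atc"] <= self.last_atc[msg["card_id"]]:
            return False  # unknown card, or a replayed / out-of-order cryptogram
        expected = cryptogram(key, msg["amount"], msg["currency"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # transaction data changed after the card signed it
        self.last_atc[msg["card_id"]] = msg["atc"]
        return True


def demo():
    """Returns (genuine, replayed, altered, next_genuine) authorization results."""
    issuer = Issuer()
    card = issuer.enroll("card-0001")                 # constructed identifier
    msg = card.respond(4250, "USD", os.urandom(4))    # terminal supplies the nonce
    genuine = issuer.authorize(msg)
    replayed = issuer.authorize(msg)                  # same captured data sent again
    altered = issuer.authorize(dict(msg, amount=99999, atc=msg["atc"] + 1))
    next_genuine = issuer.authorize(card.respond(1275, "USD", os.urandom(4)))
    return genuine, replayed, altered, next_genuine
```

The counter check is what makes a captured response worthless to whoever skims it, which is the property a static magstripe track lacks.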


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug