A Burger, an Order of Fries, and Your Credit Card Number

Why it’s so easy for hackers to steal financial information from restaurants.

Credit card reader
Is your credit card number at risk when you go to a restaurant?

Photo by Pascal Le Segretain/Getty Images.

At some point in your restaurant-going life, you’ve probably felt a pang of doubt when you handed over your Visa card. How easy it would be, you probably thought, for a waiter to copy your credit card number and head out on a shopping spree. You probably got over it, reasoning that people who do such things probably get caught. And maybe you’re right. But that doesn’t mean you’re safe. The real threat isn’t that your charming waiter will steal your financial information. It’s that the Russian mafia will steal it from your waiter.

On Thursday, Verizon released its Data Breach Investigations Report, an annual landmark in the data-security industry. The big story this year, Verizon reports, was the rise of “hacktivists”—vigilantes who orchestrate high-profile cyber-attacks on big corporations, government entities, and even Internet security companies, usually to make a political statement (although sometimes, it seems, out of sheer vindictiveness). These are the attacks that make headlines, and for good reason: They’re sophisticated, brazen, and sometimes downright scary.

But if 2011 was “the year of the hacktivist,” as Forbes proclaimed, every year is the year of the run-of-the-mill cybercriminal. For at least a decade, organized crime groups around the world, but particularly in Eastern Europe, have been honing their hacking skills in a bid to capture our credit card and bank account numbers. Increasingly, they’re targeting restaurant franchises and other small businesses by hacking their point-of-sale checkout systems, which are often woefully insecure. And, as the Verizon report shows, they’re getting better at it all the time.

Unlike hacktivists’ flashy attacks, these criminals’ exploits rarely make the news. Publicity is not in their interest, and it can takes months for their victims to find out they’ve been hit. When businesses do learn they’ve been compromised, they often conclude that publicizing the crimes wouldn’t be in their interest either. For these reasons, attacks on retail establishments fly under the radar, though they vastly outnumber those orchestrated by well-known groups like Anonymous and LulzSec, which accounted for just 3 percent of the 855 data-breach cases covered in the Verizon report.

Restaurants were easily the most-targeted businesses, accounting for over half of all reported attacks. Retail stores were second, at about 20 percent. The findings are consistent with those of a similar report released earlier this year by Trustwave, an information security company, which found that the food and beverage, retail, and hospitality industries combine to account for 80 percent of data breaches.

Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems.

Rich Mogull, an information security analyst who runs a company called Securosis, explains that a typical cybercrime works something like this. First, a hacker—often in Russia, but sometimes in the United States, Romania, Vietnam, or elsewhere—uses special software to scan a portion of the Internet for IP addresses that look like they might belong to the servers restaurants and retailers use to transmit credit and debit card data. When they find them, they send that information to another program that starts trying common passwords to log into the server remotely.

Many of the companies that install point-of-sale systems for small businesses neglect to set up unique passwords. When hackers find one that works at a particular franchise of a chain restaurant, they add it to the list, and often find it works at dozens or hundreds of others as well. In one of the few cases that registered on the national news radar, a Romanian gang allegedly poached credit card information from 200 Subway sandwich outlets in the United States over three years.

Once they tap into the servers, hackers often install programs to log credit card numbers. After they get the numbers, the shrewder criminals don’t use them right away. Instead, they bundle and sell them on the black market. Verified numbers fetch more than unverified ones; those with names attached fetch more still.

Customers don’t learn their information has been compromised until weeks or months later, when their banks flag purchases as suspicious. Even then the banks can’t always tell where the breach originated. And when restaurant owners do find out they’ve been hacked, some, like Harry Trubounis of SideBar 410 in Dayton, Ohio, are scrupulous enough to email their regular customers and notify them. Those are the ones that occasionally end up in the local newspaper. “I wanted to be extremely proactive in dealing with it,” Trubounis told me. But not all restaurant owners want to risk the bad publicity, even if the breach wasn’t really their fault.

Not all cybercrimes happen exactly like this. Sometimes hackers use proximity or special knowledge to target an individual business. For instance, they’ll sit down in a café, order a latte, and proceed to log into the coffee shop’s unsecured point-of-sale system through its free Wi-Fi network. Or, in somewhat rarer cases, they enlist an employee to help them. Verizon estimates 4 percent of all data breaches are inside jobs. And yes, your smiling waiter will occasionally betray you by taking down your information when you’re not looking. These days they use skimmers. But it’s hard to do that for long without getting caught, especially if you’re using the cards to make purchases locally—as a ring of thieving waiters at fancy New York restaurants recently discovered.

But more often, it’s not your waiter who’s ripping you off. It’s a junkie in Maryland allegedly hacking Seattle restaurants’ servers to score heroin money, Russian thieves hacking restaurant wholesalers, or unknown miscreants hacking Jumper’s Junction sports bar outside of Pittsburgh or a Chili’s on Yokosuka Naval Base in Japan.

Security analysts say restaurant owners and the companies that install their point-of-sale systems are becoming more aware of the danger of credit card thieves. Scott DeFife, an executive vice president at the National Restaurant Association, told me his Washington, D.C.-based group makes an effort to educate its members about the risks of cybercrime. And compared with the size of the U.S. restaurant industry, which employs 13 million people, the scale of the problem is relatively small: probably hundreds of breaches each year, affecting perhaps hundreds of thousands of customers.

Yet the Verizon report suggests business owners could still be doing a lot more: 96 percent of all data-breach hacks were “not highly difficult”—up from 92 percent last year. The number was enough to spur Verizon to take an unusual step this year. On Page 62 of its report, it includes a cut-out section with simple tips for securing point-of-sale systems and encourages customers to hand it to the managers and owners of their favorite local haunts. At the bottom it says, “For more information, visit (but not from your POS).”