Are Franchisees The New Sweet Spot For Card Data Thieves?

Written by Frank Hayes
January 17th, 2013

The payment-card breach revealed on January 11 by 560-store restaurant chain Zaxby’s throws a light on what may be the near-future of major breaches. The chain said it found malware on systems at 108 stores across the southeastern U.S. after card processors identified the stores as common points of purchase for fraudulent card activity.

But Zaxby’s doesn’t operate any of the stores—they’re all franchisees, putting both the company and the franchisees in a worst-of-both-worlds situation.

The company said it helped the franchisees check their servers after the common-point-of-purchase notifications. “During the course of its forensic investigation, Zaxby’s Franchising Inc. identified some suspicious files, including malware, on the licensees’ computer systems at certain Zaxby’s locations. Because those files could have been used to export guest names and debit card numbers, Zaxby’s Franchising Inc. informed appropriate law enforcement authorities of the potential criminal activity,” the company said in its statement.

The infected stores were in Virginia, Kentucky, Tennessee, Georgia, North Carolina, South Carolina, Alabama, Mississippi, Arkansas and Florida.

Zaxby’s added that the investigation hasn’t determined whether card data was stolen and that the breach appears to be due to an external attack. The company also said it was working with all franchisees to beef up security.

Zaxby’s didn’t report an estimate of the number of card numbers stolen or give a timeframe for the notifications and investigations. But it posted the addresses of the infected stores on a separate Web site that the company created last November, suggesting the problem was already significant at that point.
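The common-point-of-purchase analysis that led processors to these stores can be sketched in a few lines. The following is an added Python example, not code from the article or from any processor, and it runs over constructed transaction records and a constructed list of cards reported as fraudulent:

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): one row per card transaction,
# in the shape a processor would hold it: (card_token, merchant_id, date).
TRANSACTIONS = [
    ("c1", "franchise-store-17", date(2012, 10, 3)),
    ("c2", "franchise-store-17", date(2012, 10, 8)),
    ("c3", "franchise-store-17", date(2012, 11, 2)),
    ("c4", "franchise-store-17", date(2012, 11, 19)),
    ("c5", "franchise-store-17", date(2012, 12, 5)),
    ("l1", "franchise-store-17", date(2012, 12, 6)),
    ("c1", "grocery-big", date(2012, 10, 4)),
    ("c2", "grocery-big", date(2012, 10, 9)),
    ("c3", "grocery-big", date(2012, 11, 3)),
    ("l1", "grocery-big", date(2012, 10, 1)),
    ("l2", "grocery-big", date(2012, 10, 2)),
    ("l3", "grocery-big", date(2012, 10, 5)),
    ("l4", "grocery-big", date(2012, 11, 7)),
    ("l5", "grocery-big", date(2012, 11, 8)),
    ("l6", "grocery-big", date(2012, 12, 9)),
    ("c1", "gas-station-9", date(2012, 9, 20)),   # before the look-back window
    ("l2", "gas-station-9", date(2012, 10, 10)),
]
# Cards the issuing banks later reported as used fraudulently (constructed).
REPORTED_FRAUD = {"c1", "c2", "c3", "c4", "c5"}
WINDOW_START, WINDOW_END = date(2012, 10, 1), date(2012, 12, 31)


def common_points_of_purchase(transactions, fraud_cards, window_start,
                              window_end, min_fraud_cards=3, min_share=0.5):
    """Rank merchants that an unusually large share of the reported-fraud
    cards all visited inside the look-back window.

    Returns (merchant, fraud_cards_seen, share_of_fraud_set, base_rate), where
    base_rate is the fraction of that merchant's own customers later reported.
    """
    cards_at = defaultdict(set)
    for card, merchant, when in transactions:
        if window_start <= when <= window_end:
            cards_at[merchant].add(card)
    results = []
    for merchant, cards in cards_at.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue                      # too few reports to be meaningful
        share = len(hit) / len(fraud_cards)
        base = len(hit) / len(cards)
        if share >= min_share:
            results.append((merchant, len(hit), round(share, 2), round(base, 2)))
    # Highest share of the fraud set first, then the highest base rate.
    results.sort(key=lambda r: (-r[2], -r[3]))
    return results
```

A high-volume merchant shows up with several reported cards but a low base rate, while a low-volume franchise store only crosses the threshold once enough of its customers' cards have been reported, which is why malware left in place at such a store can sit for a long time before the processors' analysis flags it.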

This isn’t exactly a novel attack, but it may mark a shift in how thieves are going after card data. Attacks on servers were all the rage five years ago, when Albert Gonzalez was ripping through the data of large chains that included TJX, Target, 7-Eleven and JCPenney. Then PCI clamped down and big chains’ networks and servers were hardened—and in recent years, POS tampering has been the preferred way to get at customers’ card numbers.

Now there appears to be a new sweet spot at the disconnect between franchises and franchisees.

“The new attack vector tends to be platform based more than chain based. Once they find an exploit on a certain POS or server, [attackers] try to identify everyone in the world that runs that platform,” said StorefrontBacktalk Franchisee columnist Todd Michaud. “That being said, they are definitely looking at franchise systems, because the disconnect between corporate and a franchisee (is less likely to be well protected), coupled with the fact that if they have an exploit on that platform, they can get many locations.”

Ironically, the more standardized the payments system a franchise recommends or requires (usually in the name of a consistent level of security), the more likely the whole chain will be subject to attack if a security hole is exploited. If franchisees all chose their own systems, security would likely be more of a mess—but it would be a more diverse mess and less convenient for attackers looking for wholesale card plunder.

If the franchising chain sets standards but doesn’t have skin in the game itself by running restaurants—as is the case at Zaxby’s—it’s at least one level removed from any problems that show up.

And if the franchising chain sets standards that aren’t followed, that can open new security holes that the chain doesn’t expect.

Although Zaxby’s helped franchisees hunt for malware once the systems were under a cloud, the fact that the individual franchisees are essentially small businesses means they really need the help—they’re unlikely to spot suspicious activity themselves.

“Because the biggest risk for the hacker is accessing the system, and because these chains process fewer transactions than the big guys, they are forced to let their code remain active for a longer period of time to try and gather as many cards as possible before they get them,” Michaud said. “There is a chance that an admin or firewall might catch the entry and, therefore, each time they come get the cards, they risk getting their honey-hole shut down. So franchise systems are good for software that can sit unattended for long periods of time without being noticed.”

Marrying the security of a mom-and-pop shop with the standardized systems of a regional chain? That’s got to be highly attractive to attackers and potentially much easier to exploit than traveling across the country tampering with PIN pads. It won’t be surprising if a lot more franchisers see their stores breached—and if still more such breaches fly under the processors’ and card brands’ antifraud radar.

Then again, big chains aren’t off the hook. They process a lot more cards—and there will always be PIN pads.
