Jump to content

Breach at Dickey’s BBQ Smokes 3M Cards


Karlston

Recommended Posts

Breach at Dickey’s BBQ Smokes 3M Cards

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.

 

js-blazingsun.png

An ad on the popular carding site Joker’s Stash for “BlazingSun,” which fraud experts have traced back to a card breach at Dickey’s BBQ.

On Monday, the carding bazaar Joker’s Stash debuted “BlazingSun,” a new batch of more than three million stolen card records, advertising “valid rates” of between 90-100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.

 

Multiple companies that track the sale in stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: All were used at various Dickey’s BBQ locations over the past 13-15 months.

 

KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement saying it was aware of a possible payment card security incident at some of its eateries:

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The confirmations came from Miami-based Q6 Cyber and Gemini Advisory in New York City.

 

Q6Cyber CEO Eli Dominitz said the breach appears to extend from May 2019 through September 2020.

 

“The financial institutions we’ve been working with have already seen a significant amount of fraud related to these cards,” Dominitz said.

 

Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020.

 

pitsmoked.png

“Low-and-slow” aptly describes the card breach at Dickie’s, which persisted for at least 13 months.

With the threat from ransomware attacks grabbing all the headlines, it may be tempting to assume plain old credit card thieves have moved on to more lucrative endeavors. Alas, cybercrime bazaars like Joker’s Stash have continued plying their trade, undeterred by a push from the credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.

 

That’s because there are countless restaurant locations — usually franchise locations of an established eatery chain — that are left to decide for themselves whether and how quickly they should make the upgrades necessary to dip the chip versus swipe the stripe.

 

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

 

While there have been sporadic reports about criminals compromising chip-based payment systems used by merchants in the U.S., the vast majority of the payment card data for sale in the cybercrime underground is stolen from merchants who are still swiping chip-based cards.

 

This isn’t conjecture; relatively recent data from the stolen card shops themselves bear this out. In July, KrebsOnSecurity wrote about an analysis by researchers at New York University, which looked at patterns surrounding more than 19 million stolen payment cards that were exposed after the hacking of BriansClub, a top competitor to the Joker’s Stash carding shop.

 

The NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

 

Visa and MasterCard instituted new rules in October 2015 that put retailers on the hook for all of the losses associated with counterfeit card fraud tied to breaches if they haven’t implemented chip-based card readers and enforced the dipping of the chip when a customer presents a chip-based card.

 

Dominitz said he never imagined back in 2015 when he founded Q6Cyber that we would still be seeing so many merchants dealing with magstripe-based data breaches.

 

“Five years ago I did not expect we would be in this position today with card fraud,” he said. “You’d think the industry in general would have made a bigger dent in this underground economy a while ago.”

 

Tired of having your credit card re-issued and updating your payment records at countless e-commerce sites every time some restaurant you frequent has a breach? Here’s a radical idea: Next time you visit an eatery (okay, if that ever happens again post-COVID, etc), ask them if they use chip-based card readers. If not, consider taking your business elsewhere.

 

 

Breach at Dickey’s BBQ Smokes 3M Cards

 

ThanksForReading200x49.jpg

Link to comment
Share on other sites


  • Replies 2
  • Views 614
  • Created
  • Last Reply

Heists and robberies sure are done differently these days. I am sad for the future generations who likely won't be able to relate to what present-day gamers like and muse about titles like GTA, RDR or even Mafia.

Link to comment
Share on other sites


Consumers need to be proactive with the use of credit cards.  At one time I had 17 credit cards.  Why?  Because each card was tied to use at one and only one store.  Had a credit card for Amazon, Paypal, Walmart, my favorite flower shop,  etc.  I never used a credit card in a restaurant, gas station, or to make a one time purchase in a brick and mortar store.  If a card had fraudulent charges appearing on it I knew exactly which store had been hacked and immediately had the card cancelled, no problem.  I never lost a penny due to fraud.  Today I only have two credit cards.  Why?  Because they use virtual numbers that are only good for one time use and I receive an immediate notification of each charge on my cards.  So after I use the number that is issued at the time of the purchase, it can never be used again.  I could give that list of numbers out and they would do no one any good.  Naturally this is for online use only so I don't even carry a credit card on me any more, just cash (and a gun.) And I don't have any type of pay associated with my phone, matter of fact, out of my 9 phones, only two even have NFC capabilities and those are turned off.  An ounce of prevention is worth a pound of cure as the old saying goes and I know from friends that have been victims that the time they have to invest in getting it straightened out is much more valuable than any money they may have lost.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...