On March 29, Earl Enterprises announced that visitors to its chain restaurants may have had their credit card information stolen. As usual when this kind of thing happens, I was asked to put together some advice for consumers on what they could do to protect themselves. It’s a well-worn subject from years of similar stories, but this time it felt different. This is partly because of the unique nature of the attack, but also because our practice of putting the responsibility for cleaning up the messes on consumers isn’t working. It’s time to put the onus where it belongs, on the corporations who allowed the data to be compromised in the first place.
Unto the Breach
If you ate out at specific Buca di Beppo, Chicken Guy!, Earl of Sandwich, Mixology, Planet Hollywood, or Tequila Taqueria locations, you may have had your credit or debit card information stolen. According to Earl Enterprises, this could have included just about everything needed to commit fraud: card numbers, expiration dates, and some cardholder names. The number of people impacted is reported to be around 2 million.
An interesting fact about this particular breach is that it wasn’t a breach per se. Instead, hackers managed to remotely access point-of-sale or POS (yes, that’s the real acronym) machines at various restaurants and install malware that scraped customer data. That information was lumped together and sold on black market websites.
What Can You Do to Stay Safe?
Aside from the bit about malware on the POS machines, the Earl Enterprises breach/attack is pretty typical. As is the advice I would give on what consumers (that’s you) can do to stay safe.
First, I usually say, use a credit card and not a debit card. Credit card transactions are easily reversed and credit card companies are very good at catching fraud before you do. Importantly, you are not responsible for fraudulent credit card charges. Using a debit card is essentially a cash transaction. You can get reimbursed for these, but it sometimes takes longer and in worst-case scenarios can lead to some wrangling with the bank or the FDIC.
Once that’s out of the way, I go into the problems with magstripe transactions. Magstripes are stupidly simple. You can hook up a USB magstripe reader, run a card, and the computer will enter the information into a text file for you. A chip card (EMV card) uses a different process that is far more secure and harder to intercept.
That leads into a natural discussion about how this information is usually stolen with small devices called skimmers or shimmers. I have a whole story on how to spot them, so you can just read it. The gist is that it’s a good idea to inspect POS machines before you use them, in every context you encounter them but especially at gas pumps and outdoor ATMs. Saved you a click (but click anyway, it helps me get paid).
After that I’ll launch into a whole thing about high-tech solutions for payments. Android Pay, Apple Pay, and Samsung Pay use a tokenization system that never reveals your actual credit card information. It might seem less safe to use them since the information is transmitted wirelessly, but it’s actually very good.
Then I’ll sometimes tack on a bit about how you can use Abine Blur to create prepaid credit cards and bogus email addresses on the fly. Maybe I’ll mention how cash and prepaid credit cards are the most secure and privacy-conscious ways of doing business. I definitely won’t endorse identity theft protection services because I’m not sure they actually work, and I won’t say too much about credit monitoring because I don’t think you should have to pay for your own financial information that’s being compiled without your consent.
I never endorse Bitcoin because screw those guys, seriously.
It Doesn’t Matter How Careful You Are
We write these kinds of stories all the time at PCMag, and they’re useful to illustrate the little things that can make a difference in people’s lives. People should know smarter ways to pay, and be advised to use password managers and 2FA, or at least know what these things are so they can make informed choices in their lives. But the Earl Enterprises breach really got to me, because there’s almost nothing customers could have done to really protect themselves.
In the Earl Enterprises attack, the bad guys had remote access to the POS machines. That means no matter how much a customer investigated the card readers, they weren’t going to find a tell-tale skimmer because the threat was inside the machine. Moreover, at US restaurants, customers don’t always get the option to even engage with the POS terminal. We hand our payment to the server, who runs the card and returns with a receipt. That means customers can’t use the newer and more secure mobile device payment systems. There’s also no guarantee that any given merchant supports EMV chips or mobile payments, or that staff would be trained in how to use them.
That’s not to mention that it was reported Earl Enterprises took 10 months to respond to the breach. Nor that because this information was sold in bulk, which is standard for these kinds of operations, victims could experience second- and third-order consequences for years to come.
Of all the advice I have to give on this topic, that leaves only one option: use cash or prepaid cards. That’s a pretty ridiculous state of affairs in the year of our lord 2019 when I can use a telephone to buy a drone and have it delivered to my house before I get home, all while video calling a friend in Thailand.
The first massive data breach that seemed like it might change things was in 2013, when something like 110 million Target shoppers discovered that there was a bluelight special on their private information. Like the Earl Enterprises attack, there was little that customers could have feasibly done to protect themselves. At the time, there was concern that consumer backlash might sink the company.
That didn’t happen. Target took a hit and paid out some cash, but it has stayed in business. There also weren’t devastating consequences for any of the other subsequent breaches that made headlines, nor have we seen true financial pain when a company behaves badly and abuses the private information of its customers (looking at you, Facebook!). In fact, this kind of betrayal of customers has become so commonplace, it didn’t make sense for PCMag to cover the Earl Enterprises attack. It simply did not warrant the attention.
No amount of consumer self-defense is going to stop this kind of fraud, and apparently no amount of bad press over security breaches is going to damage a corporation enough to force them into adequately protecting customer information. To my mind, that leaves one option: regulation.
Consumer Protections Protect Consumers
Corporations must be held legally and financially accountable for security breaches that affect customers. There need to be fines, investigations, and court-ordered consequences. Money needs to be spent on lawyers—a lot of money. The current model where customers have to spend their own money and energy to bring lawsuits to bear is unreasonable. As is the energy required to protect ourselves from petty fraud, or, worse, to try to put our lives back together after identity theft.
Companies also need to take threats seriously and plan for attacks. The barest minimum of customer data should be stored, and whatever is stored should be kept encrypted or otherwise rendered useless if it were stolen. The creators of payment systems also need to start taking the threats seriously, which I am sure they would if there was a demand from merchants for more secure devices.
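To make "store the barest minimum" concrete, here is an added sketch (not from Earl Enterprises, PCMag, or any payment vendor) of a merchant-side routine that strips a transaction record down before it is saved. The record fields, the demo key, and the sample data are all constructed for illustration, and the key is assumed to live outside the database.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def token_for(pan: str, key: bytes) -> str:
    """Keyed one-way reference to a card; cannot be reversed to the number."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]

def scrub_text(text: str) -> str:
    """Mask Luhn-valid card numbers that leaked into free text (notes, logs)."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()                # order ids etc. are left alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

def minimize(record: dict, key: bytes) -> dict:
    """Keep what reconciliation needs; never store name, expiry or full number."""
    pan = re.sub(r"\D", "", record["card_number"])
    if not luhn_ok(pan):
        raise ValueError("not a valid card number")
    return {
        "card_token": token_for(pan, key),
        "card_last4": pan[-4:],
        "amount": record["amount"],
        "note": scrub_text(record.get("note", "")),
    }

# Constructed sample; 4111111111111111 is a widely used test card number.
SAMPLE = {
    "card_number": "4111 1111 1111 1111", "expiry": "12/21",
    "cardholder": "A. DINER", "amount": "42.50",
    "note": "card 4111-1111-1111-1111 read over phone, order 1234567890123",
}
DEMO_KEY = b"constructed-demo-key"  # assumption: real key is kept off the POS/db

if __name__ == "__main__":
    print(minimize(SAMPLE, DEMO_KEY))
```

A database of records like the output gives a thief last-four digits and opaque tokens instead of the card number, expiration date, and name listed in the breach notice.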
For quite a while now, I have suspected that the sheer volume of private information that has been exposed in the last decade means that everyone has been or will be hurt in some way. That can’t be acceptable. Speaking for myself, I’m on my second debit card of 2019, because the first two had their numbers compromised. It’s April.