
Chipotle Reports Findings from Investigation of Payment Card Security Incident - rigden33
https://www.chipotle.com/security
======
heywire
Hopefully this pushes more and more restaurants towards using separate
chip-reader (EMV) pinpad devices. I've noticed several area restaurants
switching lately (Arby's, Wendy's), and I hope it continues. These devices use
point-to-point encryption, meaning that even if the POS machine is compromised,
no sensitive card data can be stolen. The POS machine never sees raw card data.

~~~
mmanfrin
Chip readers are terribly slow; I don't understand how they could not develop a
secure payment system without ~10-second delay times. My local grocery store
installed new chip readers and within a week had taped over them in favor of
the more-expensive but quicker stripe processing.

~~~
saidajigumi
Hilariously, using contactless EMV payment (i.e. Apple/Android Pay) with _the
same POS terminals_ is lightning fast.

But this gets filed as "infrastructure is hard". A related example: If you get
a chance, try the IC card system used by the train and transit systems in
Japan; they're delightful.[1] At peak rush-hour, commuters are darn near
running through the (many) pay stations tapping through without breaking
stride -- including display of remaining balance!

Yet, the relatively recent transit tap card system where I live is laughably
slow. At a much more modest walking pace, it's easy to pull away from the
reader before it's confirmed the transaction. Seconds per commuter, for a
system that's considerably newer than the IC card system.

~~~
heywire
Something to keep in mind is that Apple/Android Pay support both MSD (magnetic
stripe data) and EMV contactless modes, which can result in different timings.
EMV contactless also drops significant portions of the EMV contact
requirements. This is why banks generally won't let you get cash back, or make
large purchases on contactless; there's a trade-off.

~~~
rconti
I've actually found it to be _better_; no tradeoffs.

I haven't tried cash back as I use credit cards rather than debit cards. I've
used Apple Pay in the US, Canada, NZ, Australia, Germany, Sweden, and Denmark,
and it's ALWAYS preferable to using the actual card, particularly for an
American.

If you have a US based bank, even with EMV the bank prefers a signature, which
means you have to sign the damn receipt. This is more inconvenient than doing
so in the US because:

1\. The merchants aren't used to it, so it's a surprise/hurdle

2\. It's not common, so you have to sign an actual receipt, not an electric
display

3\. They don't seem to waive the signature requirement for small purchases
($25-$50) as they do in the US. So you're signing for EVERYTHING.

Magically, if you try to use your US-card-with-a-PIN (assuming you set one up)
in an unmanned scenario like in a parking garage, SUDDENLY YOUR PIN WORKS!
(quelle surprise!)

I also fell in love with the convenience of Apple Pay+Watch when I was skiing
in Whistler; no need to take off my gloves, unzip a pocket, reach in, find
card, use card, sign receipt. Just a quick double-tap on the side button
without even undoing my glove gauntlet, velcro closure around the wrist of my
jacket, or any of my 5 layers of clothes (yes, it was cold).

Paywave was the most-commonly accepted in Australia of everywhere I've been
recently, to the extent that they even tap your credit card to the machine
first, assuming it will work, and are surprised when it doesn't. Yet they were
VERY surprised by the watch, often saying they had never seen anyone use their
watch before. I'm not sure if contactless+phone would have been as unexpected
or not; I never tried.

------
torturedcardboy
Just because someone is forcing you to use the chip __DOES NOT MEAN THAT IT'S
AN EMV TRANSACTION__

There is no way to know if you are actually doing an EMV transaction.

The EMV spec has nothing at all to do with security. PCI controls security. I
can read the card data via the chip and it's all in the clear. EMV is about
process integrity, and the integrity testing is ridiculous. Chip cards are
harder to forge, but that's about it. The new rules about liability put the
liability for processing a forged card on the merchant, if the transaction
isn't done with EMV.

~~~
heywire
Are you saying that you know of systems which use the tag 57 (track 2
equivalent data) to read an EMV chip and process the transaction manually? I'd
be surprised if most banks would even approve those transactions (no CVV/CVV2,
etc).

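A worked parser for the Track 2 data this sub-thread is about (the magstripe record and the EMV tag 57 "Track 2 equivalent" value), added here as an example that is not from the thread. The layouts are the public ISO 7813 / EMV ones; the two sample records and the 4111... test PAN are constructed. It shows what a defender should mask before logging and that neither form carries CVV2.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread. Layouts are the public ISO 7813
# Track 2 and EMV tag 57 (Track 2 Equivalent Data) formats; the sample
# records below are constructed with the 4111... test PAN.

@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    source: str  # "magstripe" or "emv_tag57"

def luhn_ok(pan: str) -> bool:
    """Check digit per ISO/IEC 7812; screens out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> Track2:
    """Magstripe form: ';PAN=YYMMSSSDDD?'. Tag 57 form: PAN 'D' YYMM SSS
    DDD as hex nibbles, optionally padded with a trailing 'F'."""
    s = raw.strip().upper()
    if s.startswith(";") and s.endswith("?"):
        body, sep, source = s[1:-1], "=", "magstripe"
    else:
        body, sep, source = s.rstrip("F"), "D", "emv_tag57"
    m = re.fullmatch(rf"(\d{{12,19}}){sep}(\d{{4}})(\d{{3}})(\d*)", body)
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("not a well-formed Track 2 record")
    return Track2(*m.groups(), source=source)

def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed samples: the same card as read from the stripe and from the chip.
STRIPE = ";4111111111111111=25122011234567890?"
CHIP_TAG57 = "4111111111111111D251220100000000000F"

def chip_vs_stripe(stripe: str, chip: str) -> dict:
    """Fields that differ between the two reads: here only the discretionary
    data, where issuers place the CVV1 (stripe) or iCVV (chip); CVV2 is absent."""
    a, b = parse_track2(stripe), parse_track2(chip)
    return {k: (getattr(a, k), getattr(b, k)) for k in
            ("pan", "expiry_yymm", "service_code", "discretionary")
            if getattr(a, k) != getattr(b, k)}
```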
------
frikk
My area was hit, and I did get hit with credit card fraud. I suspected a
different vector (shady medical vendor and coincidental timing). The card that
got hit was indeed used at Chipotle, but a week after the supposed "time
range" indicated on the security site. Maybe the time range isn't absolute.

~~~
tyingq
Typically, the hackers that get the data sell it off, versus using it
personally. That can take a while.

~~~
frikk
I just mean that I didn't use my card during the time period, but a week
later.

~~~
heartbreak
I used my card multiple times at multiple affected locations in four states,
and I haven't seen any fraud on the card. Just a datapoint. Perhaps yours
really was that shady medical provider.

------
Splendor
No doubt the timing of releasing this news on the holiday weekend was
deliberate; intended to reach as few people as possible.

------
robbiemitchell
Here's a list of all US locations affected:
[https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEq...](https://docs.google.com/spreadsheets/d/1_lFhMPaRBn8JbqxR9rEqRgtezp3wM9ZPF-23Z-NomDU/edit?usp=sharing)

------
icelancer
Why is there no legal recourse here outside of spending my own time/resources
to cancel cards and deal with all the BS that occurs with that whenever this
happens? There should be financial repercussions, each affected individual
should be awarded monetary compensation for their time.

~~~
dstaley
I believe that since Chipotle was still using magstripe credit card readers
that they are now financially liable for any fraudulent charges on your
account.

~~~
treyfitty
A bit misleading: Chipotle is responsible for Chipotle transactions that get
disputed as fraudulent. Not just any fraudulent charges (subsequent
transactions occurring after a swipe at Chipotle).

------
shoover
What was that thing? It looks like all the stores in my area were hit.

~~~
mark_element
Agreed. Looks like this is a big deal™. Would love to know the method of
spreading across all their points of sale; were they running on Windows?

~~~
bhhaskin
A ton of POS systems run on Windows. Most on Windows XP Embedded.

~~~
heywire
In the industry I am in (mostly grocery, convenience, some specialty retail),
most have moved to at least POSReady 7, and some are looking at Windows 10,
though there are other concerns with PCI compliance there. Most of the large
retailers are pretty good about keeping these things away from the general
Internet, but once an attacker is in your network, most bets are off. The most
important thing to do is to look for retailers who are using the standalone
pinpad devices (i.e., they don't take your card and swipe it in the keyboard
or on the display). These standalone devices encrypt card data before that
Windows-based point-of-sale ever sees it. You can't steal card data from a POS
which never sees card data.

~~~
shoover
> Windows 10

I'd be worried about the system rebooting to do a system update while I turn
my back for a minute to help a customer.

------
gnicholas
> _The malware searched for track data (which sometimes has cardholder name in
> addition to card number, expiration date, and internal verification code)
> ... There is no indication that other customer information was affected._

What other customer information could have been affected? Kudos on the
masterful PR spin — I guess by now Chipotle has had a lot of practice at
this...

------
pasbesoin
Anyone have the whole list? (I hate enforced drill-down selection for such
things.) How many locations?

~~~
heywire
A quick look at the chrome dev tools will point to a us.json which has what
you're looking for.

~~~
bpicolo
That's a massive list. 2249 restaurants.

~~~
acemv
I am appalled at the attempt by Chipotle to downplay the scope and scale of
the incident. The sentence which reads, "Not all locations were involved, and
the specific time frames vary by location", is a blatant attempt to deflate
the significance of the problem. This public disclosure should have been more
direct, and disclose in plain language the number of stores affected. Chipotle
should explain the full impact in plain language: "2,249 out of X,XXX Chipotle
restaurants were compromised."

~~~
pasbesoin
They are international now, right? I at least think I have memory of running
across them in Canada.

The file name in question (thanks, heywire) is "us.json". I'm left wondering
whether and how much of an international scope there might be to this.

While the version of their web site that I'm receiving by default seems to be
geo-centric to the U.S. and doesn't mention foreign locations, Wikipedia has:

[https://en.wikipedia.org/wiki/Chipotle_Mexican_Grill](https://en.wikipedia.org/wiki/Chipotle_Mexican_Grill)

 _Chipotle Mexican Grill, Inc. ( /tʃᵻˈpoʊtleɪ/)[6] is an American chain of
fast casual restaurants in the United States, United Kingdom,[7] Canada,[8][9]
Germany,[10] and France_

~~~
BillinghamJ
Card processing in Europe is secure and doesn't ever involve magstripe data,
so it won't have been a problem.

