
Whole Foods, Sonic Drive-in… POS System breaches. Why are we still seeing breaches like this?

This week alone we’ve seen two announcements of breaches on point-of-sale (POS) systems. The first was Sonic Drive-In, which announced Tuesday that potentially millions of credit card numbers had been compromised from people who ate at Sonic Drive-In restaurants. The likely culprit is a breach of their POS systems, whereby hackers find a way into Sonic’s network and drop malware that runs on the POS systems.

Then just this morning Whole Foods made an announcement that its in-store restaurant and taproom POS systems likely have been breached as well, exposing anyone who used a credit card at these locations to fraud.


The question is, why does this keep happening? We can cite many more examples of POS machines being compromised, from the massive Target breach to Home Depot. You can find report after report after report of POS machines being compromised and millions of people’s credit card information being stolen. But why? Weren’t there supposed to be measures to protect us?


Credit cards have long been a favorite target for attackers. A malicious user can sell large quantities of credit cards for a pretty nice sum of money with very minimal effort in some cases. The credit card companies have attempted to fix this by rolling out chipped credit cards. Chipped cards work by creating a one-time transaction number at the time of purchase between the POS system and the credit card processing system. This transaction number can never be used again. If an attacker were to gain access to this transaction number, it would be useless as the transaction would have already occurred and the number will have been retired.
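The difference between a static magstripe and a one-time transaction number can be shown with a simplified model. This is an added example, not part of the original post; the class and function names are hypothetical, and HMAC-SHA256 with a per-card counter stands in for the real chip cryptogram scheme.

```python
import hashlib
import hmac
import secrets

def _tag(key, pan, counter, amount_cents, nonce):
    # HMAC-SHA256 stands in for the chip's real cryptogram algorithm (assumption).
    msg = f"{pan}|{counter}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def authorize_request(self, amount_cents, nonce):
        self.counter += 1  # every purchase consumes a fresh counter value
        tag = _tag(self._key, self.pan, self.counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self.counter,
                "amount": amount_cents, "nonce": nonce, "tag": tag}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last_counter[pan] = secrets.token_bytes(32), 0
        return self._keys[pan]

    def approve_chip(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        expected = _tag(key, req["pan"], req["counter"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False  # fields were altered or the tag was forged
        if req["counter"] <= self._last_counter[req["pan"]]:
            return False  # number already retired: this is a replay
        self._last_counter[req["pan"]] = req["counter"]
        return True

    def approve_magstripe(self, track):
        # Static data: a copied stripe is indistinguishable from the original.
        return track["pan"] in self._keys

def demo():
    issuer, pan = Issuer(), "4111111111111111"  # constructed test number
    card = ChipCard(pan, issuer.enroll(pan))
    req = card.authorize_request(1299, secrets.token_hex(4))
    first, replay = issuer.approve_chip(req), issuer.approve_chip(req)
    altered = issuer.approve_chip({**req, "counter": req["counter"] + 1})
    stripe = {"pan": pan, "exp": "12/30"}
    return first, replay, altered, issuer.approve_magstripe(stripe), issuer.approve_magstripe(dict(stripe))
```

`demo()` returns the issuer's decision for the original chip request, a replay of it, a request with a bumped counter but the old tag, and two presentations of the same magstripe data.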


So why are we still seeing these massive breaches? Well, as anyone who has been to any location that accepts credit cards knows, it’s an extremely slow process to roll this technology out. Chances are when you go shopping, you still find POS terminals that do not yet have the chip active. Couple this with the fact that not all credit card companies have issued chipped cards to all of their users, and you still have an extremely large attack surface of people using the old, extremely dangerous, magstripe. It will also likely stay this way for some time. Think about gas stations — have you been to any gas stations that allow you to use a chip? Probably not, which means hackers will continue to have a playground to attack.


The other method of gaining access to a lot of credit card numbers is to breach the database of an online retailer. Online sales are still almost entirely done by the old-fashioned credit card number, expiration date, name and CVV number. This data is a gold mine for attackers and there’s very little credit card companies are doing to prevent this. Visa has tried to roll out the “Verified by Visa” program where users create a password which is needed before an online transaction can go through. This program, however, only works on 12,000 participating online retailers, so we yet again have a problem.


So what can be done? How do we stop this from happening? First and foremost, we need to put more pressure on the credit card companies and retailers to completely phase out the magstripe. Yes, locations will still need to support it because of international customers that have yet to get a chipped card, but by completely supporting chips in the US, we greatly reduce the risk. We also, as an industry, need to start thinking about the best way to protect credit card information online. Just like we have the one-time transaction with the chip, we need to embrace the same concept in the online retail world. Ideally, we’d stop taking credit card numbers online and move to one-time transaction numbers. It’s going to take a lot of time and effort and consumer demand to get there. For now, we will almost certainly see more breaches like Whole Foods and Sonic Drive-In.