P.F. Chang's Breach: 6 Key Developments

No Indicators of Card Fraud Yet; Analysts Offer Insights
P.F. Chang's Breach: 6 Key Developments

While the restaurant chain P.F. Chang's China Bistro has warned customers that their debit and credit card information may have been compromised in a data breach, several fraud experts say they have yet to see a related increase in fraud.

See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short

P.F. Chang's alerted its customers to the security breach June 12, based on the early findings of third-party digital forensic experts that it hired after receiving a breach tipoff June 10 from the U.S. Secret Service.

The restaurant chain's investigation is ongoing. Unanswered questions include how long the breach lasted, how much card data was stolen and which customers have been affected.

Here are six key developments in the breach's aftermath.

1. Target Connection Suspected

Security experts suspect that some of the card data stolen from P.F. Chang's has been advertised on Rescator, which is a black market e-commerce site devoted to selling stolen "dumps" of the code contained on the magnetic stripe of a card.

Timing-wise, the Rescator website began advertising a "Ronald Reagan" batch of dumps on June 9. The next day, P.F. Chang's received a warning from the U.S. Secret Service that its network may have been compromised, and card data stolen.

Rescator is also where a large amount of card data stolen from U.S. discount retailer Target appeared for sale, fraud experts say. To date, however, there's been no firm proof that the P.F. Chang's breach was the work of the same attacker or gang that hacked Target. "It is really too early to say," Bryan Jardine, product manager at anti-fraud firm Easy Solutions, tells Information Security Media Group. "It is always possible that there is a connection, as these guys are persistent. However there are many people out there capable of performing these types of attacks."

2. Rescator Promises Valid Cards

As of June 17, the "Ronald Reagan" batch of stolen card data that's suspected of being tied to P.F. Chang's was advertised on the site as having a validity rate of 100 percent. If that validity rate is accurate, it means card issuers have so far shut down few, if any, of the cards contained in the batch.

The validity rate is important because sites such as Rescator typically guarantee the accuracy of the advertised validity rates, in part by automatically testing a subset of information purchased by carding site shoppers, to see if the card data is still being treated as valid by card processors. The site can then issue a refund - as credit to be used for buying future dumps - based on the percentage of cards that fail. Alternately, buyers can submit and request credit for card numbers that fail to work as advertised.

"They have an interesting system," says Jardine of the carding sites, noting they have good reason not to lie. "The sellers have reputations to maintain, their card files are graded on a reputation and validity scale and that allows for the sellers to price them at a premium," he says.

3. No Signs of a Fraud Spike

Several fraud experts, speaking on condition of anonymity, say they haven't yet seen any increase in fraud from credit and debit cards used at P.F. Chang's, or from the Pei Wei restaurant chain, which is owned by P.F. Chang's and may also have been compromised by attackers. Accordingly, the payment card industry is closely monitoring cards used at all two restaurant chains for signs of fraud.

A P.F. Chang's spokeswoman declined to comment on signs that cards used at the company's other two restaurant chains may have been compromised, and said that all currently available information was released June 12 via the company's security compromise update page.

4. Fraudsters May Move Quickly

If the Ronald Reagan batch contains P.F. Chang's data, expect related fraud to soon spike, since it will behoove attackers to sell the data as quickly as possible, to maximize their potential haul, fraud experts say. "Often the valuation of a card decreases over time," says Jardine at Easy Solutions. "It is more cost-effective for the fraudsters to get them on the market as quickly as possible. This is easy money for them." As card issuers begin canceling cards and refining their fraud alerts, however, the validity rate will soon plummet.

To date, 1,650 Ronald Reagan cards are being advertised for sale on Rescator, with prices ranging from $18 for a prepaid Bank of America Visa debit card up to $140, based on card types and credit limits. Friday, however, the Rescator site began listing for sale bulk discounts of 100 dumps ($2,000), 200 dumps ($3,500), and 300 dumps ($4,500).

5. Manual Card Imprints Implemented

Many recent card data breaches have involved malware installed on point-of-sale terminals. At Target, for example, attackers apparently used a variant of the BlackPOS memory-scraping malware to grab data from cards as they were swiped, and before the information was encrypted. Given the Rescator connection detailed above, it's possible that P.F. Chang's was also compromised using POS malware.

P.F. Chang's investigators - based either on early findings or else simply prudence - seem to have come to a similar conclusion, since the restaurant chain last week stopped swiping cards using its POS terminals. "We provided manual credit card imprinting devices to all P.F. Chang's China Bistro branded restaurants in the continental U.S. to prevent any further potential exposure of our guests' credit and debit card information," the company said in a statement released June 12. "This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues."

6. Unembossed Cards Won't Imprint

One wrinkle with switching to manual imprints of credit cards, however, is that not all credit cards today have the embossed - meaning raised - letters and numbers needed to leave an imprint on carbon paper. As a result, they can't be manually imprinted. Or as noted by MasterCard, "MasterCard Unembossed has been designed to manage risk by working only in your electronic terminal."

As that highlights, the risks facing card issuers continue to evolve. Embossing, notably, was originally introduced as an anti-counterfeiting feature, because it was tough to duplicate.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network