Chipotle Data Breach and Your Credit Card Security

Kat Campise
June 1, 2017

Another day and yet another credit card data breach. This time hackers targeted Chipotle Mexican Grill at various locations throughout the U.S. (if you believe you might have been a victim of this crime, Chipotle provides information on the specific restaurants affected here). Evidently, the black hat hackers used malware to detect what’s known as track data. If you swipe your card through the magnetic reader, the track data provides a summary of information, such as the name of the cardholder, the card number, and other “discretionary data” to be transmitted between the merchant and financial institution for verification purposes.

Indeed, a simple search on Google using the phrase “how to parse credit card track data” yields instructions for anyone who is interested in trying to access this type of information. This should serve as a wake-up call for those who continue to swipe their cards using the magnetic stripe rather than EMV chip technology. Every time you use the outdated magnetic stripe method, you increase the likelihood of someone stealing the information.

Though Chipotle states they have no evidence to support that “customer information was affected,” it’s wise to take the following steps in the event your data is hacked.

  1. Access your credit card account and review the charges carefully. Most credit cards have fraud protection which covers you in the event of fraudulent charges. This means you aren’t liable for what’s been charged to your credit card. Their customer service/fraud detection department will ask you to complete certain steps in the process.

  2. Contact the credit card company and ask them to issue a new credit card. Their fraud detection or fraud protection department may already do this for you when you report possible fraud. In Chipotle’s case, the track data was the target. This means their customers’ credit card numbers might have been accessed. Despite any company’s reassuring tone about what was and wasn’t stolen, you need to protect your own best interests.

  3. Change your credit card PIN. You should do this periodically anyway. Different financial institutions have separate recommendations for what “periodically” means. But, if you’re a heavy credit card user -- especially if you use the EMV method with PIN verification for payment -- then creating a new PIN every six months makes it harder for hackers to keep up with the changes. Remember, they want easy and vulnerable targets. The more you become a “moving” target, the less energy they want to expend in targeting you.

  4. Usually, the track data isn’t related to your Social Security number. However, it’s a smart idea to continuously monitor your credit report, as that highly sensitive information is stored in a financial institution’s database. Certainly, nothing was mentioned in the Chipotle incident as having affected the credit card companies. But DocuSign has also been breached recently, as have UNC Health Care and Gmail. These are only a few of the worst known data breaches of 2017, and it isn’t a complete list. Every day, over four million data records are lost or stolen. This number isn’t decreasing; it’s increasing.

To be completely forthright, hackers are constantly penetration testing new technologies. While EMV chips are safer than magnetic stripes, Business Insider reported there is a way to hack the hardware used for those technologies at the point of sale. Granted, the fraudulent individual(s) would need to physically alter the device by hooking up a Raspberry Pi computer. But all it would take is an employee willing to risk their job to access your data.

Yet all is not lost. In the same Business Insider article, Apple Pay is recommended as an alternative because of its strong encryption technology. If you have an iPhone, you’re aware of Apple’s multifactor authentication process. Multifactor means you use more than one method to access your phone or payment methods. For example, the newest iPhones come with a biometric sensor that lets you unlock the phone by placing your thumb on the Touch ID pad. Since someone would need to have both the device and your unique thumbprint, hacking becomes all the more challenging. There are additional plans for the fingerprint scanner to be replaced with a face scanner.

While banks, merchants, and other financial services providers, such as PayPal, continue to update their cybersecurity to make it harder for hackers to access your data, sites like the Digital Guardian offer over 100 tips for you to safeguard your personal information.
