CINCINNATI -- The data breach that struck Chipotle Mexican Grill and its customers nationwide this spring affected more than three dozen locations in Greater Cincinnati and brought into focus the vulnerability of old magnetic-strip credit card technology.
The Tri-State's biggest banks, Fifth Third, US Bank and PNC Bank, all say they back the ongoing -- if slow -- rollout of chip-reader checkout hardware, which lags far behind the number of chip-enabled cards. The issue for Chipotle, at least in the view of one local cyber-security expert, may have to do with speed weighed against risk.
"You know how fast it is to check out of Chipotle?" said Tim Rettig, CEO of Intrust IT, a Blue Ash-based information technology and cyber security company. He says the burrito giant perhaps couldn't stomach the somewhat extended time needed to process a chip transaction versus a magnetic-strip one.
"For someone to come in and steal a $10 burrito meal for them wasn't a very big risk versus the cost to upgrade all the chip readers across all their stores," he said.
Chipotle did not respond to a request for comment.
Chip-enabled cards are safer because they complete a transaction using a one-time code; magnetic strips surrender the card number, its three-digit code, your name and other data. But between the hardware needed at the register for the chip and the software needed to support that, Rettig said it can cost a few hundred dollars per register to roll it out across a chain.
The incident with Chipotle came when malware somehow got onto its point-of-sale software, as opposed to a skimmer, which is a piece of hardware that does the deed. The malware absconded with the information over a three-week period between March and April, and on May 26 Chipotle announced that it had been removed and listed the affected locations.
"The most likely scenario is that (a crime organization) figured out a vulnerability to this point of sale, introduced it to a bunch of different restaurants and Chipotle is the first one that found it," Rettig said. "It might be that we have some other ones that it shows up in, or Chipotle could have a proprietary system and it may have been a target, because they're pretty good sized."
Rettig said this breach is very similar to the massive one that hit Target in 2013. In that instance, an HVAC contractor's computer, unbeknownst to him, was infected with malware and spread when he tapped into Target's network. Conversely, Procter & Gamble set up kiosks in a cafeteria a few years ago and the kiosks had come from the factory infected, Rettig said.
For the banks' part, they are not reissuing cards automatically based on this breach and reiterate the need for cardholders' diligence, along with touting their own monitoring. Any fraudulent transaction that is flagged promptly by cardholders won't be held against them.
In the event of a need to toss a compromised card, the transition process to a new card is straightforward for most transactions, according to Fifth Third representative Laura Trujillo.
"If you push your payments from your account, which many recommend, then you do not need to change anything," she said. "Most payments that get pulled directly from your account are attached to your routing number and don't need to be updated by the card. However, if you have your card on file with an Amazon or online retailer, you will need to update it."
As for guarding against a data breach or theft, Rettig had these suggestions:
- Don't use a debit card for purchases, even one that doubles as a credit card. Because it's attached to your bank account, a thief can, in theory, drain that account if it's not caught in time. And the protections offered by banks for debit cards aren't nearly as robust as those offered for a credit card. Use a debit card only at the bank or its ATMs.
- If you use a mobile app, set it up to alert you to all transactions. That way, if you don't recognize a purchase, you can report it as soon as possible.