Are Franchisees The New Sweet Spot For Card Data Thieves?

The payment-card breach revealed on January 11 by 560-store restaurant chain Zaxby's throws a light on what may be the near-future of major breaches. The chain said it found malware on systems at 108 stores across the southeastern U.S. after card processors identified the stores as common points of purchase for fraudulent card activity.

But Zaxby's doesn't operate any of the stores—they're all franchisees, putting both the company and the franchisees in a worst-of-both-worlds situation.

The company said it helped the franchisees check their servers after the common-point-of-purchase notifications. "During the course of its forensic investigation, Zaxby's Franchising Inc. identified some suspicious files, including malware, on the licensees' computer systems at certain Zaxby's locations. Because those files could have been used to export guest names and debit card numbers, Zaxby's Franchising Inc. informed appropriate law enforcement authorities of the potential criminal activity," the company said in its statement.

The infected stores were in Virginia, Kentucky, Tennessee, Georgia, North Carolina, South Carolina, Alabama, Mississippi, Arkansas and Florida.

Zaxby's added that the investigation hasn't determined whether card data was stolen and that the breach appears to be due to an external attack. The company also said it was working with all franchisees to beef up security.

Zaxby's didn't report an estimate of the number of card numbers stolen or give a timeframe for the notifications and investigations. But it posted the addresses of the infected stores on a separate Web site that the company created last November, suggesting the problem was already significant at that point.

This isn't exactly a novel attack, but it may mark a shift in how thieves are going after card data. Attacks on servers were all the rage five years ago, when Albert Gonzalez was ripping through the data of large chains that included TJX, Target, 7-Eleven and JCPenney. Then PCI clamped down and big chains' networks and servers were hardened—and in recent years, POS tampering has been the preferred way to get at customers' card numbers.

Now there appears to be a new sweet spot at the disconnect between franchisers and franchisees.

"The new attack vector tends to be platform based more than chain based. Once they find an exploit on a certain POS or server, [attackers] try to identify everyone in the world that runs that platform," said StorefrontBacktalk Franchisee columnist Todd Michaud. "That being said, they are definitely looking at franchise systems, because the disconnect between corporate and a franchisee (is less likely to be well protected), coupled with the fact that if they have an exploit on that platform, they can get many locations."

Ironically, the more standardized the payments system a franchise recommends or requires (usually in the name of a consistent level of security), the more likely the whole chain will be subject to attack if a security hole is exploited. If franchisees all chose their own systems, security would likely be more of a mess—but it would be a more diverse mess and less convenient for attackers looking for wholesale card plunder.

If the franchising chain sets standards but doesn't have skin in the game itself by running restaurants—as is the case at Zaxby's—it's at least one level removed from any problems that show up.

And if the franchising chain sets standards that aren't followed, that can open new security holes that the chain doesn't expect.

Although Zaxby's helped franchisees hunt for malware once the systems were under a cloud, the fact that the individual franchisees are essentially small businesses means they really need the help—they're unlikely to spot suspicious activity themselves.

"Because the biggest risk for the hacker is accessing the system, and because these chains process fewer transactions than the big guys, they are forced to let their code remain active for a longer period of time to try and gather as many cards as possible before they get them," Michaud said. "There is a chance that an admin or firewall might catch the entry and, therefore, each time they come get the cards, they risk getting their honey-hole shut down. So franchise systems are good for software that can sit unattended for long periods of time without being noticed."

Marrying the security of a mom-and-pop shop with the standardized systems of a regional chain? That's got to be highly attractive to attackers and potentially much easier to exploit than traveling across the country tampering with PIN pads. It won't be surprising if a lot more franchisers see their stores breached—and if still more such breaches fly under the processors' and card brands' antifraud radar.

Then again, big chains aren't off the hook. They process a lot more cards—and there will always be PIN pads.