Dave & Busters (aka Chuck e Cheese for adults and with adult beverages) appears to be the latest in news stories of Data Breaches including magnetic stripe and track 2 data.
From Wired “International Hackers Indicted for Sniffing Credit Cards from Dave & Busters”
“The government said the Dave & Buster’s hackers illegally accessed 11 of the national chain’s servers and installed packet sniffers at each location. The sniffers vacuumed up “Track 2″ data from the credit card magstripes as it traveled from the restaurant’s servers to Dave & Buster’s headquarters in Dallas, according to the indictment.”
In my post titled, “Encrypted Traffic from within the PCI Zone” I discuss that we have adapted OLS.Switch’s point-of-sale (POS) TCP/IP interface to accept POS payment messages across the store’s PCI Zone (Protected network zone where CC Data would transverse) but include an encrypted account number field or data element instead of the clear text PAN (Primary Account Number), in the PAN field. So this would act as a deterrent to network sniffing
That being said — it appears that there was a lack of montioring or mis-configuration or lax physical security around the POS, wiring closet, and network cable runs.
Again: I wouldn’t be surprised that if in future revisions of the PCI DSS - traffic from POS systems on private networks will be required to be transport encrypted in a tunnel or require encrypted fields/data elements.
BTW, Dave & Busters does have a pretty cool private stored value system and game card that you place in their games inorder to play and reload to play more.
EDIT: CIO has an article here: This is probably the best quote from the article.
Unfortunately for the criminals, Gonzalez’s code had some problems
In April 2007 it bombed its first test, on a point-of-sale server at the Dave & Buster’s in Arundel, Maryland. “The packet sniffer malfunctioned … and no credit or debit card account information was captured, ” Lynch said.
Even when the packet sniffer worked, the hackers were forced to keep returning to the Dave & Buster’s network and restarting their malicious software, Lynch said. A bug in the packet sniffer caused it to shut down whenever the computer it was monitoring rebooted.
