
Brian Krebs is reporting yet another potential retail breach, this time at the sandwich chain Jimmy John’s. Fraud analysts at financial institutions have reportedly traced stolen credit card activity back to the nationwide chain and to multiple locations. The company has not made a statement regarding the supposed breach, but did say it is currently working with authorities to investigate the situation.

If this is yet another mega-retailer breach, it would add to the growing list of chains that have been victims of point-of-sale breaches resulting in massive numbers of compromised credit cards, joining Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and, more recently, Goodwill Industries.

At Black Hat (Booth #141), Tripwire will be hosting a presentation and book signing by Slava Gomzin, author of “Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions”, on Wednesday the 6th at 5PM. Slava will be discussing some of these recent hacks and how organizations can prevent them. We also have a free chapter from the book that outlines point-of-sale architectures and vulnerabilities.

  • Kevin Detro

    I have seen PDQ POS in action at Jimmy John’s and task-managed out of the software to see what OS it runs on, and can attest they use Windows XP as their base operating system. I called around to other stores and found they all use the exact same system and have for quite a few years.

    In essence, every point-of-sale machine Signature Systems sells to Jimmy John’s franchises runs an unsupported operating system, which is a HUGE security breach. Total stores with PDQ POS is around 2000 stores with 6 to 10 machines in each location, every one of them running XP, and every one of them a security breach of the Payment Card Industry Digital Security Standards (PCI-DSS) section that states that if any part of a system or subsystem of the point-of-sale becomes unsupported by its original creator (which for XP was April 8, 2014), then it needs to be upgraded to a newer supported version or supported by a 3rd party.

    Furthermore, I found the article is only partially correct in that the system is not only suggested by the Jimmy John’s corporate office for all new franchisees, but mandated. Imagine being told that you have to pay $30k for a POS, only to find it isn’t even compliant with the most basic of security standards, and is a giant lawsuit waiting to happen when breaches occur?