Shostack + Friends Blog Archive


Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a scheme to buy and resell cases of vintage French wine, Louis Vuitton handbags, Cartier jewelry and even a Roy Lichtenstein lithograph of Marilyn Monroe.

Seven waiters, he said, used lipstick-size electronic “skimmers” to extract data from the magnetic strips of American Express Centurion, or “black,” cards and other high- and no-limit credit cards belonging to patrons. Such customers, used to high credit card bills, would probably not have immediately noticed or been alerted by card companies to any suspicious activity on their accounts, Mr. Vance said. (“28 Indicted in Theft of Steakhouse Patrons’ Credit Card Data”, Noah Rosenberg, New York Times)

Patrons who kept their credit limit private were safe, as were those who ate at Peter Luger’s, because Luger’s only accepts nice, private cash.

Oh, and since I want to post this to New School, we would be unable to discuss this data point anecdote if the police hadn’t disclosed the modus operandi. And without disclosure from American Express, we can’t tell if this was caught by Common Point of Purchase analysis or something else. (It sounds like purchase type analysis would likely not work.) Maybe we’ll learn that during the trial, or maybe they’ll discuss it in meetings with their competitors at Visa and Mastercard.
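For readers unfamiliar with Common Point of Purchase analysis, here is a sketch of the idea. It is an added example, not code from this post or from any card issuer. The scoring method (lift with add-one smoothing), the merchant names and the transaction data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (card_id, merchant) pairs from a look-back window.
SAMPLE_HISTORY = [
    ("c1", "steakhouse-A"), ("c1", "grocery"), ("c1", "coffee"),
    ("c2", "steakhouse-A"), ("c2", "grocery"),
    ("c3", "steakhouse-A"), ("c3", "coffee"),
    ("c4", "steakhouse-B"), ("c4", "grocery"),
    ("c5", "grocery"), ("c5", "coffee"), ("c6", "grocery"),
    ("c7", "grocery"), ("c7", "coffee"),
    ("c8", "coffee"), ("c8", "steakhouse-B"),
    ("c9", "grocery"), ("c10", "grocery"), ("c10", "coffee"),
]
# Constructed sample: cards with confirmed fraud reports.
SAMPLE_COMPROMISED = {"c1", "c2", "c3", "c4"}


def common_points_of_purchase(history, compromised, min_cards=2):
    """Rank merchants by over-representation among compromised cards.

    Returns (merchant, hit_cards, hit_rate, base_rate, lift) tuples,
    highest lift first. A popular merchant such as a grocery store is
    visited by most compromised cards but also by most clean ones, so
    its lift stays near 1; a skimming location stands out.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant in history:
        cards_at[merchant].add(card)
        all_cards.add(card)
    bad = all_cards & set(compromised)
    clean = all_cards - bad
    if not bad:
        return []
    ranked = []
    for merchant, cards in cards_at.items():
        hits = len(cards & bad)
        if hits < min_cards:  # one card is coincidence, not a pattern
            continue
        hit_rate = hits / len(bad)
        # Add-one smoothing: a merchant no clean card visited must not
        # cause a division by zero.
        base_rate = (len(cards & clean) + 1) / (len(clean) + 1)
        ranked.append((merchant, hits, hit_rate, base_rate,
                       hit_rate / base_rate))
    ranked.sort(key=lambda r: (-r[4], r[0]))
    return ranked
```

In the sample, "steakhouse-B" falls below `min_cards`, which shows the limit of the method when a skimming ring is spread across several restaurants with only a few victims at each.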