IHG Hotels Announces Credit Card Breach

Last December Brian Krebs reported that banks were seeing a pattern of credit card fraud centered on the hotels of the InterContinental Hotels Group, IHG.  IHG owns Holiday Inn, Crowne Plaza and InterContinental, among many other brands.

At the time, IHG said that it only affected a dozen hotels or so.  IHG owns about 5,000 hotels.  Now four months later, IHG says that the breach affected over 1,000 hotels.  And still counting.

The breach affected front desk computers, which is unusual.  Typically, the credit card breaches hit the hotel restaurants and bars which are often outsourced to a third party and out of the hotel’s control even though they still get blamed for it.

This time, the breach is hitting the front desk.  While only some patrons eat at the hotel restaurant or drink at the bar, almost everyone gives the front desk a credit card, even if it is just for “incidentals”.  That is what makes this breach nasty.

One good piece of news is that they say that the breach only ran from September 29 to December 29 of last year.  But they also said it only affected a dozen hotels, so consider the source.

They are saying that this is only affecting franchised hotels, but they are having a bit of a challenge.  They are offering to pay for the forensics to check the franchisees’ computers, but many of the franchisees are telling them to bug off (or something like that).

As of yesterday, Krebs is saying that of the 1,175 hotels that have been identified so far, 781 are Holiday Inn Express properties, so if you stayed at a Holiday Inn Express late last year, watch your credit cards.

Given that some number of franchisees are not cooperating, the number of affected hotels may continue to rise.

The only thing that IHG has said about the mechanism is that the malware looks for the credit card data as it transits the hotel server.  That is how the POS malware in these breaches typically works: it scrapes the magstripe track data out of memory while it is sitting there in cleartext.  It also means that the hotel is not encrypting the data at the point of collection.  Bad Hotel!  If the card data had been encrypted inside the reader, there would have been nothing useful on the server for the malware to find.
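As an added illustration of what “looking for the card data as it transits the server” means in practice (this is my example, not code from the article, from Krebs or from IHG): the pattern matching a memory scraper performs is the same test you can run over your own process memory dumps, log files and file shares to confirm that no cleartext track data or PANs are present.  The sample buffer is constructed and uses the published Visa and Mastercard test card numbers; the function names are mine.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test.  Every real PAN passes it, so a scraper uses it to
    discard folio numbers, phone numbers and other digit runs; so can you."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Magstripe formats as they sit in a POS process's memory after a swipe:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
BARE_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")   # PAN without track framing


def find_card_data(buf: bytes) -> list:
    """Return (kind, pan, offset) for each Luhn-valid PAN found in buf.
    Track matches are reported first; a bare-digit match at the same offset
    is the same PAN and is not reported twice."""
    hits, seen = [], set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE), ("pan", BARE_PAN_RE)):
        for m in rx.finditer(buf):
            pan, off = m.group(1).decode("ascii"), m.start(1)
            if luhn_valid(pan) and (pan, off) not in seen:
                seen.add((pan, off))
                hits.append((kind, pan, off))
    return hits


def mask(pan: str) -> str:
    """First six and last four only, which is all you should ever log or report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(buf: bytes) -> list:
    """Masked findings suitable for a ticket: (kind, masked PAN, offset)."""
    return [(kind, mask(pan), off) for kind, pan, off in find_card_data(buf)]


# Constructed sample of what a front-desk process's memory might contain.  The
# card numbers are the published Visa/Mastercard test PANs, not real accounts.
SAMPLE = (
    b"POST /checkin HTTP/1.1\r\n"
    b"%B4111111111111111^DOE/JOHN^2512101?\r\n"          # track 1, Luhn-valid
    b";5555555555554444=2512101?\r\n"                    # track 2, Luhn-valid
    b"room=1204 folio=0000123456789012 amt=149.00\r\n"  # 16 digits, fails Luhn
    b"phone=3035551212\r\n"
)

if __name__ == "__main__":
    for kind, masked, off in scan_report(SAMPLE):
        print(f"{kind:7s} {masked} at offset {off}")
```

Run it against a dump of your check-in application’s process (or its log directory): if it finds anything, a scraper on the same box would too.  The folio number in the sample is the reason for the Luhn test: it is sixteen digits long but is not a card number, and the check throws it out.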

If you watch your credit card transactions and report the fraud quickly, your liability is limited (at most $50 under federal law, and most issuers waive even that).  Debit cards, which luckily are used much less frequently at hotels, are different: your liability is $50 if you report within two business days, up to $500 if you report within 60 days of the statement being sent, and unlimited for transfers made after that.  So the key thing for you to do is watch your debit card charges and, if anything strange appears, report it immediately.

Unfortunately, until businesses get serious about credit card security, we are going to see these breaches on a regular basis.    Just recently, Brian has reported about breaches at Shoneys and Gamestop in addition to this IHG breach.

IHG is not reporting numbers regarding the size of the breach, but we could speculate.  If the breach was active for 90 days and each hotel swiped just 50 credit cards a day (which seems low), then 90 x 50 x 1,175 = 5,287,500, call it 5.3 million cards.  Maybe they will tell us at some point, but right now we are guessing.

Now for the other side of the story.

If you are collecting credit card information in person, you should be using a chip (EMV) card reader that also does point-to-point encryption (P2PE).  Remember that many hotels have a credit card reader integrated with the check-in system and swipe your card instead of dipping it.  That is the root of the problem.  With a P2PE reader the track data is encrypted inside the reader’s tamper-resistant hardware as it is collected, and the hotel’s own systems never see the unencrypted data.  Hackers would then have to physically compromise the reader itself, which cannot easily be done remotely, so the bad guys are just going to go elsewhere.  The chip alone is not enough: it defeats counterfeit cards, but if the reader hands the card number to the check-in software in the clear, a memory scraper on that computer can still harvest it.

For online businesses or other card-not-present transactions (like orders taken over the phone), if you can, enter the card data directly into the bank’s or payment processor’s web site and do not store or save the data locally.  If you don’t save it, hackers can’t steal it from you.  The bank will give you a reference ID for the card, usually called a token, and that should be sufficient if you ever have questions about the transaction or need to charge the same card again.  You will still have to work with the bank to deal with any dispute, but you are largely off the hook because that token, it turns out, is useless to the bad guys on its own: it only works through that processor under your merchant account, and it cannot be turned back into the card number.
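An added example of the tokenization arrangement described above, written by me rather than taken from the article or from any bank’s API: the vault stands in for the bank’s or processor’s system, the front desk stands in for the merchant, and the class and method names are assumptions for illustration.  It shows what the merchant is left holding (a token and the last four digits), that the same card maps to the same token without the vault storing a guessable hash of the card number, and that a dump of the merchant’s records contains nothing usable.

```python
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Stands in for the bank's or processor's system.  The merchant never runs
    this, and the card number (PAN) lives only here."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_index = {}
        # Keyed hash so the same card always maps to the same token without the
        # vault storing a plain SHA-256 of the PAN, which would be brute-forceable
        # (only ~10^15 Luhn-valid numbers per BIN range).
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Random token; the last four digits are appended for receipts and staff
        # lookups, but nothing else about the PAN is recoverable from it.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise ValueError("unknown token")
        # A real vault would now authorize against the card network using pan.
        return {"auth_id": secrets.token_hex(8), "approved": True,
                "amount_cents": amount_cents, "last4": pan[-4:]}


class FrontDesk:
    """The merchant's side: hands the card to the vault at check-in and keeps
    only the token, so there is nothing here for a scraper to harvest later."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.folios = {}

    def check_in(self, room: str, pan: str) -> str:
        token = self.vault.tokenize(pan)   # the PAN is not retained after this call
        self.folios[room] = {"token": token, "last4": token[-4:]}
        return token

    def bill_incidentals(self, room: str, amount_cents: int) -> dict:
        """Charge the card on file without ever seeing the card number again."""
        return self.vault.charge(self.folios[room]["token"], amount_cents)

    def records_contain(self, pan: str) -> bool:
        """What an attacker who dumps the merchant's database would find."""
        return pan in json.dumps(self.folios)


if __name__ == "__main__":
    desk = FrontDesk(TokenVault())
    tok = desk.check_in("1204", "4111111111111111")   # published Visa test PAN
    print("merchant holds:", desk.folios["1204"])
    print("incidentals:", desk.bill_incidentals("1204", 14900))
    print("PAN in merchant records:", desk.records_contain("4111111111111111"))
```

The part worth noticing is the keyed index.  A naive vault that deduplicates cards by storing `sha256(pan)` has turned itself into a rainbow-table problem, since card numbers have little entropy; the HMAC key is what makes the index useless to anyone who steals the table.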

You would think, after all the breaches in the last 5 years like Target and Home Depot that we would get our arms around this, but apparently not.

Information for this post came from Brian Krebs and Computerworld.

More Healthcare Breaches, Record Fines and Other Issues

Another day, another healthcare ransomware attack.  Erie County Medical Center and Terrace View long term care in Buffalo, New York have been dealing with a ransomware attack for about 10 days now.  On April 9th, a Sunday, the computers got hit by what they are only calling a virus, but according to someone I talked to today, it is, in fact, a ransomware attack.  They have not paid the ransom and do not intend to, but from April 9th to the 15th, all systems were down.  They hoped to have the patient data part of their systems operational by the 15th at which point they would need to start entering the backlog of patient data and any data that was lost.

According to local media, the email system is also supposed to be up by that time.

After that is complete, they planned on working to restore systems such as payroll.

According to the person I talked to this morning, as of today, they are still working on recovering.

I am sure that they will complete a lessons learned exercise once people get some sleep, but from the outside, a couple of questions are obvious.  Their disaster recovery plan seems to be lacking if they are still recovering 10 days later.  We don’t know if their business continuity plan is sufficient.  They didn’t have to close the hospital, which is good, but what is the impact on patient care and staff workload?  Finally, how did this ransomware spread so widely in the organization that it is taking them more than 10 days to recover?

As a side note, the Beazley cyber insurance company says that ransomware attacks that were reported to them quadrupled in 2016 and they expect that to double again in 2017.  Half of the attacks were in healthcare.

The FDA is now shifting its focus to medical devices, like those from St. Jude Medical, the firm the FDA slammed last month over the security of its devices.


As if that wasn’t enough to worry about, Health and Human Services Office of Civil Rights levied more fines in 2016 than any other year to organizations that were breached.  They announced 12 settlements averaging $2 million in 2016 and three more in the first two months of 2017 PLUS a fourth case that had a fine of $3.2 million.

Some of these cases required the appointment of an external monitor or baby sitter, indicating that OCR didn’t trust those organizations to fix the problems without oversight.

This handful of cases, while significant, represents a fraction of a percent of the roughly 17,000 complaints a year that are filed with OCR.

In addition, OCR is finishing up a series of desk audits of covered entities and is about to start on auditing business associates.

While it is unclear what will happen under the Trump administration, OCR’s enforcement is funded in significant part by the fines it levies, so it may well be the case that things run as they have for the last few years.  Stay tuned.

Putting all of this together should be a red flag to anyone in healthcare that they need to get very serious about cyber security.  It is not likely to get any better or easier any time soon.


Information for this post came from Disruptive Views and hrdailyadvisor.

Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google Engineers on their toes.  The trojan sits, literally, on top of existing banking apps and captures your user name and password.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to fool Google’s app-screening software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, Youtube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages, which are often used for two factor authentication.  THIS is why NIST has deprecated the use of SMS for two factor authentication in its draft Digital Identity Guidelines (SP 800-63B).  Too easy to compromise.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did not do as good a job of stopping rogue apps from drawing over legitimate apps on the screen, which is how this malware works: the trojan watches for one of its targeted banking apps to come to the foreground and then draws its own look-alike login screen on top of it.  The user thinks they are typing into the real app because that is what they see, but in reality the rogue window sitting on top of the real app is what receives the password.  Android 6.0 and later treat drawing over other apps as a special permission the user has to grant explicitly in Settings, which raises the bar for this trick.
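As an added example of the kind of check a reviewer (or an automated screen like Bouncer) can run on an app before trusting it, here is a manifest triage script of my own, not code from the article, from Bleeping Computer or from Google.  It reads a decoded `AndroidManifest.xml` (the output of apktool or similar) and scores the combination of capabilities an overlay banking trojan needs: drawing over other apps, reading incoming SMS for one-time codes, knowing which app is in the foreground, surviving reboot, and targeting an old SDK level to dodge runtime permission prompts.  Both manifests below are constructed for the example; the scoring weights and thresholds are my own choices, not a published standard.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # Android attribute namespace

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
FOREGROUND_PERMS = {"android.permission.GET_TASKS", "android.permission.PACKAGE_USAGE_STATS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def manifest_facts(xml_text: str) -> dict:
    """Extract the capabilities relevant to an overlay / SMS-stealing trojan."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    def actions_in(tag):   # intent-filter actions declared under <receiver> or <service>
        return {a.get(A + "name") for el in root.iter(tag) for a in el.iter("action")}

    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "0")) if sdk is not None else 0
    return {
        "overlay": OVERLAY_PERM in perms,
        "sms_perm": bool(perms & SMS_PERMS),
        "sms_receiver": SMS_ACTION in actions_in("receiver"),
        "foreground": bool(perms & FOREGROUND_PERMS),
        "boot": BOOT_PERM in perms,
        "accessibility": ACCESSIBILITY_ACTION in actions_in("service"),
        "target_sdk": target,
    }


def overlay_risk(xml_text: str):
    """Return (score, findings).  Each finding is one capability the trojan needs;
    the weights are illustrative, with overlay and SMS capture weighted highest."""
    f = manifest_facts(xml_text)
    checks = [
        (3, f["overlay"], "SYSTEM_ALERT_WINDOW: can draw a fake login over another app"),
        (3, f["sms_perm"] and f["sms_receiver"], "SMS_RECEIVED receiver: can read one-time codes sent by SMS"),
        (2, f["accessibility"], "accessibility service: can read screens and tap for the user"),
        (1, f["foreground"], "foreground-app detection: knows when the banking app is open"),
        (1, f["boot"], "RECEIVE_BOOT_COMPLETED: comes back after a reboot"),
        (1, 0 < f["target_sdk"] < 23, "targetSdkVersion < 23: install-time grants, no runtime permission prompts"),
    ]
    findings = [text for weight, hit, text in checks if hit]
    score = sum(weight for weight, hit, _ in checks if hit)
    return score, findings


def verdict(xml_text: str) -> str:
    score, _ = overlay_risk(xml_text)
    if score >= 6:
        return "overlay-trojan profile"
    if score >= 3:
        return "review"
    return "no overlay indicators"


# Constructed manifests.  The first looks like a "video player" that is really
# an overlay trojan; the second is a plain flashlight app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.funnyvideos">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="25"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = overlay_risk(m)
        print(f"{name}: score={score} verdict={verdict(m)}")
        for line in findings:
            print("  -", line)
```

None of these permissions is malicious on its own (a launcher legitimately draws over other apps; an SMS client legitimately receives SMS), which is why the script scores the combination rather than any single permission, and why a “video player” that wants all of them deserves a closer look.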

This points to another issue.  While Apple is very good about forcing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty exploit that targets the Broadcom Wi-Fi chip used in many phones.  It reportedly can even work when Wi-Fi is switched off.  Apple patched it in March and Google in April, so if you have not installed this month’s major OS update, your phone is and will continue to be vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or distributor (like Apple or Verizon) stops supporting them, it is time to replace them.  Sorry.  It is a matter of security.  That is no different from the need to upgrade from Windows Vista (which is also no longer supported), even though it is still functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed, but make no mistake – the next version of iOS will likely NOT support the iPhone 5, and at that point iPhone 5 users are in the same boat as Android users running version 2, 3, 4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.

One Reason People Steal Medical Records

37 billion dollars.

Is that enough reason?

As health premiums increase, more people, especially healthy ones, are moving to high deductible health plans (HDHPs).  A feature of all HDHPs is the option to create a health savings account (HSA).  HSAs are tax advantaged in several ways, so most people who have HDHPs also have HSAs.

The estimated value of money stored in HSAs is about $37 billion in about 20 million accounts.  That is a lot of money – even to crooks. And the numbers are going up at a rate of about 20% a year.

The thing about HSAs is that people don’t think of them like bank accounts.  They don’t check the balance every day.

That matters because your legal protection is limited to a short period of time after the fraud: for debit cards, if you don’t notify the bank within 60 days of them mailing the statement, you face unlimited liability for the fraudulent transfers made after that point.

Since the amount of hacking is going up, the price of credit card data on the black market is going down.  If you merge credit card info with credit scores (higher scores tend to map to higher HSA account balances) and with stolen medical info, you now have what is called a fullz (a full dossier), and those are selling for about $80-$100 a whack on the black market, assuming the bad guy doesn’t use it themselves.

So, ponder this.

If you steal someone’s healthcare information (like in the Anthem breach), you probably have enough information to either hack into someone’s HSA or socially engineer your way in.

And, if the owner is not watching the balance, you might get lucky and not be detected for months.

So what this means is that if you have an HSA banking account, you need to watch it just like you would watch your checking or savings account.

If your HSA provider offers the option to send you text or email alerts when money goes into or out of the account, you should turn those options on.  AND, you need to read those emails or texts when they come in, not ignore them.

Yeah!  A new type of fraud to worry about.

Information for this post came from Dark Reading.


IoT Liability – Who’s Responsible?

When your Internet connected baby monitor fails you probably whine.  You may complain to the manufacturer or the store where you bought it.  Or, you may just buy a new one.

But if that IoT device is your car, well, that could be a bit more complicated.

If you buy a used car and the previous owner did not wipe the phonebook from the hands free unit in the car, the buyer may have access to data that he or she should not have.

But if you wipe the data, is it really gone?  That is far less clear.  Is the data backed up in the cloud?  Is the cloud account associated with the buyer or the seller?

What if the seller had access to the car (to say unlock it or start it) from his or her smart phone?  Does the buyer know if that “connection” between the seller and the car has been severed?  How would the buyer ever know?  Maybe the seller can still see geolocation data – where the car is at any time.

What if a house had a smart thermostat?  If the seller still had access he or she could turn off the heat in the winter or turn off the AC in the summer.  There have been a number of cases where, during a divorce, the displaced spouse did mischievous things.

What if the house had a smart lock and the seller decided to unlock it?  Randomly.  What if the house was burgled as a result?

Are realtors equipped to counsel buyers about smart homes?  I doubt it.  Many realtors have a hard time using their MLS software (certainly not all of them, but this is a pretty geeky subject).

What about home inspectors?  Surely they are educated enough to warn people.  Many home inspectors are retired handymen.  That is the wrong demographic to be providing advice on the Internet of Things.

In some cases, the IoT devices are not even visible.  Like, perhaps, a connected furnace or smart water heater.

In some cases, when the seller sells the house and takes their Internet connection with them, the device, of course, goes offline.  Does that mean the device stops working, or is there a fail-safe in the device?

According to the National Association of Realtors, only 15% of buyers ask about smart homes.  What if the realtor says “I don’t know if this is a smart house”?  Does the buyer demand answers?  In some cases the seller probably doesn’t even remember whether the water heater is connected to the Internet, and if it is, how to change that connection.

Underwriters Laboratories is working on a UL cyber security seal, but that process is voluntary, and maybe in 10 or 20 years it will turn into something.

In this article I am talking about big, expensive, smart devices, but the prediction is that, by 2020, there will be 20 billion devices connected to the Internet.  Most of them small – a toaster or refrigerator or baby monitor or security camera.  What if, as some people do, there are security cameras inside the house and the buyer doesn’t change the password that the seller handed over?  That isn’t too far fetched.  It works, and it is too hard to figure out how to change it.  Now the seller can watch the buyer in his or her house.  No telling what the seller might see.  Or capture.  Or post online.  Or share with friends.  Think about that one for a minute.

In the mean time, it is kind of like the wild west.  You are on your own and good luck.

I am not anticipating this changing any time soon.


Information for this post came from SC Magazine.

Why Hoarding Zero Days Is Bad Public Policy

This week Microsoft patched a zero day bug that affected Microsoft Word users.  Microsoft was alerted to the bug by the FireEye security firm several months ago.

What we did not know until today is that this bug was being exploited for at least several months.  WHO was exploiting it is less clear because hackers don’t always sign their names to the work, but it appears that both hackers and governments may have been exploiting the bug.

FireEye is saying that perhaps the hacker who discovered the flaw sold it to both other hackers and government actors.  Rarely is there any agreement from hackers to only sell a hack to one party, so if they did that, it is not really surprising.

It is also possible that two different people independently discovered the bug at around the same time.  That doesn’t seem as likely to me.

Hackers used different Word documents to entice folks to open the email attachments.  One was a military manual written in Russian, another was a document referencing the Russian Ministry of Defense and the third was a document that promised to reveal “top 7 hacker chicks”.  Seriously.

If people fell for it and opened the document they would get infected with the malware FinSpy made by the hacking firm FinFisher.  It is certainly possible that FinFisher, who makes spy tools and sells them to governments (and likely “others” for the right price) also bought the zero day.

As a testament to the international flavor of hacking, some of the servers hosting this delicious treat were in Italy while others were in Romania.

What is less clear is when our government became aware of this zero day.  Assuming they became aware of it, say, a year ago and decided to keep it secret, that is within the rules of the government’s own Vulnerabilities Equities Process, which decides whether a flaw the government finds is disclosed to the vendor or retained for intelligence use.

IF – and we don’t know if this is true – the government – our government – was keeping this zero day secret and hackers were, at the same time, using this hack against our businesses, that seems like a problem.

But that is a challenge the intelligence community and law enforcement face every day.

Do we tell?  Do we keep it secret?  Do we even know what is happening?  Do we want to watch the bad guys because we do know what is happening?  Do we not want to let the bad guys know we are watching them?  Life is not simple.  It would be nice if it were a little more simple, but it is not.

What does seem clear is that we can’t COUNT on the government to spill the beans, even if American businesses are being compromised by hackers.   Just warning you.

Information for this post came from Motherboard.