
Three More Hotel Chain Credit Card Breaches

This is getting a bit crazy.  I am thinking about paying cash next time I stay at a hotel.

UPDATE:  The Hutton breach is tied to another breach from last week, HEI Hotels.  The Hutton is managed by HEI.  HEI also manages hotels for Intercontinental, which owns Kimpton.

Also, Noble, which owns Ocean Key, below, is now saying that 10 of its properties were breached, not just the Ocean Key, from Florida to Seattle.

First comes Ocean Key Resort and Spa.  Once again, the hotel did not know that it had been breached until the Secret Service came knocking on the CEO’s door and ruined his day.

The breach seems to have been discovered pretty quickly – which, since Ocean Key didn’t know about it at all, means that the hackers were actively using the cards they stole.  The time window for the breach was April 26, 2016 to June 8, 2016 – about 6 weeks, but remember that the short window was likely due to the fact that the hackers were actively using the stolen cards, which made it easier to figure out the common denominator.

In this breach they are saying that both restaurant and hotel credit card users are at risk – likely because of a common credit card system or a lack of isolation between the two systems.

The second hotel chain announcing that they have joined the club of hotels that have been breached is the Kimpton chain.  For them, about 50 properties were affected including properties from coast to coast.

Kimpton heard about the breach on July 15th – they did not say how – and started investigating.  The breach ran from February 16 to July 7, 2016, so this one ran longer than the first – about 5 months vs. 6 weeks, but neither of them takes the prize; that is reserved for the last hotel in the trio.

Again, the breach affected both front desk and restaurant computers.  I am not sure why we are starting to see the front desk affected more of the time than we were seeing before.

In both of these cases the hotels do not have the cardholder’s name for many of the affected cards, so they will not be notifying you.

This means that you are responsible for checking your payment card charges.  Depending on the type of card, you typically have up to 60 days to notify the bank of fraudulent charges by law.  If you notify them after that, it is up to the bank if they want to credit you or not.

The last entry into the club of breached hotels is, in my opinion, the winner.  It is the Hutton Hotel in Nashville.  Their breach also affected both the front desk and the restaurants, but the length of the breach is the breathtaking part.  The food and beverage breach ran from September 19, 2012 to April 16, 2015, or about 30 months.  The front desk breach ran from September 2012 to January 2015 and was then reinfected between August 2015 and June 2016, or almost 40 months in total.

The Hutton breach was a little different in that the hackers were apparently able to capture the cardholder’s name as well as the card info; that may allow Hutton to notify cardholders.

Hutton also said that everyone who used a card to reserve a room or pay their room bill may be affected.

The common theme here is that point of sale systems appear to be way too soft a target for hackers to ignore.

This also means that if you run a POS system, cyber breach insurance is probably a smart purchase, but make sure that the insurance covers events that started before you bought the policy.  Given that the Hutton breach was active for almost 4 years, if they had bought insurance three years ago and it didn’t cover existing breaches, they would not get reimbursed.

It also means that you should be asking a lot of questions regarding how your vendor is protecting you and what liability they have if the system is breached.  If the answer is that they are not liable, I would start looking for another vendor.

Information for the Ocean Key breach came from Databreaches.net.

Information on the Kimpton Hotels breach came from Kimpton’s web site.

Information on the Hutton breach came from Softpedia.



Next Credit Card Attack Target – Service Providers To Stores

As companies like Target and Home Depot begin to clean up their credit card protecting acts, the cyber thieves are moving on to a different class of victim.

This week, Service Systems Associates acknowledged that they had been hacked and that, as a result, some of their clients’ systems were compromised.

How this works is this:

Let’s say a small business, in this case a zoo gift shop, wants a snazzy point of sale system to keep track of inventory, collect sales data and such.  They consider the cost to support such a system, which is not insignificant, and decide this is a great thing to outsource.

They go to a company like Service Systems Associates.  Among other services like running your zoo cafeteria, SSA will manage that POS system for you – like adding new items, updating the software and such.  For this, they charge a monthly fee.  Of course, SSA doesn’t want to have to send someone out to your zoo to do this work, so they access it remotely.

The problem is that no one at the zoo is a security expert – except maybe when it comes to keeping the tigers in their enclosures – so they didn’t ask “how, exactly, do you secure this remote connection?”  Likely, they use one of the many commercial or open source remote control software packages and protect it with a userid and password.  Many vendors use the same userid and password for all of their customers – that makes life easy for them and those connections are open 24/7.

While SSA is not handing out many details other than the period when their customers’ customers were vulnerable (March 23 to June 25), what likely happened is that one of their people got hacked, maybe by a phishing attack.  That person stored the password to SSA’s customer systems insecurely.  Alternatively, once that person got phished, the attacker installed a keystroke logger and captured the userid and password that way.

What does appear to be true is that SSA did not do what would be a reasonable practice – and which customers should insist on – which is to use two factor authentication.  That way, if the password got compromised, the attacker still could not log in to their customers’ systems.

While two factor authentication is not bullet proof, it certainly is significantly more bullet resistant than a userid and password.

From a hacker’s standpoint, going after vendors like SSA is way more lucrative than going after any one zoo and probably about as difficult.

Just one more reason why you need to include cyber due diligence as part of your vendor selection process.

Krebs lists the zoos that were likely affected in his article; they are all over the country, from San Francisco to Baltimore.


Information for this post came from Krebs On Security.

Donald Trump Hotels Newest Credit Card Hack Victim

BBC is reporting that several of the Trump hotels point of sale systems likely have been hacked.  Trump’s initial response to questions was to decline to comment.  Later, after the news of the breach was published, Eric Trump, Donald’s son, said that like “virtually every other company these days” they had been alerted to suspicious activity and are in the midst of a “thorough” investigation.  They also reminded the media that they “are committed to safeguarding all guests’ personal information”.

Before I fly off the handle, there really isn’t a lot that they can say as they investigate the breach.

However, saying that “like virtually every other company …” reminds me of the old Tom Peters (In Search Of Excellence and many other books) quote.  Peters, in lamenting how poorly most American businesses were run, said that most businesses’ fundamental operating principle was “we’re no worse than anyone else”.  That seems to be the principle that the Trump chain is using.

And, to be clear, while there are many, many credit card breaches every year, to say that virtually every other company has had their credit card data hacked is a bit of a stretch.  Even if it were true, to use that as a justification of why they were hacked is probably not going to sit well with the high end customers that his hotels court.

Brian Krebs wrote, in his coverage of the Trump breach, that maybe hackers are making one last effort to grab credit cards before the October 15 deadline for credit card liability.  I would like to dissect that statement because it is problematic.

(a) The October 15th date is when merchants start absorbing liability if they do not have credit card machines that accept chip based credit cards – that the rest of the world has been using for years.

(b) The new cards that your banks will issue will still have a mag stripe on them.  That means, at least to a degree, those cards are still vulnerable.

(c) We will have to see if merchants stop swiping (and therefore collecting) mag stripe data on cards after that date.  IF THEY DO STOP SWIPING THE MAG STRIPES then that data will no longer be collected and therefore no longer available to hackers.  We are going to have to wait and see what merchants do.

(d) There is no law or rule that will stop merchants from swiping your mag stripe after October 15th and, in fact, many merchants will not have new credit card readers by then, so they will continue to swipe your card.

(e) Banks are worried silly that if it is a little bit harder to use your credit card you might pay cash (and possibly get a discount!) and they will lose out on the fees.  As a result, they have decided both to leave the mag stripe on the new cards and not to require you to use a PIN with your chip card – as the rest of the world does – and instead to use the totally ridiculous option of having you sign your virtual receipt.  Since NO ONE checks your signature (again, for fear that you might bail on the transaction), this will reduce certain types of fraud but it will not reduce other types.

(f) The October 15th deadline does not apply to a variety of merchants such as gas stations, and, I expect, banks will not have all ATMs upgraded by then either.

(g) The chip card has no effect on Internet based sales and most people expect Internet fraud to go through the roof as hackers move their efforts to ecommerce web sites once it becomes harder to hack places like Trump’s hotels.

This migration to chip cards – and hopefully, eventually, to chip and PIN – will take years.  Many years.

Both BBC and Krebs are saying that this breach goes back to February.  If so, since this is July, it only took the banks 3 or 4 months to detect the breach, and Trump’s response seems to indicate that they were not aware of the problem at all until the banks told them about it.  Believe it or not, that is pretty quick.

While I am beating on the Trump chain pretty hard, as Tom Peters said, they really ARE no worse than anyone else.

My two cents.

Information for this post came from BBC and Brian Krebs.