Hilton Hotels Admits Hackers Planted Malware
[dropcap style=”font-size: 60px; color: #000000;”]L[/dropcap]ast night, Hilton Worldwide issued a statement confirming that malware had found its way onto point-of-sale systems and stole payment card information. That stolen information includes cardholder names, payment card numbers, security codes and expiry dates. However, addresses and PINs have not been exposed.
Hilton isn’t currently sharing any information about how many or which hotel locations may have been affected by the breach, but is telling customers to review their payment card statements – particularly if they used their cards at a Hilton Worldwide hotel between November 18 – December 5 2014 or April 21 – July 27 2015.
When we set out on vacation, we like to think we’re getting away from it all and our only worry should be making flight connections. But hackers don’t take vacations, and they are just as excited about your vacation as you are. Why? Because while you’re enjoying yourself, they will be too when they skim your credit cards while you’re there.
Last night, Hilton Hotels disclosed that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale systems at some of its hotels. This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.
While we can’t know for sure what hackers long term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximize their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we’ve seen, over 100% increase since February 2015.
If the information is out there, it’s only a matter of time before it’s tested and used. Instead of waiting for that shoe to drop, or bemoan how frequent these thefts are, as if it’s simply the unavoidable cost of doing business in the digital age, it’s time to up our collective game. Behavioral analytics, using passive behavior detection that doesn’t rely on personally identifying information, protects customers transactions and companies from fraud with the same surety of knowing you locked the front door before you left on holiday.
Once again with last night’s news of a payment card data breach at Hilton Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS).
Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.
However it’s important to note, especially going into the busy holiday season, that hospitality organizations, as well as retailers and any businesses using POS systems, can avoid the impact of these types of advanced attacks.
Proven methods are available to neutralize this data from breaches either at the card reader, at the POS, in person, or via web booking platforms. Leading travel related organizations, airlines, and travel booking aggregators have adopted these data centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.
Point of sale (POS) systems, what consumers often call the checkout system, are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
Risks of theft from point of sale (POS) malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of mag stripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.