Credit card breech: Trump Hotels hit for the third time in two years

[thewayne]

Anyone who doesn't expect Trump facilities to NOT get hit more in coming years raise your hand. Bueller? Anyone? It's been documented that Trump's facilities have lousy IT practices and terrible WiFi security, but hotels are particularly problematic. American hotels seem to be stuck with using card swiping technology rather than ECV chip readers, which greatly increase security through strong encryption. Until they upgrade, we'll be seeing hotel breeches regularly.

https://krebsonsecurity.com/2017/07/trump-hotels-hit-by-3rd-card-breach-in-2-years/

Comments

[elf]

I'm not sure if chip-readers would fix hotel card security issues - you have to enter a credit card number online when you reserve a room, and there's no chip reader possible for that. I think they're willing to "bill the card on file" instead of swiping or chip-reading at checkout time.

...Or is that an entirely different security issue?

[thewayne]

Broadly speaking, there are three ways that cards get compromised. 1. Malware infiltration of the point of sale system or deeper into the target's IT network, such as the Target hack a few years ago. B. Hardware hack/insert or an overlay of a card swipe system, the former common on gas pumps.III. Poor security practices/violation of card processing standards and the merchant stores card information with poor/no encryption: merchant gets hacked, database gets stolen, and all of the card information gets sold. 1 and III are both poor IT security practices: in Target's case, an HVAC contractor who had access to their billing system had their account compromised which gave the crooks access to Target's network, and Target did not segment their network to subdivide it and make it harder to compromise the whole thing.  Once they gained admin access to one part, the whole thing was owned by the crooks.

Regardless of the methodology, once the card gets stolen, the numbers are sold to "carders" who either code the information on to empty cards and used to loot accounts through ATMs, or the numbers are used to buy valuable merchandise online then returned to physical stores.  Money mules are used to receive the merchandise, return it to the store, then ship the money overseas less their commission. You bring up a good point.  I use a hotel 1-3 times a year, tops.  Seems to me that last time (December last year) that they did swipe the card when I checked in.  I did use online reservation which required the three digit CVV numbers on the back of the card, which is an additional level of verification.  But I think the card was swiped when I checked in.  THAT level is not difficult to compromise with malware.  I'm not sure exactly how Trump Hotels do things: I've never stayed at one and would never set foot in one. What's interesting is there have been hotels compromised where either the front desk side or the restaurant side has been hacked, but not the other, because one side uses the chip reader and the other did not. Some of the new card readers are programmed that if your card has a chip, you CANNOT use the swipe!  But not all of the ones with chip readers have the chip reader enabled!  The point of sale vendors had a terrific scam going on: they got merchants to buy the new terminals because Mastercard/Visa was requiring it, but they didn't tell them that activating the chip reader was an additional upgrade!  Ding 'em twice for installing one unit!

Gas stations are the big hold up in upgrading the USA to chip-only technology.  The cost and labor to do the upgrade will be tremendous, so MC/Visa is backing off on the deadlines to require the conversion.