Malware caught checking out credit cards in 54 luxury hotels Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware. The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash …
Good question. Another question is why is taking them so long to figure out they've been pwned along with the method? My opinion is that they just don't give a crap. Which, since they don't care, I won't stay with them.
I'm that way with the retailers that have been pwned also... Target, Michael's.... etc. They've lost my business.
The problem is the distributed nature of such devices. Physical and electronic security have been single layer since forever in the credit card world, and all the PCI policy waffle in the world cannot camouflage that a man with a screwdriver can compromise a reader or even a whole POS.
Why is that not fixed? Simple economics: (1) the cost of fixing this is astronomical with such a large number of devices, (2) the parties in this game who have the power to address it are the one part of the system which doesn't really suffer from fraud, so the economical decision is to do nothing and leave you with the pain.
Why is that purely an economical decision? Well, it's bank owned. Enough said.
"The problem is the distributed nature of such devices. Physical and electronic security have been single layer since forever in the credit card world, and all the PCI policy waffle in the world cannot camouflage that a man with a screwdriver can compromise a reader or even a whole POS."
If the next generation of devices is no longer static, but auto-updating, then the older ones can be phased out.
The idea that a device needs an engineer to fix it needs to be expanded to the device must keep its OS safe. With increasing connectivity, opportunities and standard-kits to hack it will keep getting easier to pwn smartmeters, POS-devices etc.
anyway: we'll see.
Monitoring needs to be addressed as well. Make someone responsible and periodically audit.
If the next generation of devices is no longer static, but auto-updating, then the older ones can be phased out.
Ah, but auto-updating something that is guaranteed to ALWAYS carry data worth stealing? I give the update source a week, max, before it's either breached from the outside (because, frankly, most protection on fin networks is politely described as "shoddy, aka "just enough for banks to avoid blame") or from the inside because they sack more and more workers to keep the bonus for the morons at the top intact.
The problems are structural. There are solutions, but they cost money (due to the global scale) and as long as the entities that must do this are not actually the ones feeling the pain when things go wrong I don't see this happen - nobody out there is big enough to force them..
IT stops spending money, workers are looking for their next job.
Oh wait, IT is out-sourced to Accenture and IBM Global Services.
Bet they are embarrassed.
Oh, never mind, they don't care anymore because Marriott is going to cancel their outsourcing contracts.
Couldn't happen to a nicer couple of ethical, honest service providers.
I just love Karma.
"What, they don't want to take cash? Their problem. There's the bill and there's cash being tendered to pay it. You've done your part."
Never had to deal with hire car companies had you?
My brother-in-law tried to hire a car (and we were leaving right away) but there was a screwup with a repayment so he had hit his credit card limit. Hands over cash, nope it has to be credit card. So, I take my plastic out and plopped it on the counter. Nope, card name has to be same as who's hiring.
No, just telling them to fuck off would be fruitless, as they're ALL like that, and more so, our ride had dropped us off and left us there. They don't hand out keys till you're done, and would most certainly call in the vehicle as stolen if you tried. Only other option was telling them to fuck off, aborting the long weekend trip and walking home, or well, finding a cab anyway.
So he spent 20 minutes with the bank via the phone transferring money, plus whatwever time it took for the "system" to update and recognise the update. We were about an hour late, meaning we also held up the others we were meeting with.
This happened some time back, so I didn't know any review sites existed back then, I would have been fucking scathing. Today, we know how the fuckers work - but it took that to find out how they worked.
The subject is POS in hotel chains. What has car hire got to do with the subject being discussed?
Furthermore you pay for car rental up front. Deal done, or no keys. Whereas you pay your hotel bill after services have been rendered, therefore the onus is on the hotel to take your payment or be out of pocket.
"By any chance, did the forum software """eat""" your <sarcasm> tag????"
Not only does it not have one, very few here get sarcasm, so you get marked down. Must be a few aspies here.
And before the aspies try to have a go at me, I have several aspie friends, and I have a few traits myself. However, if you're not sure, YOU'RE ALLOWED TO ASK. If you get it wrong and abuse me, you'll find out quickly enough. Ask my friends.
Wile Microsoft have several tonnes of cash abroad, they seem to issue debt and/or borrow from banks, it would be in banks own interest to secure Windows as a result of such a mandate. Much like insurance companies have been a force for change in other businesses. Either that or Microsoft onshores a pile of cash which should make governments happier.
My banks have proactively replaced my cards three times already this year, two at one, one from another, just from a sniff of shenanigans. Seems to be their rather smart response to online theft instead of leaving possibly compromised cards active.
Only gotcha is I don't know *who* was molested for my data - that's something I'd like to know since I don't randomly buy random items from random sites, my purchases are from biggish companies* with reputations to protect.
*Edited to say sites like Staples, Amazon, NewEgg, Dell, Cisco, etc
Exactly why I pay for my Hotels with a prepaid Credit Card. There is always enough money on the card to pay the bill but not much else. I do this because last year my card was cloned in Malaysia. 5 hours later the scumbags started spending on it in Brazil.
Thankfully it was easy to prove that I wasn't in S. America but it is a PITA to sort out.
Normally what happens is that the bank gets loads of complaints about fraudulent transactions. They notice that all the people complaining have used their card at one particular place - Heathrow Express was one example from a few years back. Once they figure that out, they will probably replace the cards of everyone who used that outlet within the suspected period of time regardless of whether there have been any suspicious transactions on that account.
"They notice that all the people complaining have used their card at one particular place - Heathrow Express was one example from a few years back."
What they need to do is go a step further & require compensation from the merchant. It would give them an incentive to tighten up. As things are, if it doesn't cost them anything to do nothing then nothing is what they'll do.
Paying by card at a payment terminal is now officially less safe than internet banking.
All you need to harvest is info that can be sen by all staff or which is easy to harvest via spyware anyway.
So why haven't the card issuers moved to a 10 digit auth code (at least for all large transactions) where each terminal asks for the nth, n + xth, n + xth numbers in the sequence where x is random?
Presumably because it might slow us down in our breathless rush to spend without hesitation. Much worse than fraud then.
Oh and btw, in the States the STILL haven't moved to Chip & PIN, instead of a PIN entry they use mag strip and have expensive touchpads that you put your signature into!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
