Hilton hotels in credit-card-stealing malware infection scare

Someone has hacked the Hilton's sales registers, and made off with guests' credit-card details, it's claimed. The hotel chain confirmed today it is investigating the alleged breach of its computer security. Investigative journo Brian Krebs says malware in point-of-sale (POS) terminals is believed to have nicked the card …

  1. a_yank_lurker Silver badge

    Common theme

    Is there a common theme throughout these POS hacks? Somehow there seems to be an awful lot of sloppy security practices by companies that should have enough cash to afford excellent security. We are not talking about a local mom & pop store run by two computer illiterates who picked an incompetent to set up their system.

    1. Anonymous Coward

      Re: Common theme

      Is there a common theme throughout these POS hacks?

      Yes, the whole process of credit card payments is unsafe, and has been since the days of telephone sales. Everything else is just plastering over broken fundamentals, but you're not allowed to say that if you're in the card industry (hence the anon).

    2. Anonymous Coward

      Re: Common theme

      Posting anon because my partner works as a manager for Hilton. The common theme is having plenty of money for security and spending it all on not-security instead.

      Security at Hilton appears to be piss-poor. Managers are meant to set passwords for their subordinates in order to minimise time spent at the service desk (which seems to be outsourced to various call centres with the usual script-drones). Whenever passwords are reset, it will break three or four other systems and lead times on getting those fixed are frequently measured in days, yet the user is still assumed to have full access to everything; when a member of staff is disciplined for not doing $something in $application and says "but my account is locked out and I'm waiting for it to be fixed!" then the official response from the higher-ups is always "well why didn't you ask $so_and_so for their username and password?". Don't know how well the POS systems are insulated from their Windows crapola but most of the senior levels of staff have access to some elevated credentials for performing some simple maintenance tasks (since it's frequently a 24hr turnaround on getting the POS systems fixed "properly"). There's no culture of security whatsoever and a frequently toxic working environment with exceedingly high staff churn of poor underpaid sods on zero-hours contracts.

      IT and security at Hilton, at least at the level I've been exposed to by proxy, are so shit that it's a miracle this hasn't happened before. In fact it probably has and no-one's noticed.

      1. Anonymous Coward

        Re: Common theme

        IT and security at Hilton, at least at the level I've been exposed to by proxy, are so shit that it's a miracle this hasn't happened before. In fact it probably has and no-one's noticed.

        As a former security auditor having to stay in hotels a lot, let me assure you that the Hilton is in that regard really not an exception. Somehow, upper levels seem to have convinced themselves that managing to get people to work for the pittance they get includes not giving them the resources and training they need to actually do their job.

    3. Tom 13

      Re: Common theme

      Yes and no. Part of the difficulty is that most chains like this are franchise operations so you wind up with a hybrid of conhugecom-mom&pop. So some of the corp IT types probably get the security. Whether they can effectively communicate that to the bean counters is a different question, but there are better odds they can win over the bean counters than getting mom and pop who own the local franchise to properly understand what has to be done.

  2. thomas k

    Guess someone didn't get the memo ...

    that Hilton sent out maybe a year ago, to always check the backs of your computers to make sure no little dongles had been inserted between the USB cable from the c/c reader and the PC.

    Though, if this was from the restaurants and/or gift shops, that might be a different situation, for reasons I won't go into.

    1. Anonymous Coward

      Re: Guess someone didn't get the memo ...

      Guess someone didn't get the memo ...

      that Hilton sent out maybe a year ago, to always check the backs of your computers to make sure no little dongles had been inserted between the USB cable from the c/c reader and the PC.

      Most of the machines are built in so that only screen and keyboard are visible, and most staff would not be able to tell a dongle from a ferrite coil in the cable. It's a nice theory...

      1. thomas k

        Re: Guess someone didn't get the memo ...

        Unfortunately, not always built-in, hence the memo; someone could lean across the counter and fiddle with the backs of a couple at our property. Ditto the pictures on the memo showing what a dongle looks like, for the less computer literate. Of course, in keeping with the large corporate mind-set of being suspicious of employees, the concern was probably as much with insiders doing mischief as with outsiders.

  3. Tree

    USA Today

    I wonder if the USA Today newspaper at their hotels will report this. Does this affect those who reserved a room? One must enter an account number to do so?

    1. jonathanb Silver badge

      Re: USA Today

      I'm not familiar with the systems at Hilton US, and my knowledge of Hilton UK systems is quite a few years out of date; but in the UK, the central reservation system is, or was, separate to the front of house system.

      However, you book a room using the central reservation system. Most of the time, you don't actually pay for it at that point, they just do an authorisation-only transaction for the amount so that they can collect if you don't turn up. When you arrive at the hotel, they will do another authorisation-only transaction to cover any extras you might take while you are there, using the front of house system, and you pay the bill when you check out.

      An airline that does a block-booking for staff or delayed passengers and doesn't allow any extras to be charged to their account would probably not be affected. Pretty much everyone else would be.
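The reservation, check-in and check-out flow jonathanb lays out above can be written down as a small model, which makes it easy to see which guests a compromise of one system or the other would touch. The Python below is an added example, not code from the thread or from Hilton: it records a fingerprint of every card each system handles, walks a few guests through the two holds and the final capture, and lists who is exposed if the front-of-house POS is the one carrying malware. The guest names, card numbers (constructed test values), the 100-unit incidentals hold and the assumption that a no-extras block booking settles through the central system are all constructed for illustration.

```python
"""Toy model of the two-system card flow described in the comment above.
Added example: systems, guests, card numbers and amounts are constructed."""
import hashlib
from dataclasses import dataclass, field


def card_fingerprint(pan: str) -> str:
    """Keep a hash rather than the card number; enough to match a card later."""
    return hashlib.sha256(pan.encode()).hexdigest()


@dataclass
class Booking:
    guest: str
    pan: str                     # constructed test number, not a real card
    room_rate: int               # whole currency units
    extras_allowed: bool = True  # False for block bookings with no incidentals


@dataclass
class PaymentSystem:
    """One card-handling system: central reservations or front of house."""
    name: str
    seen: set = field(default_factory=set)      # fingerprints of cards handled
    ledger: list = field(default_factory=list)  # (kind, amount, note) entries

    def authorise(self, pan: str, amount: int, note: str) -> None:
        # Authorisation-only: a hold on funds, nothing collected yet.
        self.seen.add(card_fingerprint(pan))
        self.ledger.append(("auth", amount, note))

    def capture(self, pan: str, amount: int, note: str) -> None:
        # Capture: the actual charge, taken when the bill is settled.
        self.seen.add(card_fingerprint(pan))
        self.ledger.append(("capture", amount, note))


INCIDENTALS_HOLD = 100  # assumed size of the check-in hold for extras


def run_stay(booking: Booking, crs: PaymentSystem, foh: PaymentSystem,
             extras_spent: int = 0) -> int:
    """Walk one guest through reservation, check-in and check-out.
    Returns the amount finally captured."""
    # 1. Reservation: the central system holds the room rate.
    crs.authorise(booking.pan, booking.room_rate, f"{booking.guest} reservation")
    if booking.extras_allowed:
        # 2. Check-in: front of house takes its own hold to cover extras...
        foh.authorise(booking.pan, INCIDENTALS_HOLD, f"{booking.guest} check-in")
        # 3. ...and settles the whole bill at check-out.
        total = booking.room_rate + extras_spent
        foh.capture(booking.pan, total, f"{booking.guest} check-out")
        return total
    # Block booking with no extras: assumed to settle centrally, so the
    # front-of-house system never handles the card at all.
    crs.capture(booking.pan, booking.room_rate, f"{booking.guest} settlement")
    return booking.room_rate


def exposed_guests(bookings, compromised: PaymentSystem) -> list:
    """Guests whose card the compromised system handled at any step."""
    return [b.guest for b in bookings
            if card_fingerprint(b.pan) in compromised.seen]


def demo():
    crs = PaymentSystem("central reservations")
    foh = PaymentSystem("front of house POS")
    bookings = [
        Booking("alice", "4111111111111111", 120),                      # ordinary guest
        Booking("bob", "5555555555554444", 90),                         # ordinary guest
        Booking("crew", "4000000000000002", 80, extras_allowed=False),  # airline block booking
    ]
    spent = {"alice": 35, "bob": 0, "crew": 0}
    captured = {b.guest: run_stay(b, crs, foh, spent[b.guest]) for b in bookings}
    return captured, exposed_guests(bookings, foh), exposed_guests(bookings, crs)


if __name__ == "__main__":
    captured, on_foh, on_crs = demo()
    print("captured:", captured)
    print("exposed by a front-of-house compromise:", on_foh)
    print("exposed by a central-system compromise:", on_crs)
```

Running it shows the asymmetry in the comment: every guest's card passes through the central reservation system, but only guests who can charge extras ever present a card to the front-of-house POS, so the block-booked crew drop out of the exposed list when that system is the one infected.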

  4. Baudwalk

    Damn...

    ...that bed is a mess.

  5. phil dude
    Joke

    comedy gold: choose your ending...

    In 2014, Target, Home Depot, and UPS all caught infections in their tills....

    Punchline A: "Oo err, never heard it called *that* before"

    Punchline B: "Boy band convention caught in hotel sex scandal"

    Punchline C: "Corporations treat computer security as an SEP"

    P.

  6. x 7 Silver badge

    Paris needed more cash in a hurry?

  7. John Brown (no body) Silver badge
    Paris Hilton

    Oh, come oooonnnnnn!!!!

    Not a single relevant icon yet?

    Paris, because it's relevant for once ------------------------>
