back to article Malware-flingers check out credit card data from Rosen Hotels

US chain Rosen Hotels & Resorts has become the latest to confirm a malware-based breach of its payment processing systems. The breach covered an extended period between September 2, 2014 to February 18, 2016 - or almost 18 months. The unauthorised access was tied to certain locations, primarily at its restaurants. While Rosen …

When you say "almost 18 months"

Do you mean 17 months by any chance?

1
1
Anonymous Coward

I hope these people get free credit file monitoring.

What is going to happen when nearly everyone on the planet already have credit monitoring?

0
0
Anonymous Coward

Why are POS even getting this info? Assuming by POS they mean the actual till, then there is no reason for it to even receive the full card details. It's simple, the till sends the total value to the card terminal, which sends back an authorisation code and maybe the last 4 digits of the card, to print on the receipt.

If the card readers have been infected, then that raises more concerns over how something like that can be accessed. It should only be able to be updated by physical connection, preferably using proprietary connectors tucked away inside the casing. Add to that a pin code to be entered with an engineers card inserted, to put it into maintenance mode, otherwise it is bricked. Out of maintenance mode, phone home to confirm the update.

0
1
Anonymous Coward

You are making the common mistake of assuming cards in the US are chip enabled. The majority are still not and even those of us who have chip-enabled cards never use them in that setting because the terminals have not yet been upgraded. I have yet to use any of my chip-enabled cards in that mode in the USA.

I stay at hotels throughout the US for work (multiple times monthly) and the POS terminals still all use the mag stripe. I also get my primary business card cloned 3 or 4 times a year (presumably because of that).

Other observation is that marriott, hilton, and sheraton have all been breached. As soon as Holiday Inn get pwned (may have happened already), that will be all of the business hotel chains in the country.

2
0

In addition, in the US if the vendor needs to challenge the challenge from a user, you need full details on the purchase. Yes you are legally obligated to destroy the data after 90 days (maybe down to 30 if they've sped up the dispute resolution process, but it was 90 when I worked on it), but until then you need the full card data.

0
1
Silver badge
Linux

Malware infections of Point of Sale terminals

Does anyone remember when ATMs and POS terminals couldn't be reprogrammed without the presence of a dongle and two technicians entering two unique serial numbers.

0
0
Anonymous Coward

Expense account Rule # 1

Never order the most expensive bottle of wine, always go for the one just below it.

Oh, and if scammed: let Accounts sort it out.

0
0
Anonymous Coward

It's about time that all commercial entities wake up to reality

We are living in the digital age and failure to properly secure any commercial or governmental computer systems is simply unacceptable and grounds for prosecution of those who are negligent in providing the proper digital security for their operations.

0
1

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018