back to article Malware caught checking out credit cards in 54 luxury hotels

Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware. The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash …

  1. Anonymous Coward
    Anonymous Coward

    Are rolling updates to devices the best solution?

    All these static devices are not really up to connectivity without getting compromised.

    Monitoring should be addressed as well, though pwned devices can easily send false information.

    1. Mark 85 Silver badge

      Re: Are rolling updates to devices the best solution?

      Good question. Another question is why is taking them so long to figure out they've been pwned along with the method? My opinion is that they just don't give a crap. Which, since they don't care, I won't stay with them.

      I'm that way with the retailers that have been pwned also... Target, Michael's.... etc. They've lost my business.

    2. Anonymous Coward
      Anonymous Coward

      Re: Are rolling updates to devices the best solution?

      The problem is the distributed nature of such devices. Physical and electronic security have been single layer since forever in the credit card world, and all the PCI policy waffle in the world cannot camouflage that a man with a screwdriver can compromise a reader or even a whole POS.

      Why is that not fixed? Simple economics: (1) the cost of fixing this is astronomical with such a large number of devices, (2) the parties in this game who have the power to address it are the one part of the system which doesn't really suffer from fraud, so the economical decision is to do nothing and leave you with the pain.

      Why is that purely an economical decision? Well, it's bank owned. Enough said.

      1. Anonymous Coward
        Anonymous Coward

        Re: Are rolling updates to devices the best solution?

        "The problem is the distributed nature of such devices. Physical and electronic security have been single layer since forever in the credit card world, and all the PCI policy waffle in the world cannot camouflage that a man with a screwdriver can compromise a reader or even a whole POS."

        If the next generation of devices is no longer static, but auto-updating, then the older ones can be phased out.

        The idea that a device needs an engineer to fix it needs to be expanded to the device must keep its OS safe. With increasing connectivity, opportunities and standard-kits to hack it will keep getting easier to pwn smartmeters, POS-devices etc.

        anyway: we'll see.

        Monitoring needs to be addressed as well. Make someone responsible and periodically audit.

        1. Anonymous Coward
          Anonymous Coward

          Re: Are rolling updates to devices the best solution?

          If the next generation of devices is no longer static, but auto-updating, then the older ones can be phased out.

          Ah, but auto-updating something that is guaranteed to ALWAYS carry data worth stealing? I give the update source a week, max, before it's either breached from the outside (because, frankly, most protection on fin networks is politely described as "shoddy, aka "just enough for banks to avoid blame") or from the inside because they sack more and more workers to keep the bonus for the morons at the top intact.

          The problems are structural. There are solutions, but they cost money (due to the global scale) and as long as the entities that must do this are not actually the ones feeling the pain when things go wrong I don't see this happen - nobody out there is big enough to force them..

  2. Anonymous Coward
    Anonymous Coward

    Look What Happens When Your Company is on the Auction Block

    IT stops spending money, workers are looking for their next job.

    Oh wait, IT is out-sourced to Accenture and IBM Global Services.

    Bet they are embarrassed.

    Oh, never mind, they don't care anymore because Marriott is going to cancel their outsourcing contracts.

    Couldn't happen to a nicer couple of ethical, honest service providers.

    I just love Karma.

  3. Doctor Syntax Silver badge

    Cash

    Just pay by cash. But don't get cash from the in-house ATM.

    What, they don't want to take cash? Their problem. There's the bill and there's cash being tendered to pay it. You've done your part.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cash

      try paying by cash when your hotel bill is in excess of $1000

      1. Doctor Syntax Silver badge

        Re: Cash

        Their problem. Cash is on the counter, demand a receipt or failing that a written statement that they won't take your cash. If in doubt record the incident.

    2. John Tserkezis

      Re: Cash

      "What, they don't want to take cash? Their problem. There's the bill and there's cash being tendered to pay it. You've done your part."

      Never had to deal with hire car companies had you?

      My brother-in-law tried to hire a car (and we were leaving right away) but there was a screwup with a repayment so he had hit his credit card limit. Hands over cash, nope it has to be credit card. So, I take my plastic out and plopped it on the counter. Nope, card name has to be same as who's hiring.

      No, just telling them to fuck off would be fruitless, as they're ALL like that, and more so, our ride had dropped us off and left us there. They don't hand out keys till you're done, and would most certainly call in the vehicle as stolen if you tried. Only other option was telling them to fuck off, aborting the long weekend trip and walking home, or well, finding a cab anyway.

      So he spent 20 minutes with the bank via the phone transferring money, plus whatwever time it took for the "system" to update and recognise the update. We were about an hour late, meaning we also held up the others we were meeting with.

      This happened some time back, so I didn't know any review sites existed back then, I would have been fucking scathing. Today, we know how the fuckers work - but it took that to find out how they worked.

      1. Two Lips
        WTF?

        Re: Cash - Never had to deal with hire car companies had you?

        The subject is POS in hotel chains. What has car hire got to do with the subject being discussed?

        Furthermore you pay for car rental up front. Deal done, or no keys. Whereas you pay your hotel bill after services have been rendered, therefore the onus is on the hotel to take your payment or be out of pocket.

  4. Anonymous Coward
    Linux

    Banking harvesting malware

    The solution is simple, ban the use of Linux and move to the industry standard Microsoft Windows.

    1. Fatman Silver badge
      Joke

      Re: Banking harvesting malware

      <quote>The solution is simple, ban the use of Linux and move to the industry standard Microsoft Windows.</quote>

      By any chance, did the forum software """eat""" your <sarcasm> tag????

      1. John Tserkezis

        Re: Banking harvesting malware

        "By any chance, did the forum software """eat""" your <sarcasm> tag????"

        Not only does it not have one, very few here get sarcasm, so you get marked down. Must be a few aspies here.

        And before the aspies try to have a go at me, I have several aspie friends, and I have a few traits myself. However, if you're not sure, YOU'RE ALLOWED TO ASK. If you get it wrong and abuse me, you'll find out quickly enough. Ask my friends.

    2. Jack of Shadows Silver badge
      Thumb Up

      Re: Banking harvesting malware

      Wile Microsoft have several tonnes of cash abroad, they seem to issue debt and/or borrow from banks, it would be in banks own interest to secure Windows as a result of such a mandate. Much like insurance companies have been a force for change in other businesses. Either that or Microsoft onshores a pile of cash which should make governments happier.

    3. Stoneshop Silver badge
      Coat

      Re: Banking harvesting malware

      industry standard Microsoft Windows.

      Industry Standard: that would mean the widely used and broadly supported Itanicium too, instead of x86 or ARM. Lets those payment terminals double as handwarmers.

  5. 404 Silver badge

    Replacement card policy

    My banks have proactively replaced my cards three times already this year, two at one, one from another, just from a sniff of shenanigans. Seems to be their rather smart response to online theft instead of leaving possibly compromised cards active.

    Only gotcha is I don't know *who* was molested for my data - that's something I'd like to know since I don't randomly buy random items from random sites, my purchases are from biggish companies* with reputations to protect.

    *Edited to say sites like Staples, Amazon, NewEgg, Dell, Cisco, etc

    1. Anonymous Coward
      Anonymous Coward

      Re: Replacement card policy

      Exactly why I pay for my Hotels with a prepaid Credit Card. There is always enough money on the card to pay the bill but not much else. I do this because last year my card was cloned in Malaysia. 5 hours later the scumbags started spending on it in Brazil.

      Thankfully it was easy to prove that I wasn't in S. America but it is a PITA to sort out.

    2. jonathanb Silver badge

      Re: Replacement card policy

      Normally what happens is that the bank gets loads of complaints about fraudulent transactions. They notice that all the people complaining have used their card at one particular place - Heathrow Express was one example from a few years back. Once they figure that out, they will probably replace the cards of everyone who used that outlet within the suspected period of time regardless of whether there have been any suspicious transactions on that account.

      1. Doctor Syntax Silver badge

        Re: Replacement card policy

        "They notice that all the people complaining have used their card at one particular place - Heathrow Express was one example from a few years back."

        What they need to do is go a step further & require compensation from the merchant. It would give them an incentive to tighten up. As things are, if it doesn't cost them anything to do nothing then nothing is what they'll do.

  6. Nifty

    The 3 digit payment auth code is the big joke here

    Paying by card at a payment terminal is now officially less safe than internet banking.

    All you need to harvest is info that can be sen by all staff or which is easy to harvest via spyware anyway.

    So why haven't the card issuers moved to a 10 digit auth code (at least for all large transactions) where each terminal asks for the nth, n + xth, n + xth numbers in the sequence where x is random?

    Presumably because it might slow us down in our breathless rush to spend without hesitation. Much worse than fraud then.

    Oh and btw, in the States the STILL haven't moved to Chip & PIN, instead of a PIN entry they use mag strip and have expensive touchpads that you put your signature into!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019