Unwelcome guests: hotel point of sale hacks spiraling

Starwood Worldwide, Mandarin Oriental, Hilton and Trump hotels all experience card processing system calamities.

PoS malware becoming a pitfall for many hotels
PoS malware becoming a pitfall for many hotels

Starwood Hotels & Resorts Worldwide has this month disclosed that malware designed to help cyber-thieves steal credit and debit card data was found on Point-Of-Sale (POS) systems at some of its hotels. POS systems – what consumers often call the checkout system – are often the weak link in the IT chain and the natural low-hanging fruit of choice for malware.

POS systems should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Recently acquired by Marriott International, Starwood's debacle is the latest in a recent string of hotel chains to acknowledge credit card breach investigations. Earlier this year the BBC reported news of Mandarin Oriental properties in Europe and the US confirming credit card data has been stolen in a hack attack on the company's network.

Starwood hotel group has issued a list of affected hotels spanning the length and breadth of the United States with exact locations and dates covering the period of the known hack. Over fifty Starwood hotels from Honolulu, Hawaii to Orlando, Florida were impacted.

Hilton Hotels group is also reported to have experienced hacks through its POS systems in recent times. A Hilton spokesperson told TechTimes, "We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace.”

Trump Hotels is also reported to have been hacked in its POS systems in a similar manner.

The deeper hacking in these instances comes on the back of worries many individuals face when using credit card-style hotel room keys. Hotels around the world claim that guests' details are wiped and that credit card keys are safe for reuse.

According to Snopes.com, rumours had been circulating that when you turn your key card in to the front desk, your personal information is there for any employee to access by simply scanning the card in the hotel scanner. The site's CardSharks blog refutes these claims that an employee can (potentially) take a “handful of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense”, but it does say that if you are still concerned, keep and destroy the card yourself - you'll rarely be charged for a lost keycard.

Commenting on the breach at Starwood Hotels, Ryan Wilk, director at NuData Security told SCMagazineUK.com that when we all set out on vacation, we like to think we're getting away from it all and our only worry should be making flight connections.

“While we can't know for sure what hackers long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we've seen, over 100% increase since February 2015,” said Wilk.

Mark Bower, global director of product management for enterprise data security at HPE Security, argues that card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in.

“Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information,” he said.

HPE Security's Bower says that it's important to note, especially going into the busy holiday season, that hospitality organisations as well as retailers and any businesses using POS systems can avoid the impact of these types of advanced attacks.

Bower explains that ‘proven methods' are available to neutralise this data from breaches either at the card reader, at the POS, in person, or via web booking platforms.

“Risks of theft from point of sale (POS) malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it's GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data."

Will Culbert, manager of solutions engineering at Bomgar, says that keeping all POS terminals secure and up to date is essential; the challenge here is how this can be done effectively remotely. Managing, updating and troubleshooting these systems across tens or even hundreds of locations means that remote access is essential.

“The issue isn't the technology itself, it's more a case of poor management of the technology, if it is managed at all,” said Culbert. “Locking down remote access so that only a sanctioned tool can get access can help protect against attack. At the same time, disallowing other protocols from running should also help stop attacks. For example, if you standardise on RDP, then why would UDP access in or out be required?”

Culbert concludes that it is worth knowing who is allowed access to these kinds of devices. “Employ the rule of least privilege to ensure users only have access to the systems and devices they need. This is particularly important if you allow third parties access to the POS devices for support purposes. Many retailers outsource their IT support, so keeping track of this is vital to ensure security,” he said.