Hilton. Starwood. Marriott. Mandarin Oriental. Hard Rock. Trump. The list of hotels that have acknowledged breaches of their credit card systems goes on and on. This has real meaning for you, particularly so in the holiday season when hundreds of millions of us are traveling and staying in hotels.
Your favorite hotel is not on this list of breached hotels? Don’t breathe easily. Multiple experts insisted that many hotels may be breached—malware already has been loaded onto their systems—and they just do not know it. Few do much, if any, searching for malware on their systems.
Hotel breach reports—in just about all cases—originate not with the victim hotel company but with banks that find a pattern.
Don’t think it’s just US hotels either. Mandarin Oriental, for example, has reported breaches in hotels in Hong Kong, London and Geneva.
Several Canadian hotels are on the Starwood list of breached properties.
Matters have just kept getting worse since hotel breaches were last reported on in these pages six months ago. More big hotel operators have now been breached and more, almost certainly, will be breached. “There’s a reason for this,” said Robert Siciliano, identity theft expert with BestIDTheftCompanys.com. “Credit card breaches are cyclical. As one industry tightens their security, another falls victim to the latest unknown vulnerability. And so on.”
Hotels now are in the hackers’ crosshairs and that will continue until hotels toughen their security.
Hotels—their guests—also make for an ideal target. They almost definitionally are affluent, their credit cards are good (the hotel already checked), and they travel, so charges from here and there around the globe may not raise suspicions at credit card processors.
That last bit is important. Sources said more processors are declining more charges at a remove from the cardholder’s usual geography. If you live and work in zip code 85004 in Phoenix, a processor may decline a charge at an electronics store in 02139, Cambridge, Mass., just because what does a person in Phoenix need with a 60” flat screen TV in Massachusetts?
Good question. Except when the cardholder is a known traveler, which is what hotel guests are. Those faraway charges may fly through, thus the attractiveness of their card info.
Also know this: most reported breaches so far do not appear to involve central reservations systems and the front desk. Much more commonly breached are bars, restaurants and gift shops in hotels.
How? The usual way malware is put on the systems is through a hack by a remote hacker. There also are instances, said sources, where criminals working in pairs enter a hotel gift shop, one distracts the employee (usually there is just one), the other slaps a contaminated memory stick into a POS port and that system is contaminated faster than it took to read these words.
Mark Brower, Global Director of Product Management, Enterprise Data Security for HPE Security – Data Security, made this observation: “Hospitality service providers face extraordinary challenges with customer data security at point of sale.
“Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.”
Are there fixes for hotels? You bet. They could encrypt all data involving guest credit cards. They could regularly scan systems for malware. Hotels could also introduce EMV (so-called chip) terminals that, so far, seem to baffle crooks, but EMV terminals cost money. I haven’t seen any at hotel gift shops—have you?
Hotels also could plunge into Apple Pay, Android Pay and similar tokenized payment techniques, but so far there has been slender activity in that direction.
What safeguards do we suggest for travelers? First, do not use debit cards in hotels, anywhere, suggested Jason Steele, a credit card expert at CompareCards.com. That is because—at least in the United States—a debit cardholder’s protections are dramatically weaker than a credit cardholder’s when it comes to challenging fraud.
Second, it is retro, but really think about paying with cash in a hotel gift shop or bar. Maybe sign purchases to your room in a restaurant. Putting down plastic in either venue right now seems too high risk. Be prudent. Keep plastic in your pocket and your risks evaporate in hotels.