Jul 15

Banks: Card Breach at Trump Hotel Properties

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks.

Trump International Hotel and Tower in Chicago.

Contacted regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels, the company declined multiple requests for comment.

Update, 4:56 p.m. ET: The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

Original story:

But sources in the financial industry say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.

If confirmed, the incident would be the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.

It is likely that the huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to upcoming changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers), cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.
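The difference between the two card types comes down to what an issuer can check. A stripe carries static data, so a copy authorizes exactly like the original; a chip computes a fresh cryptogram over the transaction details and a counter, so captured data does not replay. The following simplified model is an added example written for this page, not EMV itself and not code from the article or any bank: the per-card key, the HMAC construction, the PAN, the amounts and the decline codes are all constructed stand-ins for the real card/issuer exchange.

```python
"""
Added example (not part of the original article): a toy model of why a copied
magnetic-stripe record replays, while a chip-style transaction cryptogram does
not. This is NOT real EMV; an HMAC over (amount, transaction counter, terminal
nonce) stands in for the card's cryptogram. All values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample stripe record (not a real card). Everything the issuer
# can check is right here, so a clone is as good as the original.
STRIPE_RECORD = b"PAN=4111111111111111;EXP=2512;SVC=101"


def stripe_authorize(record: bytes, known_records: set) -> bool:
    """Stripe-era check: the issuer can only confirm the static data matches."""
    return record in known_records


@dataclass
class ChipCard:
    """Card side: a per-card secret plus a monotonic application transaction counter."""
    card_key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        msg = f"{amount_cents}|{self.atc}|".encode() + terminal_nonce
        return self.atc, hmac.new(self.card_key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer side: knows each card's key and the last counter value it approved."""
    card_keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorize(self, pan: str, amount_cents: int, atc: int,
                  terminal_nonce: bytes, cryptogram: bytes) -> str:
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE:unknown-card"
        msg = f"{amount_cents}|{atc}|".encode() + terminal_nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        # Constant-time compare: a counterfeit card (no key) or a changed amount fails here.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE:bad-cryptogram"
        # Counter must move forward: a verbatim replay of captured data fails here.
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE:replay"
        self.last_atc[pan] = atc
        return "APPROVE"


def run_demo() -> dict:
    """Run the four scenarios and return the issuer's decision for each."""
    results = {}
    # 1. A cloned stripe record is indistinguishable from the original.
    results["stripe_clone"] = stripe_authorize(bytes(STRIPE_RECORD), {STRIPE_RECORD})

    pan = "4111111111111111"                       # constructed test PAN
    key = b"constructed-per-card-key-not-real"     # constructed card key
    card, issuer = ChipCard(card_key=key), Issuer(card_keys={pan: key})

    nonce = secrets.token_bytes(4)                 # terminal's unpredictable number
    atc, crypt = card.generate_cryptogram(2599, nonce)
    results["chip_genuine"] = issuer.authorize(pan, 2599, atc, nonce, crypt)
    # 2. Replay the captured chip transaction verbatim.
    results["chip_replay"] = issuer.authorize(pan, 2599, atc, nonce, crypt)
    # 3. Reuse the captured cryptogram with a different amount and a fresh counter.
    results["chip_tamper"] = issuer.authorize(pan, 99999, atc + 1, nonce, crypt)
    # 4. A counterfeit card without the key cannot produce a valid cryptogram.
    fake = ChipCard(card_key=b"wrong-key")
    fatc, fcrypt = fake.generate_cryptogram(500, nonce)
    results["chip_counterfeit"] = issuer.authorize(pan, 500, fatc, nonce, fcrypt)
    return results


if __name__ == "__main__":
    for scenario, decision in run_demo().items():
        print(f"{scenario:18} -> {decision}")
```

The stripe branch is the situation the article describes: the issuer has nothing but static data to compare. In the chip branch the issuer's order of checks matters; the cryptogram is verified before the counter, so a forged or altered transaction is declined for the right reason and the counter is only advanced on a genuine, approved transaction.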

For more on chip cards and why most U.S. banks are moving to chip-and-signature over the more widely used chip-and-PIN approach, check out this story.



  1. Sweet Marley's Daytona Beach Fla

    You’re fired !

  2. That’s terrible! I am not apologizing because what I said was the truth.

  3. It’s okay. Donald’s ‘really rich’ and can just pay the banks back for all their losses.

    • But will he pay back all the CARDHOLDERS for their losses (e.g., debit card use), or will he just assume that those are campaign contributions?

      • Actually the banks eat the loss. Not the consumer. Reg E.

        • The banks pass on the cost of fraud back to the consumers in a byzantine web of extra charges and fees. It’s not the insurance companies that have to stomach it – nor the banks – it’s the consumers.

          • This is not the case for all banks. We have not changed our fees and services charges for YEARS. We are a small institution with not much fraud, but the fraud we do have is a direct loss to us along with fees from our processor.

            • No matter how you cut it, the consumer always pays in the end. Fraud losses get passed on — they have to — there’s always a consumer at the end of the chain who pays for everything up the chain.

              • Fraud is covered in myriad ways despite the fact that the bank covers it. Some of it in form of higher interest rate and fees depending on the type of consumers using their product.

            • I absolutely agree with JM – even if there is no direct “fraud” charge – the cost of it has to be offset somewhere. In terms of a direct loss to your bank – are you not insured? – and if your argument is that ultimately the bank stomachs the cost of the insurance (Insurance companies – like any business operating a sustainable model – are an end0-financial organism – taking in more money than they ever pay out) – the same argument could be applied to the consumer and the bank – so long as the bank is in profit, no?

              • Are you not insured? Absolutely not. The deposits of customers (checking, savings – the balances in these accounts) are insured up to $250,000 per customer per account type, etc. But the individual transactions which the customer reports as fraud definitely do result in a “loss” to the bank. Visa doesn’t eat it, Walmart doesn’t eat it, your bank eats it.

    • Recent data breach studies show that the cost per record compromised is on average $217.00! Seems like more losses to Mr. Trump!

    • Trump didn’t get rich by playing by the rules and paying bills.

  4. LMAO – Well – Maybe “The Donald” should take some of his ego and use it to protect his properties’ infrastructure. I’m actually glad he joined the “Republican Clown Car” – can’t wait to hear who did this to him: Immigrants, Obama, whoever else – just once I would love to see this BlowHard admit fault for ANYTHING!!!

  5. Hotel chains being broken left and right doesn’t surprise me in the least. These companies are, for the most part, unbelievably cheap when it comes to accounting systems, personnel, etc., even at the “world class” properties. So by and large they’re running ancient systems that are likely missing a decade’s worth of updates and patches with underpaid people whose passwords could probably be bought for $20.

    The only real surprise is that it’s taken this long to happen and / or come out.

  6. I’m surprised it took this long to crack Trump’s business, as I’d think it would be a major target. I suppose chip-n-pin is inevitable, lacking a better system, but why can’t Gibson Research’s SQRL image authentication work for credit cards? I realize the camera on ATMs can be compromised, but what about the ubiquitous cell phone, as backup? Perhaps I’m not understanding Steve’s suggestions; but someone here with more knowledge can perhaps bring opinion to the discussion as to why this can’t be adapted over to any device or card service?! I welcome any criticism.


    • I also would love some smart info on Gibson’s technique. Can’t quite fathom all the PKI? stuff. I read his site almost as religiously as Brian’s. He is another warrior.

    • I would also love some comment on Gibson’s techniques. I read his site as religiously as Brian’s, but the crypto gets my head spinning. He is another warrior.

    • For those who don’t understand PKI, which can be a daunting concept, let me try to help a little.

      One pair has a public and a private key. They are exactly what they sound like. The public key is something you share and the private key is kept secret, only the owner knows it.

      If I want to send a message that validates who I am, say a digital signature, I send it encrypted with my private key. Presumably, I am the only one who has that, so it is validated as me. Anyone with my public key can decrypt the message and be relatively confident (legally confident) that it is from me.

      If you want to send me a private message, you encrypt it with my public key and I am the only one who can decrypt it, as presumably, I am the only one with my private key. My public key will not decrypt something sent with my public key, so again, I am presumably the only one who can decrypt it. Now, I have no way of authenticating who sent the message, only that it was sent to me and for my eyes only. If someone also encrypted it with their private key, I could use their public key to validate their identity and receive both a private and authenticated (signed) message.

      In the example of SQRL, it appears they are using this message exchange to hide a destination, such as a web site, which would help authentication (sent with my private key and decrypted with my public key to determine the user) and avoid a MitM or redirect (DNS poisoning, etc) attack. Theoretically this could work with credit cards, but they would have to have some compute power, not just a random number generator. It would work much more effectively with tap to pay using NFC/phones/tablets.

      Certainly not a comprehensive look, people teach week long classes on this stuff, but I hope this is helpful. If not, sorry for wasting your time.

      • “In the example of SQRL, it appears they are using this message exchange to hide a destination, such as a web site, which would help authentication” — thanks for that.
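The two operations the PKI explanation above describes (sign with the private key so anyone holding the public key can check it; encrypt to the public key so only the private key decrypts; then both together) are easy to see in working code. The following is an added example written for this page, not code from the commenter, from SQRL or from GRC. It uses textbook RSA with constructed keys built from well-known Mersenne primes, no padding, and a hash that is reduced mod n because the toy keys are shorter than a SHA-256 digest; the names `sign`, `verify`, `encrypt`, `decrypt` and `run_exchange` are this example's own. Real deployments use keys of 2048 bits or more and padding schemes (OAEP for encryption, PSS for signatures).

```python
"""
Added example (not from the original comment, SQRL or GRC): textbook RSA
showing "encrypt with my private key" (a signature anyone can verify with
the public key), "encrypt with my public key" (only the private key
decrypts), and the combined sign-and-encrypt exchange. Toy-sized keys, no
padding; for illustration only.
"""
from hashlib import sha256


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: public (n, e), private (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # modular inverse needs Python 3.8+


def _digest_int(msg: bytes, n: int) -> int:
    # Real systems sign a hash, not the message. Reducing mod n is only
    # needed here because these toy keys are shorter than a SHA-256 digest.
    return int.from_bytes(sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    """'Encrypt with my private key': only the key holder can produce this."""
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def encrypt(pub, msg: bytes) -> int:
    """'Encrypt with my public key': only the private key can reverse this."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(priv, ct: int) -> bytes:
    n, d = priv
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed keys from Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1.
# Far too small for real use; chosen so the example runs instantly offline.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def run_exchange(msg: bytes = b"txn 4711 approved") -> dict:
    """Alice sends Bob a message that is both private and authenticated."""
    sig = sign(ALICE_PRIV, msg)          # Alice signs with her private key
    ct = encrypt(BOB_PUB, msg)           # ...and encrypts to Bob's public key
    plain = decrypt(BOB_PRIV, ct)        # Bob decrypts with his private key
    # The public exponent does not undo the encryption (the comment's point
    # that "my public key will not decrypt something sent with my public key").
    public_exp_decrypts = pow(ct, BOB_PUB[1], BOB_PUB[0]) == int.from_bytes(msg, "big")
    return {
        "plaintext": plain,
        "signature_valid": verify(ALICE_PUB, plain, sig),
        "tampered_signature_valid": verify(ALICE_PUB, plain + b"!", sig),
        "forged_by_bob_valid": verify(ALICE_PUB, plain, sign(BOB_PRIV, plain)),
        "public_exponent_decrypts": public_exp_decrypts,
    }


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k:26} {v!r}")
```

Two of the returned fields are the checks a practitioner cares about: a signature over a message that was altered in transit no longer verifies, and a signature Bob produces with his own private key does not verify under Alice's public key, so the recipient learns both that the message was for them and who sent it.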

  7. I guess this is the consequence when you pay people $3 to build your websites…

    Trump presidential announcement speech: “And remember the $5 billion website? $5 billion we spent on a website, and to this day it doesn’t work. A $5 billion website.

    I have so many websites, I have them all over the place. I hire people, they do a website. It costs me $3.”

  8. Well my bank recently issued chip and pin cards, but they are not enforcing use. Most stores that I visit that have chip and pin readers still accept the swipe quite happily. I’ve been curious since I got my card whether I had to use chip and pin or if it would let me continue to use it as normal, and so far it’s as normal.

    • Many stores have POS terminals with the slots for EMV, but haven’t turned them on yet.

      The theory is that once they do turn it on, the terminal will ask you to use the EMV slot if you have an EMV card.

      • Not at Walmart. This is the only store I’ve come across that has actually activated the chip reader, but it will accept the card either way. On the upside, they were quick about turning it up. It has been working for at least 3 months.

        • Several Walmarts here reject the stripe and ask you to insert. Like you, Walmart is the only one using a chip reader I have seen – North GA. Hopefully Kroger and Home Depot follow soon. I presume the advantage of all this, even with the stripe on the card, is that compromised readers can’t break the chip compared to the stripe? So maybe we can scrape the stripe soon?

      • This is true. Fortunately acceptance is getting better (Home Depot and some Targets now, as well as smaller businesses) according to the recent contributions to the map that I have that’s tracking this:


        • Thanks for that link! The Internet is a wonderful thing. I hope the miscreants don’t destroy it.

    • Come October 1st of this year, merchants will have to upgrade their systems to accept EMV chip cards or they will eat the fraud charges. NFC will be part of the equation for Apple Wallet and Android Pay.
      I’ve been making use of my phone to pay for things as my bank has not issued the EMV chip. At the places without it, I use a prepaid card to pay for things and I’ll know immediately if a transaction occurs. I had an employee at a store marvel at the technology used to pay for things. I replied that it is much more secure than using a mag stripe card.

      It will take over two years before everything is in place.

  9. Ridiculous that this still happens. Solutions like unit7software.com can prevent breaches from POS.

    Lazy admins and apathetic users are the only reason this still happens. The tech is there to stop this.

  10. What is the compromised period of data breach in Trump Hotel Properties

  11. It’s political cyber warfare. All it takes is a mild suggestion from someone to instill a potential presidential candidate into a tailspin.

    This is a way for one of the potential presidential running candidates to have mud on their face. This hack could have been planned, and buried until the time was right. Now that Trump has inserted foot in mouth earlier this week, even though what he says is documented, what a better way to make him look less appealing than to add more mud.

    In the US Military service, should someone have a boatload of cash, there is a good chance that they would be administratively discharged from the service. If you sit down and think about that, it’s a good idea. That person won’t be bugged continuously for cash. That person can’t simply just give up in particular situations and just walk away from his or her primary job.

    So, now why do the Republicans and Democrats have one candidate each that bolsters an insane amount of money, and is running for President? It’s ludicrous. It should not be allowed. One of them runs to try and prove they can do better than the other half. The other one runs simply to attract their names in lights to boost up the company name.

    It will be as always. Pick the candidate who “looks” the least corrupt.

  12. We have seen this pattern before, “they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.” Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years. Unfortunately, current security approaches can’t tell you what normal looks like in your own systems.

    I think that we need to focus on protecting our sensitive data itself. I found great advice in a Gartner report, covering enterprise and cloud, which analyzed solutions for Data Protection and Data Access Governance; the title of the report is “Market Guide for Data-Centric Audit and Protection.”

    I recently read another interesting Gartner report, “Big Data Needs a Data-Centric Security Focus,” concluding, “In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach.”

    Ulf Mattsson, CTO Protegrity

  13. Question: my American friend swipes their card and 1 in 3 times they are asked loads of questions (phone number, DOB, address, social security number, ZIP etc…)?

    I know how easy fake card, ID, and signature is. But how do they answer the above when rescator.so etc provide such little info?

    • Typically the breaches are at whatever aggregator collected both sets of information (the credit card stripe + the zip the user entered) instead of just the place with the individual piece of information (the swipe head).

      Imagine someone could tap the cable between your keyboard and your computer, or they could take over your computer instead. If they tap your keyboard, they won’t see your mouse, if they take over your computer, they will. The same applies to POS systems — you could tap the magstripe reader, but if you need other information, then it’s not the right thing to attack. Besides, typically these attacks are network based (i.e. someone broke into the network and attacked the terminal which is connected to the reader), instead of physical (where someone puts a reader in front of the ATM reader).

      • I understand that. But as I said, most black market sites I’ve read about sell tracks do not include anything else I don’t think?

        • Historically, they didn’t.

          There are basic laws of economics… if your product is as good as everyone else’s and gets enough money, there’s no need to increase your production costs unless you want to increase marketshare by offering a “better” more compelling product.

          One problem Rescator faced was that there was a glut of “product” on the market, and thus its value was dropping (because there’s an availability to cash out the product). Rescator chose to increase the value of their product proposition (which did increase their baseline cost) so that they could increase marketshare and command a higher sale price.

          Once that happened, my understanding from this site and others is that more of the recent products for sale have included similar data.

  14. Here we go again. By now the pattern is predictable. Lax top management, sensational headlines, “We take security seriously” press releases, followed by more press releases with words like “sophisticated crime syndicate” or “nation-state.” Anyone in the know inside the Trump organization will probably hear, “you’re fired” if they talk about it. What a shame. It doesn’t need to be this way. This stuff is preventable. Take a look at this blog post:


    – Greg Scott

  15. “Like virtually every other company these days”

    Ah yes, poli-speak.

  16. Also, no matter what you do or say, we will maintain the hackers were Kenyans, period.

  17. Mr. Krebs, I needn’t finish reading this one, it’s an old school type attack; besides, I am not a great fan of Mr Trump. But you hit the nail on the head. The problem with magnetic stripes is that they are too easy to read, and it is too easy to write to magnetic stripes and create clones of valid cards using tools purchased from eBay.

    Skimmers are after two things: the data on your card’s magnetic stripe and your personal identification number (PIN).

    Attackers can also use small kits that can be placed over the ATM card reader slot to copy the magstripe data as the card is ejected from the machine.
    The responsibility of protecting a customer’s vital information is on the merchants, in this case, the hotel, not the bank.

    Banks must stop issuing low-cost magnetic stripe cards. Most credit card fraud can be prevented through the implementation of “smart cards” on bank cards, called EMV: “chip and pin”, which is now profoundly adopted in European banks.

    • Many banks are issuing chip cards in time for the October 1st switch over, or the fraud charges are eaten by the merchants if they do not upgrade their POS systems. It will take about two years until fully implemented. You also have technology companies pushing people to use their phones to pay for things, such as Android Pay and Apple Wallet.

  18. I was looking forward to chip-enabled credit cards. I should have known better. After all, I read Spam Nation and knew how US business enables the bad guys. It’s happening again.

    At least in my area chip cards are worthless, intended to satisfy requirements without fulfilling their purpose or offering the user any security. My cards each have the chip but are the type that use electrical contacts and require you to insert them into the reader. All the local stores (and all the stores in Canada, which has used the chip for years) with chip readers are tap-type with no slot for inserting the card, so despite having the chip I’m still forced to swipe the card. Great security.

    When I called Bank of America to ask about getting a card with a usable chip I was told that the industry and stores would be using insertion type readers in the near future. Yeah, right. After stores are forced to spend millions rolling out tap-type readers they’re now going to spend more millions on changing the readers to insertion type? I won’t see it in my lifetime.

    But isn’t this business as usual for American banking? Give the suckers smoke and mirrors while pretending to do something for it, not to it.

    • Where do you live that most businesses support NFC? I live in a major city and the vast majority were magstripe only until places started upgrading to support EMV. If anything you should be upset that we’re only doing chip and signature and not chip and PIN.

    • Apple Pay and Google Wallet (Android Pay) are going to be what you want to use. They are compatible with the Canadian readers you speak of, and you’re right, it is more secure than a contact chip card.

      If you want to use contactless chip, your best bet is to use one of these smartphone payment methods, as that is the method most banks in the US are going for contactless payments.