05
Oct 15

Trump Hotel Collection Confirms Card Breach

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and Republican presidential candidate Donald Trump, said last week that a year-long breach of its credit card system may have resulted in the theft of cards used at the hotels. The acknowledgement comes roughly three months after this author first reported that multiple financial institutions suspected the hotels were compromised.

Trump International Hotel and Tower in Chicago.

Trump International Hotel and Tower in Chicago.

In a Web site created to share details about the hack, The Trump Hotel Collection said the breach affects customers who used their credit or debit cards at the hotels between May 19, 2014, and June 2, 2015.

“While the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems, it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems. Payment card data (including payment card account number, card expiration date, and security code) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected.

The Trump compromise is just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.

On Sept. 25, this author first reported that the Hilton Hotel chain is investigating reports of a pattern of card fraud traced back to some of its properties.

The Trump advisory named the individual properties that were hit with the card-stealing malware, including Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto. The hotel collection said transactions on the point-of-sale terminals at the Las Vegas and Waikiki properties may also have been intercepted by card thieves.

This tracks almost exactly what I heard from banks in June of this year, who told me they had little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — were dealing with a card breach that appeared to extend back to at least February 2015. Turns out, it was quite a bit longer than that.

Many experts I’ve interviewed believe that the huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit.

Non-chip cards store cardholder data on a magnetic stripe, which can be trivially stolen by malware designed to infect point-of-sale devices. The data is then sold to thieves who can copy and re-encode it onto virtually anything else with a magnetic stripe and use the counterfeit cards to buy stolen merchandise from big box stores.

Effective October 1, 2015, U.S.-based merchants that have not yet installed card readers which accept more secure chip-based cards assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers) cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.

For more on chip card technology and why most U.S. banks are moving to chip-and-signature over the more widely used chip-and-PIN approach, check out this story.

Tags: , , , ,

23 comments

  1. Has anyone discussed that the POS card reader itself is actually comprised either at the time of manufacture, by the technicians installing it or at the distributor that sells and installs the devices?

    Just curious …

    • There are several examples of “Cow chip in Pen” compromise, but I’ve provided the links so many times on KOS that I give up fighting it. I’m finally resigned to the fact that it is coming, and just hope it can be made better as well.

      The chip itself has hardly changed since the late ’80s when I first learned how to program them in school. That was so long ago, that I don’t even remember the details, but it did seem as if they could be cracked just like any other EEPROM or CPU in a cell phone or what have you. Of course it is more complicated than just that – as a concept – but we shall see soon enough, I’m afraid.

    • Card readers are insecure by design, you wouldn’t need to comp them at all, you just need to issue the commands you want, which usually means either bad guy doing slight of hand while he pays, or comping the POS with malware.

    • No need really, it would be a much more difficult attack to pull off. And not only would you have to get into that supply chain, you would have to make sure you only infected /some/ readers, else it would quickly be determined that all the dissimilar breaches all used card reader brand A. Not to mention, it would be much harder and less reliable to get the stolen data from the reader back to the criminal. A large number of readers, while connected to the local network, can’t communicate with devices that don’t have a proper encryption certificate, and in some cases they can’t talk to other devices / the internet at all. It is much easier to breach the POS register terminal, as many run windows. The card device passes the data to the pos register (where it gets stolen by malware) and then on to the bank. This way you can collect all the cards and then transfer them back to your server on the internet, and you can affect all, or a large number of, registers in a company. Physically swapping out readers with rouge ones does happen, but those are smaller scale criminals, and they have to touch a device, in person, to compromise, where you can infect the pos with malware without ever stepping foot in the store, or even the United States.

      You could also affect some sort of breach at the chip manufacturer, but again, crime, like most things, takes the path of least resistance + least likely chance to be arrested – and that is currently pos malware.

  2. I’ve noticed that electronic signature touch pads have become very ubiquitous in my local US market place. It seems that if a good signature recognition algorithm were included in this model, a better authentication system could be launched. Touch pads can also measure pressure although most do not – so in that scenario a card holder could sign, and replay would be impossible – but the only hurdle would be an AI that can recognize signature patterns reliably. I’ve said for a long time this could be augmented, because I truly believe in it – this tech has actually been with us for over 40 years, but never implemented. Now seems like the time to finally do it.

    • Given the poor-quality signatures produced by most of the PoS terminals I’ve used, seems to me that the odds of implementing a reliable system using this technology is close to nil.

    • I use a smiley face myself. I dislike having digital copies of my signature all over the place. Clerks have been laughing at it for years. On the other hand, it’s a pretty distinctive one. Probably more consistent than my actual signature.

  3. Is Brian voting for Donald Trump?

  4. Kathleen Andrews

    Enjoyed this article – thx. Found it very informative from the tech side. I liked the first four posts I read in the comment section as well.

  5. He’s fired.

  6. Aargh, just had to do cmd, and ipconfig /flushdns to be able to get to krebsonsecurity.com. Someone does not want me to read your column?

  7. I just got back from Las Vegas, didn’t stay at Trump, but an interesting thing happend there. I didn’t notify Chase that I was going there before hand. My card got declined at a drug store (fraud early warning, kudos). The thing that happens next though, was disturbing. I called Chase, identified myself, said how long I was going to be there, and said I use Apple Pay when possible. I don’t key in my pin, I want my card used as credit.

    The agent, tried to tell me that the ATM use (versus using Visa) of the card was “more secure” and completely protected against unauthorized use. After she said that, I told her that I’d just use AMEX (via Apple Pay) and electronically pay my AMEX off after each day. Why would a bank try to promote ATM use? I understand the two part security factor, but over a touch less system so no point for a skimmer to come in contact with the card? I don’t know, but I was not impressed.

    Every single retailer, show and cab had the ability to accept Apple Pay, with the exception of CVS. They had the receiver, but didn’t allow transactions to go through using Apple Pay (as of September 2015).

    Maybe Brian can provide some light on this topic.

    • Maybe CVS is part of that consortium that is trying to put together a fake debit card / loyalty card network that bypasses the credit card companies. I’m afraid I’ve forgotten the name of the card / network. I thought I read somewhere that the merchant agreement for that required them to refuse Apple Pay, Google Pay, etc.

  8. ^ ATM use is cheaper for banks vs. paying Visa/Mastercard a fixed or variable per swipe. Using your Visa/Mastercard also grants you fraud protection, unlike the use of your debit. If you’re debit information is stolen, you will have to jump through flaming hoops to have account refunded versus the almost instantaneous refund through the use of credit.

    • I had my debit card info stolen, and someone used a cloned card to take money out of an ATM 100 miles from my location. I called my bank and the money was credited back to me by close of business that day, no hoops, no hassle.

      • 1. If you’re a company instead of a person, you have fewer protections.
        2. If you have other interleaving transactions and something bounces, then it isn’t as simple as getting the money refunded.

        • It’s also worth noting that not all banks treat all customers the same way. Some banks are simply not nice to deal with on fraud, since they regard you as a suspect and generally put hoops in your path hoping you’ll give up and pay the fraudulent charges. Others are nice to their preferred customers but most customers get the third degree.

          When I had my card cloned from a breach, it took two weeks for a new card to arrive and over a month for all the fraudulent transactions to not show up under my account. Essentially they closed my account and created a new one, but both accounts were still in my name, and it took a month for them to decide whether or not to pass those fraudulent charges on to me.

          In the end they did do the right thing but I had to sign off on paperwork they physically mailed to me and then physically return to them before even my replacement card arrived. Though in fairness the fraud was committed locally, starting just a few miles away from my workplace, which probably raised the suspicion level.

          The jackass in question apparently had a very thirsty SUV since he filled up the tank multiple times along a highway heading out of town over a single night. He got X miles along the road, stopped, filled up, drove X miles, stopped, filled up… until his charges got denied. Apparently he had to resort to a life of crime to keep his Hummer’s tank from running dry.

  9. $d American Airlines reservation system SW woes adding cars, hotels (S 17 4)

    f/m Bug in Windows-operated vacuum-operated toilet system fails throughout London’s One Aldwych Hotel (R 23 20)

    !h Woman electrocuted in hotel; faulty air-conditioning? (S 20 5:9)

    $SHI Beijing Hotel managers embezzle $9K by rigging billing records (S 19 4:13)

    SHP Hotel minibar keys open Diebold voting machines (R 24 43)

    $SHP Hacking a London hotel TV system (R 23 95; S 30 6:23)

    SP Hotel telephones give identity of called room occupants (R 20 93)

    SPf Risks of hotel STSN Internet access (R 21 91)

    SHP 243,000 Hotels.com credit-card numbers stolen (R 24 31)

    – Old bounced checks jail hotel employee on visit from Barbara Bush (S 17 3)

    Illustrative Risks to the Public
    in the Use of Computer Systems
    and Related Technology

    Added complexity introduces more points of failure.