28 Dec 16

Holiday Inn Parent IHG Probes Breach Claims

InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.

An Intercontinental hotel in New York City. Image: IHG

Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.

Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations.  We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements.  If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).


49 comments

  1. Doh! Just stayed at an Intercontinental. Looking forward to more details and watching my card.

  2. IRS iTUNE cards (real)

    It’s the same breach scenario over and over again

  3. Would be interested to know if these were franchised locations or actually managed by IHG. They have come a long way on security in the past few years, but there are still a lot of opportunities in hotels.

  4. I stay at IHG properties in WA frequently. My IHG branded Chase card was just compromised for the second time this year.

  5. Any idea of the date range of this possible compromise?

  6. Brian,

    I’ve been reading your blog for years, and, as I read the list above, I couldn’t recall ever reading and thus wondered if any of these breaches occurred outside the USA, where paying via chipped cards is the norm.

    It would be interesting to see a contrast between card fraud that starts in the states vs overseas.

    • Doesn’t matter if you pay with chip or not since the Opera installations and configurations aren’t PCI-DSS compliant and CC’s are stored in the DB forever.

      The large amount of CC’s aren’t coming in by the terminal/swipe but instead by booking sites using myfidelio.com that allows insecure transmissions of CC’s.

      If the installations were made by the book, this would have been a much smaller problem for all.

    • As the article mentions, a majority of these high profile breaches are driven by malware installed at point-of-sale. Chip cards don’t do anything to prevent that type of breach, as the credit card data is still present on the computer (in memory) for a brief moment in time, where the malware collects it to be sent off to the crooks.

      Point-to-point encryption (aka tokenization) is the primary method for dealing with this problem, as the credit card data is never transmitted or stored in plain text. The entity taking your payment (in this case a hotel) never has access to your credit card number. They can see the “token” for reference purposes, but nothing more.

      However, credit card information manually entered at a terminal (via a keyboard) could still be stolen. In order for P2PE to function, the card must be swiped/inserted into a properly tokenized credit/debit pad. Adding to that, Point to point encryption has no impact on credit card skimmers.

      Obviously there is no silver bullet for this problem, but it would have been nice if more institutions pushed the importance of encryption as much as they do chip cards.

      • I still think an easy solution to the POS hijackings is to have a firewall that restricts access to just the payment company and device support only. There is no excuse for allowing a POS general internet access, just none.

      • I agree that EMV tech doesn’t inherently protect the card data from malware/RAM scraping, but it does change the impact: EMV cards use dynamic CVVs, while mag cards don’t. The things the thieves can do with EMV transactions scraped as they’re flowing through the system is smaller, right?

        I think there is a difference between tokenization and encryption, and it hurts things when people confuse them. I believe point to point encrypts first, and returns the token second. It doesn’t tokenize at the swipe (there is no token vault in the card reader, and the processor wouldn’t be able to reverse the token in that scenario – instead they get the encrypted card data and decrypt it, and return you the token). Would love to see a detailed analysis of this.

        • Amateur – Correct – P2PE has an asymmetric key on the card swipe/dip terminal that allows for remote key injection (RKI) used to place a card-encrypting symmetric key on the swipe/dip device. These keys are controlled by the payment processor so the merchant taking the payment never has the keys. The authorization data is encrypted in a blob and sent encrypted across the payment terminal and out the merchant’s network to the payment processor (or 3rd party encryptor); the transaction is approved/declined, which is sent back to the POS. The token is generated on the processor side and sent back to the merchant. This is sent back for settlement and held for any disputes/chargebacks.

          The cost of this protection is a small percent on every transaction, so the decision point for implementing this is when the fee charged is less than the cost of a breach loss. Problem with this is the insurance/warranty question – do you guarantee to pay x% more for a what if scenario? CEO and board are guaranteeing profit loss and rolling the dice on not getting breached or if breached that it costs less than the P2PE solution across the years not breached.
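Added illustration of the P2PE-then-tokenize flow described in the thread above; this is not code from the post or from any commenter. The processor injects the terminal key, the terminal encrypts the PAN before it reaches the POS, and the merchant only ever holds ciphertext plus a token. The HMAC-based keystream, the terminal id and the token format are stand-ins chosen for this example, not any real processor’s scheme.

```python
"""Toy model of P2PE + tokenization: who holds keys, who sees the PAN."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Issuer-side sanity check used here as the 'authorization' decision."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode stands in for the terminal's real cipher
    (AES/DUKPT in practice). Same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


class Processor:
    """Owns the terminal keys and the token vault; the merchant never does."""

    def __init__(self) -> None:
        self.terminal_keys: dict[str, bytes] = {}
        self.vault: dict[str, str] = {}

    def inject_key(self, terminal_id: str) -> bytes:
        # Remote key injection (RKI): key lands in the terminal's secure element.
        key = secrets.token_bytes(32)
        self.terminal_keys[terminal_id] = key
        return key

    def authorize(self, terminal_id: str, nonce: bytes, blob: bytes) -> dict:
        pan = keystream_xor(self.terminal_keys[terminal_id], nonce, blob).decode()
        token = "tok_" + secrets.token_hex(8)   # hypothetical token format
        self.vault[token] = pan                 # kept for refunds/chargebacks
        return {"approved": luhn_ok(pan), "token": token, "last4": pan[-4:]}


class Terminal:
    """Swipe/dip device: encrypts at read time, before data reaches the POS."""

    def __init__(self, terminal_id: str, key: bytes) -> None:
        self.id, self._key = terminal_id, key

    def read_card(self, pan: str) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(12)
        return nonce, keystream_xor(self._key, nonce, pan.encode())


class MerchantPOS:
    """Merchant application: forwards blobs, stores tokens, never plaintext."""

    def __init__(self, terminal: Terminal, processor: Processor) -> None:
        self.terminal, self.processor, self.records = terminal, processor, []

    def sale(self, pan: str) -> dict:
        nonce, blob = self.terminal.read_card(pan)
        resp = self.processor.authorize(self.terminal.id, nonce, blob)
        self.records.append({"token": resp["token"], "last4": resp["last4"], "blob": blob})
        return resp

    def memory_snapshot(self) -> str:
        # What a RAM scraper on the POS host would be able to read.
        return repr(self.records)
```

A sale with the constructed test PAN 4111111111111111 is approved, the processor vault maps the returned token back to it, and the POS memory snapshot holds only the token, last four digits and ciphertext.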

  7. When are they going to learn that the tired old excuse of “taking customer security seriously” means nothing! If they took it seriously we would not be seeing the same old breach, over and over again. To me this is a perfect example of just not caring about security, when you can’t even look around you and see the writing on the wall!

    Wake me up when they find out the crooks took a completely different approach to compromising yet another hotel chain.

    • They take it as seriously as they need to. What are the consequences for them? A one-time charge for monitoring services for those affected, and a little bad publicity. It probably won’t materially affect their business. Why put out a lot of cost and effort to implement more secure operations when they can take a chance on not paying anything at all, or at worst still paying less than the annualized cost of more security. The real culprit here is the notion that a shared secret can be kept secret.

    • If they take security so seriously, why have they not upgraded their POS terminals to EMV standard?

  8. The scary part of this is that the single point of failure in all the above-mentioned cases is the (former Micros) Oracle Opera PMS system, and no one seems to do anything about the problem with the badly installed and configured booking system at the hotels.

  9. When will they release the dates of the breach? I recently stayed at a Holiday Inn Express back in October in New Jersey, and would like to know if I need to take preemptive measures to secure my credit card by canceling it.

    • It sounds like they’re still in the early investigation stage, so you’re not likely to get an answer to this question for a while. And once they do announce a hard timeline for when the breach occurred, it’s very common for those dates to be expanded as the investigation continues.

      That said, it’s usually a good idea to proactively take steps to protect yourself. While you’re not going to be liable for fraudulent charges on your credit card, it can still be a hassle.

      • Just set up email and text alerts on each card you have and set the transaction warning to zero dollars or the lowest limit it will let you. No one should use your card without your knowledge and you’ll know immediately. With my Discover Card I get a text literally before I have to sign the receipt.

        • I get SMS alerts from AmEx the split second the transaction is approved.

          Unfortunately my USAA Visa card takes 3-4 DAYS to send me alerts. Not as useful and they’re usually very proactive in many areas.

  10. Would data from “dipped” chip cards, vs. swiped non-chip cards, be protected from such POS malware?

    • Not really…EMV (dip) doesn’t really protect the 16 digit credit card number or exp date. It does use dynamic card verification values vs the static ones on mag stripes. In that sense, thieves could not create a mag card clone from stolen EMV data (like they obviously do from stolen swipes), but they can do other types of payment fraud with the PAN and exp date.

  11. It seems that credit card data was safer when they had to do transactions via the old method of swiping the card via a manual credit card imprinter onto carbon purchase sales slips. Like IRS iTUNES Cards says above “It’s the same breach scenario over and over again”… So maybe what has to be done is make the POS machines so that one can’t install any software, i.e. upgrade by replacing a fusible link prom. But that leads to a weird side thought, going along the lines of what used to be rumored about McAfee antivirus back in the day.

    Back after the bank bailout I had a $500 hit on a debit card done at a local bank branch from the ATM. My bank is a “too big to fail” bank. After reporting, the bank refunded the money but wouldn’t report the incident to the police nor would they provide a video or picture of the alleged fraudulent ATM withdrawal. Really? That fraudulent transaction is a felony level crime where I live. Within a week, that too big to fail bank posted an eight billion dollar profit. All of a sudden, there was a distinct smell of fishing boats that hadn’t been washed in a while wafting about…

    • “After reporting, the bank refunded the money but wouldn’t report the incident to the police nor would they provide a video or picture of the alleged fraudulent ATM withdrawal. ”

      I’d have called the police from their lobby…

    • «At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.»

      http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/

      • Back in the day, the merchant would call an 800 number to ensure the client had adequate credit to cover the charge, and that the card was not stolen.

        We’re so much more sophisticated than that now, while adding shareholder value every day! Customer service, not so much…

    • No debit PINs are ever stolen – why? Because they use true end to end encryption. We should do the same with credit cards – merchants just don’t want to pay for that tech, and developers for POS software are lazy. If we used the same tech/process as debit PINs for PCI data, we wouldn’t be here. And we’d get the benefits of instant authorization (vs the old paper method).

  12. Like John, my IHG branded credit card was also compromised twice. Makes sense that there was a breach now.

  13. Callin’ it now. RawPOS strikes again.

  14. Meanwhile in Russia, Ukraine or former Soviet Union countries…
    ..Vladimir…or Dimitry..or maybe Olya..maybe. Julia…or else.
    Just got new AMG G-Wagen Mercedes and will see how it works.
    As we know money is created by debt. More money equals more debt..more debt more money. Debt keeps inflation away*

  15. We can blame all this on the middle class…biggest consumers.
    Because of them credit cards exist. Cause they want shopping, nice life..and so on. Middle class is guilty!!! They are the ones who spend more than they have. Fraud exists cause of greed of middle class people. When we finally get rid of middle class then no more fraud and no more poverty !!!
    Middle class are parasites…endless consumers. They are credit addicted beggars. They use what they don’t have!

  16. I’m not a. . . .

    but I did stay at a Holida . .

    Well, you know the rest.

    Sorry. 🙂

    Free credit monitoring for life for everyone!

  17. “Krebs on Security” – annoying Internet miscreants and testing “stress testing services” since 2010!

  18. Unbelievable! We see the same attacks over and over and over again. If any Krebs on Security readers are looking for material to give to your CEOs on what to do about this stuff, take a look at this six minute slideshow I made yesterday. I have plenty more, but here’s as good a start as any.

    http://www.bullseyebreach.com/russian-crooks-find-invade-bullseye-stores/

    – Greg Scott

  19. After all the previous hotel and retail chain credit card incidents, I know that many security companies have been marketing their services to hotel and retail chains like crazy. IHG probably received dozens of security services offers. I’m guessing that IHG turned down every offer.

    The problem is not that these credit card incidents can’t be prevented. It’s that these companies have no interest in spending funds on prevention.

    • Until the CEO / CFO of these companies are held personally liable, nothing much will change. As soon as they, and the board, have their own skin in the game, investments will be made.

  20. How can you tell if a company is taking their IT seriously? Some legitimate companies could be penalised – my question will always be – how can you protect from a type of attack that has never happened yet, and would the first company to be exploited by an unknown method then be penalised … ?

  21. Any company that uses a 4 digit pin as their website password does not take security seriously in the slightest.

  22. Weird, me and a colleague have just stayed in the Holiday Inn Newport Beach, and both our company credit cards have been used in attempted online purchases.

    Suffice to say they were blocked immediately as we are not based in the states.

  23. The improvement in security from using EMV is not from the chip technology itself but from moving to a point-to-point encryption solution where the merchant does not have access to card data in their systems.

    Hotels, travel agencies and hospitality in general are really far behind in terms of security and PCI compliance. Even here in Scandinavia where virtually all merchants from the biggest retailers to the smallest food-truck use PCI compliant point-to-point encryption solutions, most hotels still use non-compliant insecure systems.

    With all the major breaches happening, it’s strange that the major card brands aren’t doing more to push for PCI compliance in the hospitality industry.

  24. Why blame the brand and business outlets? Why do the credit card companies issue cards to their customers that have the built-in technology to safeguard their clients and facilitate their customers to purchase, when the banks who receive are not ready to receive the Chip and PIN information? Businesses are at the mercy of banks and credit card merchants. Businesses are just middle people of the transactions. How about all businesses refuse to take credit cards and make it an all cash economy? This is a two way street and businesses are spending tons of money for credit card companies and banks to earn their commissions and fees and interest on those that do not pay their credit card statements on time. Have you all considered why businesses must or have to accept credit cards? All want to blame the businesses but not credit card companies that issue unsecured cards or banks that do not provide technology or machines to secure the information from swipe to them receiving the information. Who is in this business called Transactions? It is the credit card companies and banks, with businesses paying these companies to facilitate them. All businesses are interested in payment. So if businesses facilitate the customer it is the businesses’ fault? 2017 all should think fairly from all directions.

  25. Hello
    The rape is mainly in the months of October and November, be aware in their statements. I think this can be useful for changing cards

  26. I’m disappointed. Based on these comments, Krebs’ readers don’t seem to know as much about payments as they used to. I need to clear up some misconceptions I am reading here.

    Get this straight: EMV, P2PE, and tokenization are three separate technologies, and the use of any one of them does not imply that the others are being used. P2PE does not include tokenization, and neither does EMV. And a P2PE terminal does not necessarily support EMV. A merchant can purchase any one or a combination of these, depending on whether they are supported by their processor and/or their acquirer. They each require an investment by the merchant; with P2PE and tokenization there is often a fee per transaction. Also, P2PE does not require the card to be present. There are P2PE terminals which have an encrypted numeric keypad, allowing more secure mail orders/telephone orders (MOTO).

    If you want better card security, you need to use all three of these technologies together. And they are available for the most commonly used hotel POS and property management systems.

  27. former_IHG_Security

    Ok, I used to work at IHG and was a senior IT person. We all knew that Micros, and then Opera were sorely deficient in security, but the claim was “the hotel owners will not pay for better”.
    Despite that, IHG laid off most of the Infosec and IT teams in 2009 so they could save some money by hiring contractors.

  28. Brian, Good Sir.

    Your legacy is filled with nothing but gibberish.
    I note you named my software in your little tag posting of an icon but failed to mention how I for one am well.. heh. Am not behind bars, I broke no laws, and showed the fallacy of your operation.

    In those few events you took down those whom I may not have known, but they ran operations I was well, aware of. You got them arrested, and in return got a record setting DDoS attack against you.

    Wake up, and honestly, I am not even upset of the overall result, I knew what I was doing, but man, from what I know of you, you got people to think about.

    ONE DAY you’re gonna pick the wrong target Brian, and that is never good. Someone sent a funeral wreath to you and other gibberish… And you did not take the lesson then.. SMH.

    I would never encourage it, but it would not in any way surprise me if someone took action against you good sir.

    Best Wishes. – Armada – aka John.

  29. @Armada
    Nothing would surprise me if people know about you and all your asshole friends. I would not be surprised if someone took action on you, and your families.
    Good sir
    No best wishes, you are fake news.

  30. And the fraud has begun. Just had fraud out of PA today and the card had been used only once since issued at (drum roll) Holiday Inn in Oct 2016. Oh joy