Keeping spirits high during holiday shopping season by protecting POS systems
Starwood, a hotel chain that includes W Hotels, Westin, Sheraton and Le Meridien, had 54 of its locations hit by an attack attempting to steal customers’ credit card information. The malware was designed to target the company’s point-of-sale systems at restaurants and gift shops, to obtain cardholder names, credit card numbers, security codes and expiration dates. This breach was only the latest in a long streak of attacks targeting the hotel industry.
In fact, Brian Krebs reported hearing that Hilton, one of the largest hotel chains and most recognized brands in the world, had fallen victim to a similar attack back in September of this year. In an article on KrebsOnSecurity, he wrote, “Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States.”
The news was made public in late November when Hilton verified that the breach occurred in the company’s point-of-sale systems and compromised “cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).”
These attacks aren’t particularly shocking. According to Verizon’s annual Data Breach Investigations Report, the retail and hotel/hospitality industries combined are the single largest target of cyber attacks. Much like the service/hotel industry, retailers are prime targets for cyber attacks because the money is there. Also not surprising is the targeting of POS systems, which remain a significant vulnerability for many retailers and hospitality companies.
The recent rise in attacks on the POS systems of hospitality and retail companies is certainly troubling considering this is the time of year when consumers are shopping, traveling and eating out frequently. Between Black Friday, Christmas and New Year’s, money is constantly changing hands in the form of credit and debit card transactions, which means that sensitive card data is most at risk. Customers’ credit card and personal information is readily available both at rest and in transit at many retailers, and the potential damage of a cyber attack is at its highest.
For example, think about the massive data breach Target experienced in mid-December of 2014, just before the holidays. The hacking of Target’s systems was said to be one of the largest breaches in U.S. retail history. Over one hundred million customers were affected by the breach, in which 40 million credit cards and close to 70 million customers’ personal information were compromised. Since Target announced the details of the breach, high-end retailer Neiman Marcus has also announced that more than 1 million of its customers’ credit card information had been compromised.
The holiday shopping and travel season should be the time that retailers and hospitality companies bring in their highest revenues of the year. The good that comes with increased spending and traffic in stores, restaurants and hotels should not be spoiled by the potential damage of a cyber breach, which could cost these companies millions.
In preparation for the holiday buying season, retailers should have been taking every precaution to assure their customers that their personal information was not at risk, especially at the point of sale.
When you consider vulnerabilities in POS systems, there are three key areas of importance: data in memory, data in transit, and data at rest. Card data exists in all three of these states as it makes its way through the payment system, creating the following vulnerabilities:
- If the POS terminal has a tampered card scanner, it could skim the card data and send it to a malicious device that can gather this data and send it to the perpetrators. This is one point of vulnerability.
- If the terminal’s card scanner is clean, there are still risks. When a card is scanned at the POS terminal, the card data is kept in temporary memory. This is another point where hackers can obtain a customer’s information.
- The card data is then transmitted from the POS terminal to the in-store payment client. This is a third point of vulnerability.
- Finally, when card data is stored in local servers in the merchant data stores, it is data at rest. If that data is not protected properly, it is at constant risk of being compromised.
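For the data-at-rest point above, one check a merchant can run is an audit of stored records for card numbers left in the clear. The following is an added example, not part of the original article: the function names and sample records are constructed for illustration, and the card numbers are widely published test values.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def audit_records(lines):
    """Return (masked_lines, findings); findings are (line_no, masked_pan)."""
    masked_lines, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        def repl(match):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_ok(digits):
                return match.group()        # not a card number, leave untouched
            findings.append((line_no, mask(digits)))
            return mask(digits)
        masked_lines.append(PAN_RE.sub(repl, line))
    return masked_lines, findings

# Constructed sample of stored transaction records (test card numbers only).
SAMPLE_RECORDS = [
    "txn=1001 store=0042 pan=4111111111111111 exp=12/17 amt=84.10",
    "txn=1002 store=0042 pan=5555-5555-5555-4444 amt=19.99",
    "txn=1003 store=0042 order_ref=1234567890123456 amt=5.00",
    "txn=1004 store=0042 pan=411111******1111 amt=42.00",
]

if __name__ == "__main__":
    masked, found = audit_records(SAMPLE_RECORDS)
    for line_no, pan in found:
        print(f"line {line_no}: cleartext card number stored ({pan})")
```

Records 1 and 2 are flagged; the order reference in record 3 fails the checksum and the already masked value in record 4 does not match, so both pass through unchanged.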
Companies and enterprises need to protect their sensitive customer information during the entire transaction, and in all of its forms. To do so, they need to take an intuitive, comprehensive approach to security that goes across the entire enterprise.
The solutions they consider across their organization should include a completely out-of-band mechanism that orchestrates credential flow away from malicious actors, an easy-to-use interface and process so that their customers can transact more easily, and a holistic capability that can generate a reputation or score (or furnish answers to security challenges) so that quick challenge decisions can be made to lower the risk of fraud and other malicious acts.
The holiday shopping season is a time for retailers and hospitality companies to get into the black and bring in their highest sales of the season. They shouldn’t have to worry about those dollars flowing right back out of the door due to a cyber breach and compromised payment accounts. By protecting the entire transaction and securing data in all forms and states, enterprises can have a happy holiday, and sleep soundly knowing they won’t make it onto consumers’ “naughty list.”