Tag Archives: Credit Cards

by | December 6, 2010 · 7:15 am

Hospitality Industry Credit Card Risks: Hotel Owners And Management Must Store “Credit Card And Guest Receipts” In Secure Locations To Prevent Identity Theft

“… (the defendents) found boxes of monthly credit card receipts from previous hotel guests. Box by box, they and others lifted them from the hotel, officials allege…”

The receipts, officials say, helped the men manufacture counterfeit credit cards in document “boiler rooms” and card “chop shops,” which they then used to buy $300,000 worth of merchandise in Texas, Oklahoma and Louisiana.

The merchandise, which included tow trailers, televisions, all-terrain vehicles and tires, then was resold or pawned.

The hotel didn’t learn of the thefts until August 2008, and since then, federal investigators have learned at least 17,000 receipts were stolen in what they say is San Antonio’s largest identity theft case.

Details had remained sketchy until the ringleader, Ruben “Hollywood” Costello, 36, recently pleaded guilty to ID theft fraud conspiracy, access device fraud, and conspiracy to launder money, and documents in the case were unsealed.

They identify Jones, 34, as his partner in the crimes and name him and Flaharty, 31, as two people who helped take the records from the Emily Morgan.

They also reveal Costello used a network of associates, methamphetamine addicts and others to maintain the scheme, and used an Elmendorf trucking company he ran, RD&N Hauling, to launder the money.

The cardholders never realized their credit card accounts had been compromised until months, even years, after they stayed at the hotel. But the damage made it hard for some of them to get loans and left lingering headaches in trying to straight things out, officials said.“When you look at these types of crimes, you may think the victim is the vendor or the credit card companies,” Assistant U.S. Attorney Tom McHugh said. “What we see is that the person whose identity is stolen, his problems may go on for years.”

For more:  http://www.mysanantonio.com/news/local_news/article/Ringleader-pleads-in-S-A-s-largest-ID-theft-case-859510.php

Comments Off on Hospitality Industry Credit Card Risks: Hotel Owners And Management Must Store “Credit Card And Guest Receipts” In Secure Locations To Prevent Identity Theft

Filed under Crime, Guest Issues, Liability, Management And Ownership, Risk Management, Technology, Theft

Tagged as , , , ,

by | November 25, 2010 · 7:48 pm

Hotel Industry Cyber-Crime Risks: Hotels Are #1 Target For Credit Card Data Theft As Centralized Processing And Economic Downturn Delay Encryption Software Upgrades

 “Because of the downturn in the economy, a lot of industries have stopped upgrading their software,” he said. “So they’re very open for being hacked at any point.”
A recent study shows the hotel industry is especially open for being hacked.
 
“The main reason is they’re such a central hub for where people run their cards,” Jones said.

 
Recent studies show hackers steal credit card data from hotels more than any other industry. 

“It’s not if it’s going to happen, it’s when it’s going to happen,” said John Sileo, a Denver resident who had his credit card information stolen on a recent business trip. “The Driskill Hotel had an entire database of customer information stolen. Mine was one of them.”

“Because of the downturn in the economy, a lot of industries have stopped upgrading their software,” he said. “So they’re very open for being hacked at any point.”

A recent study shows the hotel industry is especially open for being hacked.

Ryan Jones, a data-security consultant with Trustwave, has been watching a steady increase in hotel hacking.

Trustwave found that out of all the hacking cases they investigated last year, 38 percent involved hotels, well ahead of financial services (banks) at 19 percent and retail at 14 percent.

Destination Hotels and Resorts, headquartered in Englewood, is just one of the major chains that got hacked.

This summer, they told guests at 21 hotels across the country that their credit cards might be compromised.”Because of the downturn in the economy, a lot of industries have stopped upgrading their software,” he said. “So they’re very open for being hacked at any point.”

A recent study shows the hotel industry is especially open for being hacked.

Ryan Jones, a data-security consultant with Trustwave, has been watching a steady increase in hotel hacking.

“The main reason is they’re such a central hub for where people run their cards,” Jones said.

Trustwave found that out of all the hacking cases they investigated last year, 38 percent involved hotels, well ahead of financial services (banks) at 19 percent and retail at 14 percent.

Destination Hotels and Resorts, headquartered in Englewood, is just one of the major chains that got hacked.

This summer, they told guests at 21 hotels across the country that their credit cards might be compromised.

For more:  http://www.thedenverchannel.com/money/25881609/detail.html

Comments Off on Hotel Industry Cyber-Crime Risks: Hotels Are #1 Target For Credit Card Data Theft As Centralized Processing And Economic Downturn Delay Encryption Software Upgrades

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Risk Management, Theft

Tagged as , , ,

by | September 9, 2010 · 3:46 am

Hospitality Industry Information Security: The Key To Cyber-Security Is Adopting Encryption AND Tokenization, But Payment Processors Must Adopt Standards First

“Encryption is a process that jumbles personal data into unreadable letters and numbers every time a credit card is swiped….

…Any info about that credit card going forward … none of the credit card information is stored, it’s the token that is stored.”

“Encryption fundamentally is a math algorithm, but it’s a very complicated math algorithm,” Roman said during a recent telephone interview. The information can only be deciphered with a key.

“When an encrypted signal is sent to the intended party, the intended party’s encryption has a key to decrypt and read the message and display it on the screen in readable alpha numerics,” Roman said. “It’s built into the receiving end of each encryption software.”

Encryption jumbles information as it’s transmitted from one system to the other, but it doesn’t necessarily account for data that’s being stored. That’s where tokenization comes in, said Chainrai Waney, an IT consultant who’s worked in data center operations for more than 25 years.

When that card is swiped there’s some sort of a front-end application that generates a token (a line of random numbers) that has nothing to do with that credit card number,” he said. “Any info about that credit card going forward … none of the credit card information is stored, it’s the token that is stored.”
 
A token is a globally unique identifier, generated randomly, and it only has meaning to the sender who provides it and to the processing center that’s purchased it, Roman said.

Noble has yet to adopt tokenization, Garrido said. The company is waiting for payment processors to make the next move.

“They’ve talked about being able to take the data out of the property,” he said. In other words, the processing companies would store the data and send a token back to vendors. No definitive solution has yet been approved, however.   ‘

For more:  http://www.hospitalitynet.org/external/4048209.html

Comments Off on Hospitality Industry Information Security: The Key To Cyber-Security Is Adopting Encryption AND Tokenization, But Payment Processors Must Adopt Standards First

Filed under Crime, Insurance, Liability, Risk Management, Theft, Training

Tagged as , , ,

by | August 7, 2010 · 6:55 am

Hospitality Industry Data Theft: Hotel Owners Must Prevent Breaches Of Credit Card Processing Systems By “Cyber-Criminals” Who Install “Malicious Programs” To Steal Data

“… remote attackers installed a malicious program into the card processing system of Englewood, Colo.-based hotel chain Destination Hotels & Resorts. Guests at 21 Destination properties may have been subjected to credit card theft…”

“..the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers’ card numbers, expiration dates and other data…”

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave. Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs.

As a result, attackers commonly gain entry into a hotel’s network by exploiting default passwords on point-of-sale (POS) applications, added Dave Ostertag, manager of investigative response at Verizon Business. From there, customized malware is loaded onto the hotel’s transaction server that steals credit card information as a transaction occurs.

In March, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers’ card numbers, expiration dates and other data.

For more:  http://www.scmagazineus.com/rampant-hotel-data-theft/article/174579/

Comments Off on Hospitality Industry Data Theft: Hotel Owners Must Prevent Breaches Of Credit Card Processing Systems By “Cyber-Criminals” Who Install “Malicious Programs” To Steal Data

Filed under Insurance, Liability, Privacy, Risk Management, Theft

Tagged as , , ,

by | July 18, 2010 · 12:13 pm

Hospitality Industry Cybercrime: Hotels And Restaurants Combine For Over 50% Of All Credit Card Data Theft Because Of Their Dependence On Credit Cards And Focus On Servicing Guests

“…According to a recent study, 38% of all credit card breaches occur in hotels…financial services industry accounts for 19% of breaches… Retailers 14%, and restaurants at 13%…”

Hotels are easy targets because they are all credit card-based. It is possible to reserve a room without providing a credit card number, but they don’t make it easy. And hotels themselves certainly aren’t fortresses designed to keep bad guys out. They’re designed to be open and inviting, with, at best, a bellman whose focus is assisting guests rather than guarding the front door. Maybe that mentality exists in hotels’ IT security departments, too.

The root of the issue is the hotel industry’s insufficient security measures to prevent data breaches. Many rely on older point of sale terminals and outdated operating systems, which are more vulnerable to hackers. When the recession hit, many hotels cut back and decided to hold off on upgrades.

While their defenses were down, hackers slithered into their networks to steal guests’ personal financial data. Once thieves have accessed this data, they can clone cards with the stolen numbers and use them to make unauthorized charges.

For more:   http://www.finextra.com/community/fullblog.aspx?id=4286

Comments Off on Hospitality Industry Cybercrime: Hotels And Restaurants Combine For Over 50% Of All Credit Card Data Theft Because Of Their Dependence On Credit Cards And Focus On Servicing Guests

Filed under Crime, Insurance, Liability, Theft

Tagged as , , , ,

by | July 8, 2010 · 11:46 am

Hotel Information Security Risks: Hotel Management Must Invest In Data Security Systems To Prevent Point-Of-Sale Theft Of Credit Card Data

“Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems.”

A study released this year by SpiderLabs, a part of the data-security consulting company Trustwave, found that 38 percent of the credit card hacking cases last year involved the hotel industry. The sector was well ahead of the financial services industry (19 percent), retailing (14.2 percent), and restaurants and bars (13 percent).

Why hotels? Well, to paraphrase the bank robber Willie Sutton, hackers hit hotels because that is where the richest vein of personal credit card data is. At hotels with inadequate data security, “the greatest amount of credit card information can be obtained using the most simplified methods,” said Anthony C. Roman, a private security investigator with extensive experience in the hotel industry.

“It doesn’t require brilliance on the part of the hacker,” Mr. Roman said. “Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems.”

For more:   http://finance.yahoo.com/news/Credit-Card-Hackers-Visit-nytimes-3300094848.html?x=0

2 Comments

Filed under Crime, Insurance, Risk Management, Theft

Tagged as , ,

by | June 24, 2010 · 11:39 am

Hotel Internet And Cybercrime Risks: Texas Hotel Management Company Is Targeted By Thieves Who Steal Dozens Of Customer Credit Card Accounts From Accounting System

“…the thieves made off with the credit card information of dozens of customers who ate at various Destination Hotels & Resorts properties, which are located in a total of 15 states…”

The Austin Police Department said thieves hacked intoThe Driskill Hotel management company’s accounting system and stole customer credit card information.

Authorities said they do not yet know exactly how many victims may have been affected, however, locally, police have received about three dozen complaints of fraudulent transactions, averaging $2,000-$3,000 each.

Losses are expected to total hundreds of thousands of dollars.  The United States Secret Service is also investigating.

For more:   http://www.news8austin.com/content/headlines/272023/driskill-hotel-customers-affected-by-credit-card-theft

Comments Off on Hotel Internet And Cybercrime Risks: Texas Hotel Management Company Is Targeted By Thieves Who Steal Dozens Of Customer Credit Card Accounts From Accounting System

Filed under Crime, Insurance, Liability, Theft

Tagged as , , ,

by | April 14, 2010 · 5:41 am

Hospitality Industry Risk: “PCI Security Standards” Should Be Implemented By Hotels And Restaurants To Protect Customer Data

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

(From a PCIsecuritystandards.org posting)   The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input, during the creation and review of proposed additions or modifications to the PCI DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for QSAs and ASVs. The PCI Security Standards Council also manages a global training and certification program for QSAs and ASVs, and will publish a directory of certified providers on this Web site.

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

4 Comments

Filed under Crime, Liability, Theft, Training

Tagged as , , ,

by | April 7, 2010 · 6:37 am

Hotel Cybercrime: Debit Cards Do Not Offer Same Protections As Credit Cards If Account Information Is Stolen

Jacque Tiegs of Clair Shores, Mich., had a similar experience a few years ago. She used her debit card at a hotel in Milwaukee for incidental charges and found out on her next month’s bank statement that someone had run up a $3,500 bill at another hotel of the same brand in Chicago. Her bank couldn’t (or wouldn’t) solve the problem, and the hotel claimed she had run up the charges. Only by threatening to go to the police and offering proof that she had been out of town on a work assignment was she able to get the charges reversed.

(From a WalletPop.com article)   Don’t think that the same protections you get from your credit card apply to your debit card. If someone steals your credit card number and runs up a big bill, you won’t be responsible for the fraudulent charges — at least not until the card company completes its investigation and probably not at all if they find evidence of fraud. But if someone steals your debit card information and starts charging away, you’re on the hook. The money comes straight out of your bank account. Not only are they your funds — with no one there to cover for you — but getting the money back can be a huge hassle that can easily take a month, if not more, to resolve.

Even if your money is only locked up temporarily, as Greg Meyer’s was, it can still be devastating, especially if you don’t have a large balance to tide you over. Not only that, but if the hold is greater than your balance, it can trip an overdraft protection and subsequent transactions can be denied or add to your overdraft woes.

So how do you protect yourself – and your debit card? “Be alert when there’s an opportunity for so-called ‘skimming’ or where people can look over your shoulder to track your PIN number,” says Tim Lukens, a senior vice president at Affinion Security Center, a company that makes anti-cybercrime software for big banks. Also, think twice before using your debit card at a restaurant, where you don’t actually see the server swiping it, or at gas stations, where surveillance cameras can record you keying in your PIN.

http://www.walletpop.com/blog/2010/03/31/debit-card-disasters-what-to-do-when-you-get-burned/

Comments Off on Hotel Cybercrime: Debit Cards Do Not Offer Same Protections As Credit Cards If Account Information Is Stolen

Filed under Crime, Liability, Theft

Tagged as , , ,