Passports coins

Credit Card Hackers as Excited About Your Vacation as You Are

When we set out on vacation, we like to think we’re getting away from it all and our only worry should be making flight connections. But hackers don’t take vacations, and they are just as excited about your vacation as you are. Why? Because while you’re enjoying yourself, they will be too when they skim your credit cards while you’re there. The recent credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels. The Trump Hotel Collection confirmed this week that their systems were breached from May of 2014 through June of this year. Hotels in Chicago, Las Vegas, Honolulu, Toronto, New York, and others were affected by what they say was malware that infected point-of-sale machines at restaurants, gift shops and other locations as well as the front desk terminals of the chain. It was first reported by Brian Krebs months earlier, based on sources in the banking industry, who regularly find themselves taking reported fraud claims and backtrack them to the common source point. Information compromised included account numbers, expiration dates, security codes and possibly also cardholder full names. But the Trump Hotel Collection is only the latest of these hotel hacks. In September, Hilton Hotel chain and its franchises, which includes the chains Embassy Suites, Doubletree, Hampton Inn Suites, and Waldorf Astoria Hotels & Resorts, revealed they too had been affected by a malware that ran undetected from at least April to July of 2015, but potentially going back as far as November 2014. That malware breach was contained to point-of-sale machines in and around the properties but not the front desk/registration. Before Hilton and Trump, the Mandarin Oriental chain announced a breach in March of this year of all of its American locations that began before Christmas of 2014. Before that, White Lodging, a parent company that maintains many national hotel brands, also confirmed a breach, and confirmed a second breach of the same kind, point-of-sale terminals, again this spring. Beginning in 2013 and culminating in 2014’s Year of The Data Breach, hackers made big headlines by hitting large retail chains like Target, Home Depot, Neiman Marcus, Sally Beauty, and others. While we can’t know for sure what hackers long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximize their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card testing scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we’ve seen, over 100% increase since February 2015. And par for the course,  affected hotel chains are offering 12 months of free identity theft protection, but these are temporary measures and don’t really protect against identity theft, just alert you after-the-fact. They are little better than automated canaries in the coal mine. If the information is out there, it’s only a matter of time before it’s tested and used. Instead of waiting for that shoe to drop, or bemoan how frequent these thefts are as if it’s simply the unavoidable cost of doing business in the digital age, it’s time to up our collective game. Behavioral analytics, using passive behavior detection that doesn’t rely on personally identifying information, protects customers transactions and companies from fraud with the same surety of knowing you locked the front door before you left on holiday.