Best Western Loses Details On 8 Million Customers
Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"
The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?
I stayed at Best Western in the US late last year. Luckily, I have since then changed to a different credit card than the one I used at the time.
The last time when a company I did business with lost my credit card details, I decided I wouldn't do anything about it until I really saw an unauthorized withdrawal from my account. Because in the past, when there was an unauthorized withdrawal (only happened to me once), a single phone call to the credit card company had been enough to get my money back (some 300 Euro). They said they would start to investigate it, but because it could take a long time, "here's your money back as a first measure."
With the recently stolen card info, I got a notice from my bank a few months later that they had to disable my card because there was an attempt to commit fraud with it. I got a new card with no further action required on my part.
Either way, this could turn out to be a big hassle for Best Western. If only they could let me know if my personal data was affected.
The article isn't too clear on this point, does it affect every Best Western Hotel or just in Europe?
As someone who's stayed at one within the past 12 months in the US, I'm curious to know.
From TFA:
This sounds a bit exaggerated to me. Greatest Cyber-Heist? What are the odds they just hadn't bothered to encrypt the details or had done something silly with the encryption keys?
They had them and now they don't. What are they going to do without them? I hope they find them.
I didn't see what the problem was until it got to the part about "compromised accounts", etc. I thought they just lost it, like a hard disk died or they shredded them accidentally. It took me until halfway down the page to realize they "lost" it to someone else.
I wonder if the burglars will leave a mint on my pillow when I go on vacation.
The summary is misleading:
The details weren't "lost"; the server was compromised and they were stolen.
This doesn't affect all Best Western hotels, just some European ones.
The details stolen are from 2007-2008 (up to 20 months)
'Best Western took immediate action to disable the compromised log-in account in question...
WHAT? In that case, they haven't lost the data due to carelessness (which I can just about forgive)- they've failed to secure their systems, which is criminally negligent.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations
We all know that's a very difficult attack when Windows is involved! Amazing cleverness here.
you had me at #!
If a business or government body is not taking due care with the private information they hold on the public which could lead to identity theft then they are at risk of being sued.
Get copies of the antivirus scanner logs from any business or governmental body for their desktops and laptops. You will have a large list of all the malware that was cleaned up post-infection. That malware was actually executed and run on the same computers handling your sensitive data. Some of that malware even exploited vulnerabilities in Microsoft applications and operating systems prior to an update fix being made available by Microsoft.
In comparison to any MacOSX or Linux based desktop, Microsoft's desktop operating systems and Microsoft's desktop applications face a disproportionately higher risk of being "infected" with hostile malware. Just relying on third party antivirus software to prop up Microsoft's flagging security record in no way puts you any closer to the level of security that a switch to another vendor's desktop platform can provide. ( Just updating to Vista is no guarantee of better security in comparison to another vendor's platform )
A business or government body is not taking due care with the private information they hold on the public if they continue to use Microsoft desktop OS environments or Microsoft desktop applications. That is your credit card data, banking details, health care info and social security information. If switching to Linux or MacOSX based desktops would greatly reduce the risk of further intrusion, why should organizations not be "encouraged" to make the move?
If anyone's customers are at greater risk of being sued for using a vendor's product, it is Microsoft's own customers.
From here :
Unlike other chains, which are often a mix of company-owned and franchised units, each Best Western hotel is an independently owned and operated franchise. Best Western does not offer franchises in the traditional sense (where both franchisee and franchisor are operating for-profit), however. Rather, Best Western operates as a nonprofit membership association, with each franchisee acting and voting as a member of the association.
I am the musician
with pocket calculator in hand
Kraftwerk
As I booked using a false ID and credit card got through identity fraud...
BTW that is a joke, I'd never stay in a Best Western Hotel. ;)
Best Western?
More like Worst Western amirite.
What if it is 2 people watching TV or listening to a 3rd voice on the radio?
--- You shall know the truth, and the truth shall make you mad- Neal (not Cowboy) Boortz
Great troll!
- Completely and totally unrelated to the article you're posting under.
- MS vs. everyone else.
- Suggesting class action lawsuits.
You sir, are a master troll. I give you a 9.0. A 10.0 can be achieved by adding in either some conspiracy theories, and adding some length to the post, and possibly using some "M$"'s.
I don't respond to AC's.
We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere. Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor? Because, well, did you see anything happening out of it? I didn't.
These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?
Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"the Sunday Herald understands that a hacker .. succeeded in .. placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored"
..
More likely someone got local access to plant the Trojan: one of the night staff hired at minimum wage, for instance; high turnover in staff, people hired off the street, with no security clearance.
The 'security' system at a tourist hostel I was familiar with kept customer records on a database in a locked room, except you could map into the machine from reception and get full access to the database, the passwords being kept in the clear; the same password was used to create swipecards for the electronic door system. I wrote it up, but there was no-one in management who could read. I guess it's still the same.
davecb5620@gmail.com
Please note The Sunday Herald is not really written with the "Internet Crowd" in mind. Think more along the lines of well-to-do Scots from the West Coast of Scotland who like to read something interesting with their breakfast and tea, rather than the data-protective, mainly American, Slashdot user.
Taking this into account, the details will be a little lighter than you would wish, for fear of boring the target audience of the paper into buying "Scotland on Sunday" instead. Well-to-do Scots from the West Coast of Scotland would also consider the use of the word "continental" to mean Continental Europe, rather than British Isles, as is common in this part of the world.
The issue is not so much that the data were stolen, though obviously that is bad; but that the hotel made it worse by keeping data on hand that weren't necessary. "Employment details"? WTF? I recognize that certain data are unavoidable in such a system; but I would like to see substantially greater penalties for those who compromise customer data that they don't even have a good reason for keeping.
Incidentally, when did we start using the term "lose" as a polite synonym for "fuck up in fine style"?
Someone got hold of an admin account, someone wrote a script to automate the downloading of the entire database. No-one noticed until the details popped up for sale on the web ..
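The scenario in the post above (a captured login, a script pulling the whole customer table, nobody noticing for months) is exactly what a volume check on the reservation database's query log is meant to catch: a front-desk clerk looks up one booking at a time, a dump script does not. The following is an added example, not code from the article or from any Best Western system; the log format, account names, terminal IDs, business hours and the 1000-rows-in-10-minutes threshold are assumptions, and the log lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, account, terminal,
# query kind, rows returned. The daytime lines are ordinary front-desk
# lookups; the 23:12 burst is a scripted bulk download under the same account.
SAMPLE_LOG = """\
2008-08-20T09:01:12 jsmith RES-07 SELECT_RESERVATION 1
2008-08-20T09:03:40 jsmith RES-07 SELECT_RESERVATION 1
2008-08-20T09:05:02 jsmith RES-07 UPDATE_RESERVATION 1
2008-08-20T09:07:55 mbrown RES-02 SELECT_RESERVATION 1
2008-08-20T09:40:10 mbrown RES-02 SELECT_RESERVATION 2
2008-08-20T23:12:01 jsmith RES-07 SELECT_RESERVATION 500
2008-08-20T23:12:03 jsmith RES-07 SELECT_RESERVATION 500
2008-08-20T23:12:05 jsmith RES-07 SELECT_RESERVATION 500
2008-08-20T23:12:07 jsmith RES-07 SELECT_RESERVATION 500
2008-08-21T08:30:00 mbrown RES-02 SELECT_RESERVATION 1
"""

BUSINESS_HOURS = range(6, 22)  # assumed: 06:00-21:59 is normal front-desk activity


def parse_log(text):
    """Parse the log into (timestamp, account, terminal, kind, rows) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, terminal, kind, rows = line.split()
        events.append((datetime.fromisoformat(ts), account, terminal, kind, int(rows)))
    events.sort(key=lambda e: e[0])
    return events


def find_bulk_reads(events, window=timedelta(minutes=10), max_rows=1000):
    """Alert once per burst when one account's SELECTs return more than
    max_rows inside any sliding window of length `window`."""
    recent = {}     # account -> deque of (timestamp, rows) still inside the window
    totals = {}     # account -> rows returned inside the window
    in_burst = set()
    alerts = []
    for ts, account, terminal, kind, rows in events:
        if kind != "SELECT_RESERVATION":
            continue
        q = recent.setdefault(account, deque())
        q.append((ts, rows))
        totals[account] = totals.get(account, 0) + rows
        # Slide the window: drop queries older than `window` before this one.
        while q and ts - q[0][0] > window:
            totals[account] -= q.popleft()[1]
        if totals[account] > max_rows:
            if account not in in_burst:
                in_burst.add(account)
                alerts.append({
                    "account": account,
                    "terminal": terminal,
                    "first": q[0][0],          # start of the burst
                    "detected": ts,
                    "rows": totals[account],
                    "off_hours": ts.hour not in BUSINESS_HOURS,
                })
        else:
            in_burst.discard(account)
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_reads(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, the check fires at 23:12:05 with 1500 rows from account jsmith on terminal RES-07, outside business hours; the daytime lookups never come close. A real deployment would feed the alert into whatever disables the account, which is the action the spokesperson describes taking, only months too late.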
"What of the risk to Microsoft's own customers from continuing to use Microsoft's demonstratively more insecure products?"
..
Yeah, what indemnification does the software provider give to the end user in such an eventuality? I mean, after all, they do indemnify you against getting sued (by whom?), as long as you use a 'covered' product.
What Best Western needs to focus on is a uniform standard for property and database management, and then put their foot down when their sources shirk the standards. Perhaps that would be a step toward fixing the myriad of problems.
the corporate bigwigs insist on a punch-card timekeeping system for labor-hours, to give you an idea of their misdirection of energies
pnorf
The best interests include paying for a private security detail for the peoples homes while they're away.
The closing of the account AFTER the information was stolen is priceless. The chickens have already flown the coop and you close the door anyhow. Lovely.
.. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company, so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).
Personally, I'm waiting until one of the token manufacturers gets a deal with VISA and Mastercard. After all, a credit card is but a reference number to the contract you have with a credit card provider, and a token can do that just as well. But it could change the static challenge-response PIN with something smarter, and some tokens I've seen are even capable of working securely over a standard web browser.
Let me translate that last one for you: no more "secure" terminals needed (which is where some hacks now happen), using a token could be as simple as integrating an iframe right into the POS display. Also means safer shopping at home, btw.
And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.
Insert
Ask your doctor if Seroquel is right for you.
I agree, I think you raise the most important point here. I previously worked in a business receiving card data and I'm sure, like most businesses, once we have your data (or your dollars - more specifically), we don't really do *that* much to protect it. As long as it is perfectly legal to be negligent, it'll be the case that exploitation is rife.
I record my sleeptalking
Is it really necessary to store that much data all in a central spot, accessible to the outside?
And isn't that a prime example for what we have a government at all? Here's something that is of general interest (i.e. keeping data secure from people who could abuse it), but not in the interest of the person holding it (because no company really "cares" about its customers, they care about your business, if that). What else do we have governments for if not to make sure that the general, public interest is upheld?
Do not put your info on a Windows-based server. 40% of https but 90% of the theft. The only problem with this is companies will access these servers using Windows boxes, which leaves corporate routes to steal passwords to the *nix/mainframe box, which is what accounts for the other 10% of theft.
The wording for this leaves a lot to be desired. The data about all the customers was not lost. When you lose something, you don't have it anymore. Similarly, the article states that their identities were stolen, which is not the commonly accepted usage of identity theft. Their identities could be stolen at a later time using the information that was compromised, but that is not what the article was trying to state.
- The article states that the passwords were leaked via a Microsoft desktop OS compromised by a password sniffing Trojan spread via a virus.
- Microsoft's OS and applications are at a disproportionately greater risk of being compromised than any other platform. That is a fact!
- Class action lawsuits are a valid method for the public to change the behavior of both large business and governmental agencies. For example, the EFF have been involved with many Class action lawsuits, to change the behavior of both business and governmental agencies.
Microsoft has been hinting that organizations deploying Linux are at risk from Microsoft's so called patents, however those same Microsoft customers face a much greater risk and loss from compromised Microsoft desktop systems.
And you, sir, are just another gutless nym-shifting Microsoft Astroturd who is not even worth rating.
Credit card numbers and other personal information are easily stolen, as this article makes clear. The credit card companies and others, like Best Western, who store their customers' personal data call this "identity theft" to make us consumers think that we are the victims, and must pay the price for the theft. A better name for what is happening is "information theft". Private information has been stolen from the company, and it is the company who should suffer the consequences.
I watch my credit card charges carefully. If I see something I don't recognize, I tell the credit card company to charge it back to the merchant. It was the merchant who was defrauded, and possibly someone else who leaked the personal information that enabled the fraud. I am not at fault and shouldn't have to pay.
If some inaccurate information should get into my credit report because of somebody pretending to be me, I would write a letter to the three credit reporting agencies explaining that their records are inaccurate: the person who took the reported action was not me. That should be all that is necessary to "clean up" my credit record.
I feel that keeping careful track of one's transactions is a necessity in today's world, and I have no problem doing it to protect myself.
Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor?
Criminal neglect?
Unless you have proof that their server getting hacked = criminal neglect, maybe you need to switch to decaf.
These companies cause problems to their customers by their careless handling of personal and financial data.
What article did you read where Best Western was portrayed as careless? I realize hyperbole is a /. tradition, but /.ers usually ground it in some type of fact. Did you RTFA?
The neglect is not in their servers being hackable. It's unreasonable to assume that a server is unhackable, no matter how it may be secured. The neglect is in the data being still available for the criminals to gain after a year has passed. How long do you need to process some credit card transaction? I would not complain (that much) if a month's worth of customer data was stolen. You need this information for possible complaints and booking changes. But a year's worth of data available for retrieval by a reservation terminal is anything but security conscious.
This is what I call neglect.
Now, it's reasonable to have the data on a backup tape. It is not reasonable to keep this information available online because it's convenient. And it certainly is not reasonable to make this information trivially available for anyone in the company from any terminal that's basically a POS terminal, not a terminal used internally where you can impose quite different security protocols.
This is what I call careless.
Yes, I did RTFA. And I know that it's common practice to do it this way because it's convenient for the company. But just because everyone does it doesn't mean it is in any way acceptable.
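One way to make the retention point above concrete in code. This is an added example, not code from the article, from Best Western, or from any real property-management system; the tokenization stand-in, the field names and the 30-day retention window are assumptions, and the bookings are constructed. The reservation table holds a payment token rather than the card number, strips the card reference and address when the guest departs, and sweeps departed records once the retention window has passed, so a compromised reservation terminal can only pull the guests currently in house rather than a year of history.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


class TokenVault:
    """Stand-in for the acquirer/PSP tokenization service (assumed). The card
    number lives only here; the reservation system holds an opaque token."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def revoke(self, token):
        self._pan_by_token.pop(token, None)


@dataclass
class Reservation:
    guest: str
    address: Optional[str]
    card_token: Optional[str]
    card_last4: str
    checkin: date
    checkout: date
    departed_on: Optional[date] = None


class ReservationStore:
    """Reservation table with purge-on-departure and a retention sweep."""

    def __init__(self, vault):
        self.vault = vault
        self.records = {}

    def book(self, ref, guest, address, pan, checkin, checkout):
        # The full PAN goes to the vault and is never written to this store;
        # the last four digits are enough to match a billing dispute.
        token = self.vault.tokenize(pan)
        self.records[ref] = Reservation(guest, address, token, pan[-4:], checkin, checkout)
        return token

    def depart(self, ref, today):
        # Checkout: settle, then drop everything a thief could use. Name,
        # stay dates and last four digits stay for complaints and chargebacks.
        r = self.records[ref]
        self.vault.revoke(r.card_token)
        r.card_token = None
        r.address = None
        r.departed_on = today

    def sweep(self, today, retention=timedelta(days=30)):
        # Delete departed stays older than the retention window outright.
        stale = [ref for ref, r in self.records.items()
                 if r.departed_on is not None and today - r.departed_on > retention]
        for ref in stale:
            del self.records[ref]
        return len(stale)

    def exposure(self):
        """What a compromised terminal account could pull right now."""
        recs = self.records.values()
        return {
            "records": len(self.records),
            "card_tokens": sum(1 for r in recs if r.card_token),
            "addresses": sum(1 for r in recs if r.address),
        }


def demo():
    """Constructed scenario: a year of monthly bookings, all but one departed."""
    store = ReservationStore(TokenVault())
    today = date(2008, 8, 24)
    for i in range(12):
        checkin = today - timedelta(days=30 * (i + 1))
        ref = f"R{i}"
        store.book(ref, f"guest{i}", f"{i} Main St", "4111111111111111",
                   checkin, checkin + timedelta(days=2))
        store.depart(ref, checkin + timedelta(days=2))
    store.book("R-now", "guest now", "99 High St", "5555555555554444",
               today - timedelta(days=1), today + timedelta(days=2))
    before = store.exposure()
    swept = store.sweep(today)
    return before, swept, store.exposure()


if __name__ == "__main__":
    print(demo())
```

With purge-on-departure, the thirteen bookings expose exactly one card token and one address before the sweep (the guest still in house), and the sweep removes the eleven departed stays older than thirty days; the one that departed 28 days ago is kept for dispute handling. Which fields are worth keeping, and for how long, is a business decision, but whatever the answer is, card numbers and home addresses of guests who checked out last year are not on the list.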
Most of the time, when I read a story along these lines (lost data, stolen data, client personal details incl. credit info), I have to ask myself "do they really need to archive all this data on their customers?"
Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!
I agree with parent 100%. And the best part? You can't use the services these companies offer without them storing your details. Ever try to lodge in a reputable hotel without providing personal information? Even if you pay cash, they won't sell you a room without name, address, driver's license number, etc.
I regularly go on surf trips with some of my less-financially-able friends, and we pack 6+ people into a Motel 6 room. We've never had a problem.
I think you're full of shit.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
They need to let the public know that the data has been found. A group of criminals has it safely stored away (and for sale).
The only reason I can think they would keep that information is so they can get more money when they sell it to marketing groups. It is not enough that they make money off me staying there, but they sell the information they get while I am there. That to me is greed and I don't like to deal with people or companies that are that greedy (although that is hard not to do).
--
My parents went to Slashdot and all I got was this lousy sig.
...why the spokesdrones for so many major companies are allowed to spew the most outrageous bullshit ("We care about our staff"; "The privacy of our guests is our number one concern", etc.), and nobody in the mainstream press ever calls them on it.
Even politicians, for whom lying is as easy and natural as breathing, are rarely so brazenly, in-your-face dishonest.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
The records involving elected officials should be unusually valuable.
If some of those are published, that could be interesting.
Yet we have "data loss" on an almost weekly basis and nothing happens.
This is why I am resisting my company's new policy of storing online and in a filing cabinet every employee's credit report, retail theft report, criminal check report, fingerprints, passport, birth certificate and self-declaration of any crimes for the last 7 years, including minor traffic violations. They intend to show this to any current or prospective clients (mostly large banks, many of whom lose that sort of data on a weekly basis) and also to release it if any of our customers audit us.
Unfortunately, I am now pretty much the only one resisting, so I guess I will be fired for not releasing information to the company that is none of the company's or any of the company's customers' business.
If you are not allowed to question your government then the government has answered your question.
What business is google in, if not the information collecting business?
I always give the hotel a business address - like that some criminal does not know where to go while I am at the hotel. I do the same with labels attached to luggage when flying. I have done this for years.
When will people learn to give the minimum of personal information that is absolutely necessary ?
I'm guessing this applies to those that were taking business trips and thus had additional info (company sponsored, conference room, etc).
I don't think I've ever been asked where I worked when booking at a Best Western (not that I use them often).
Those large corporate companies rely on anti-virus products to protect Microsoft OS desktops. There is no equivalent Linux plague of viruses in the wild to be concerned about. Even the threat to MacOSX based desktop systems is minute in comparison to the millions of Microsoft-targeting viruses out in the wild.
Microsoft's most widely deployed platform and applications have not been secured. The XP platform still has 30 unpatched vulnerabilities, the latest version of Internet Explorer still has 10 unpatched vulnerabilities, and Outlook 2003 ( the most widely deployed business version of Outlook ) still has one vulnerability outstanding from . Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected. These are all unpatched, widely known vulnerabilities, and are only the ones in Microsoft's own products, not to mention all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.
In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats.
Fact: Using a Microsoft based desktop puts you at a far higher risk of being hacked than either a Linux or Mac based desktop.
Any computer connected to the net can be compromised given a sufficiently intelligent/lucky hacker and enough time. The question you should be asking is did they take all reasonable and practical precautions to protect the machines?
Yet we have "data loss" on an almost weekly basis and nothing happens.
Who do you expect to fix it? Governments, particularly the one in the UK, are more incompetent about protecting their data (posting CDs, leaving things on trains etc) than most companies. Given that these are the people writing the laws do you really expect them to come down hard on the companies? It would be shooting themselves in the foot.
Best Western wasn't deprived of their backups, were they? So by famous Slashdot Meme-Think, the info "wasn't stolen", it was "infringed"!
Since people don't make money by selling their personal details anymore, you can always go to their houses for live performances!
Since the "making available" theory is in trouble these days, we look for actual proof of data download... which we have, right? Then can we get the FBI to go after these guys for statutory damages of 3*$1*8M = $24 Million? (Because many songs have shorter lyrics than what a hotel collects)
Grand Theft Prosecution FTW!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Corrected link for Outlook: System access, From remote, Unpatched, Known since 2004-07-12.
"Losing data" would be an operational mess for the organization.
"Disclosing data to criminals", which is what happened, is a mess for its customers.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Also from a more abstract point of view, read Increased security through open source.
I consulted briefly for Best Western in the US several years ago. I have also worked for a couple of other similar hotel chains for several years. I can tell you that at the time BW was years behind the other chains, and I would assume nothing has changed since then. They wasted millions of dollars on system upgrades that went nowhere, and since I left they have apparently offshored nearly all IT.
It is reasonably safe to assume that they only 'lost' European customer info from the numbers of hotels listed.
We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere.
Such laws aren't even applied to all actual terrorists either. Probably because it's too embarrassing for those in "authority" to admit either that terrorism is a risk of the level of "freak accidents" (at least in North America and Europe) or that the majority of actual terrorists can't be fitted into the Al Qaeda conspiracy theory...
Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor?
At least part of the difference is that there is often little effective law enforcement directed at "corporate people". Even when applicable laws actually exist. Even though the economic losses due to "corporate crime" are so large that a dedicated police force would probably pay for itself within a few years.
These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?
Or even something like: if a retailer stores credit card details without a good reason they forfeit their merchant accounts, are charged all costs involved in those credit cards being reissued, are denied access to any other bank accounts for a month, etc.
Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!
In many cases the information is of little use to either the customer or the business, even though it might be very valuable to criminals. A basis of effective data protection is "Don't collect and store it unless you absolutely need to". However, even places which have strong data protection laws tend to lack effective enforcement.
They didn't LOSE the data, they lost a COPY of it,
The neglect is in the data being still available for the criminals to gain after a year has passed. How long do you need to process some credit card transaction?
The only details which actually needed to be held in the system would be those of current individual guests, for theft/damage. Even then, such information only needs to be available to the specific hotel.
I would not complain (that much) if a month's worth of customer data was stolen. You need this information for possible complaints and booking changes.
But you don't need credit card data for this. Deposits are typically non refundable and if someone needs to increase their booking they can give card details there and then. Even with a hotel chain it tends to be perfectly possible for a customer to deal directly with a specific hotel too.
This is why I am resisting my company's new policy of storing online and in a filing cabinet every employees credit report, retail theft report, criminal check report, fingerprints, passport, birth certificate and self declaration of any crimes for the last 7 years including minor traffic violations.
What do they need this for in the first place? Who keeps the time-sensitive part up to date? Unless the employee is driving for the company, how are "traffic violations" even remotely relevant? (What about an employee who doesn't even drive to work?)
We need a Corporate Death Penalty. And since no actual human beings would be put to death, it should be applied fairly liberally. Seriously, a company that fucks up this badly doesn't really deserve to continue operating in any capacity.
If such a penalty were in existence you'd see all of these stories disappear overnight, and I don't mean because the guilty parties would be covering up their transgressions. I mean they would do whatever's necessary to protect their shareholders (the owners) from losing their investment. Security "best practices" would undergo a sea change almost overnight. Not that I expect the lobbyists to allow it to happen, of course.
Since I was booked to stay with one of my GFs over the next weekend, I have to stay home and pick up the calls before my wife answers them and opens Pandora's box. Damn! The credit card company may as well call on the home number.
What do they need this for in the first place?
I don't believe they need it at all. Supposedly they need it because we work with healthcare information and they say HIPAA requires it. HIPAA in and of itself does not require much of anything specifically. So everybody and their brother interprets it according to their own whim.
Who keeps the time sensitive part up to date?
The employees are supposed to let the company know if anything happens, such as a speeding ticket, bankruptcy or other change in credit report, if they get sued, if they get busted, etc. I also forgot that they also want us to take a drug test even though I just had a drug test at my previous employer. Also, they know my salary and should be fully aware that I can not afford drugs.
Unless the employee is driving for the company, how are "traffic violations" even remotely relevant? (What about an employee who doesn't even drive to work?)
Again, I don't think that it is any of the company's business. Traffic violations are not singled out as special. In fact it is the fact that they are excluded provisionally that makes them special. We are supposed to report everything including misdemeanors EXCEPT "traffic violations under $150". In my state and county the only traffic violation under $150 is driving or transporting a front seat passenger without wearing a seatbelt. So the minor traffic violation exclusion is not even an exclusion.
Best Western responds: http://tinyurl.com/5863g8 Partial reprint, PR gobbledy gook removed: Posted 6:37 p.m. EDT Aug. 24, 2008 "The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. [snip] The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel [snip] We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper. Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure. [snip] ...and again, we delete credit card information and all other personal information upon guest departure.
SOURCE: Best Western International"
I've got to get back to work. When I stop rowing, the slaveship just goes in circles.
I just stayed at two continental Best Westerns. Feh.
Pay in cash. Change hotels if they don't accept it.
If enough people did this then there would not be this kind of problem.
Before anyone wants to get on their high horse: Yes, I've experienced this problem before. Yes, every time a hotel clerk asks me for my photo ID, wants to photo copy it, or demands anything else I do ask "Why is this required?".
Interestingly, most of the time they say: "Safety - we need to know who is in the building if it catches fire". This was an interesting conversation one day as I took this one apart and they resorted to "If you don't like it then don't stay here". I later found out that the reason for this was the amount of backpackers, with the appropriately proportioned thieves and loose hangers-on, that came through the place.
Most of the time I say to them: You have my credit card. What more do you need? Want to know it's me? Sure, sight my licence.
If it's just me then normally I'd say that I don't drive, I don't drink and generally don't fly; alternatively that I've lost my wallet but can pay up front in cash as I always travel with spare and just happen to have enough to cover my stay.
Not only are you the only poster who points out here the bane of the universe that Windows truly is, you're the only person on the planet besides myself who seems to think it's time to hold Microsoft accountable for the sheer crapitude of their software design. Microsoft may have been passably competent before the intertubes came along, (bringing the Russian mafia to our doorstep) but at this point they're criminally negligent.
The main reason these holes exist in Windows is because Microsoft put profit and market dominance ahead of the interests of their customers.
There must be blood paid for this criminal negligence!
-- thinkyhead software and media
.. demonstrated in the UK: a wholesale transfer of liability.
Formerly the company had to prove it was you who authorised the transaction (i.e. fraud was their cost), now you have to prove it was NOT you who authorised the transaction - i.e. *you* carry the cost of fraud where they can get away with it.
Given that you have nil control over the systems where such data is held (nor are you to be assumed a security specialist who can spot a rigged terminal) I think the word "bastard" you use is justified. The problems are:
1 - you need credit cards if you have a normal life (note: card, NOT credit - that's the game you want to stay out of)
2 - is two companies in the whole world really enough not to be called a monopoly?
(1) is IMHO hard to fix, not because of hardware but because of coverage and size. There is no way to avoid those two. (2) is something that has always amazed me - why has this been left alone by anti-monopoly agencies?
This is now the 3rd or 4th "lost data" article here on /. and all were about "copies leaked". How long until the /. editors take note of the difference?
But then: maybe there are no /. editors - they are just a myth - maybe it's just a random number generator which pulls random articles off the Firehose....
Martin
You're first on my shitlist is what you are. I place people that waste the first post spot with drivel like this and that are not posting anonymously on my foes list, which allows me to easily ignore you completely in the future.
Thanks for identifying yourself.
Hmmm, I haven't seen anyone else post this yet so here is a response from BW:
http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid=%7BA87F9682-AC67-4803-A135-B6ACF42C0956%7D&dist=hppr
The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary.
It just could be a damage control response, but I'd say they have bigger problems on their hands if they denied it and it ended up that the original article was accurate.
If they've "lost" the records, how do they know it was 8 million people?
8M affected, and "call this number if you have any concerns".
Egad. Methinks they just sent their local telephone switch into meltdown.
-- Brad Felmey
We need laws like:
1) The storing of credit card details after a successful transaction has completed should be made illegal unless the customer explicitly agrees to each instance. There's no reason why Best Western or most other sellers should need to retain credit card details once they've got their money.
2) It should be illegal to store or hold personal data on others without their express consent for each instance of adding to their record.
3) It should be illegal to persistently store personal data of others in anything other than a military-grade level of encryption.
4) If the only way to get companies to tighten up security is to have them face a risk of going under, then so be it. Companies should be subject to automatic damages for loss of personal data. Anyone whose data is lost or otherwise compromised should be automatically given a significant payment for stress, inconvenience and risk. I'm thinking a minimum of $5000 to each person is appropriate.
Just called their customer service folks and was told that after investigation they find the issues mentioned in the article "unsubstantiated". We'll see. I'll contact my card company and warn them, then see what happens.
You must be the change you wish to see in the world - Gandhi
That more or less suggests that MC & Visa are about the only point of cohesion, and are in a good place to drive improvements. However, there is, of course, the observation that the sheer volume may create a challenge - it will at least happen slower.
I wonder what factors will drive up the cost of fraud to a point where there is active interest - at the moment it appears more to be considered the cost of doing business. That's no consolation for those that have to face the hassle and, in some cases, the costs and risks that come with a breach.
That's because a certain amount of fraud is part of the cost of doing business. Stores occasionally take returns of goods which were perfectly OK (until the buyer got their hands on it...), insurance companies occasionally receive claims for a house where the owner perhaps might know a little more about the fire than they claim to. And banks occasionally find people trying to defraud them of money.
The nature of that fraud may or may not involve someone on the inside. Given the number of people employed by most banks, it's practically inconceivable that every single employee is 100% honest. The fraud may be a million people stealing £1 or one person stealing £1 million, but it will always be there.
Fighting that fraud costs money. If a bank calculates that a new measure to fight fraud will cost £10 million but is only expected to save £500,000 worth fraud per annum, enacting the measure makes no sense.
Replacing every customer's credit card with something akin to an RSA SecurID card would mean reworking your systems so they don't expect a single, unchanging card number to tie to the account.
It would mean working with Visa to have such a card accepted as a Visa card worldwide.
It would mean updating every merchant terminal in every merchant in the world to work with the new system.
In cases where the merchant has decided not to use terminals and instead integrate accepting cards directly with their PoS system, it would mean asking these merchants to update their system or they won't be able to accept such cards.
This would be obscenely expensive and have obscene risk because it's not an incremental change like chip & PIN was. I can't see it being even remotely practical.
I said there were solutions, but I can't really talk about it because I work with the vendor that does IMHO the best solution (the main reason we're talking) - whatever I say will be deemed biased.
Instead, let me spell out what is interesting: you no longer NEED the secure terminal - all you need is a computer (or an iPhone) which can show Javascript, Flash or Animated GIF based images.
That means you can leave the POS designers to it - all you need is a window on the Web (read: you also use the same security at home, because you're using something that was originally designed to be used for private banking via the Internet). Man in the browser/middle, keylogging and trojans are thus no longer vectors of attack.
What this means is that that "price of fraud" suddenly acquires an unexpected component: the cost of upkeep of a secure terminal network falls away. Not big bang, gradually. In addition, retaining token numbers (formerly credit card numbers) will get you nothing because the number itself is useless without the support server.
Might be worth a spreadsheet model at Visa - the volume itself makes it interesting.
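The point made in the comment above, that a stored token number is worthless without the issuer's support server, as a toy model in Python. This is an added example, not code from the thread or from any vendor; the issuer, account id, merchant record and 16-digit token format are all constructed assumptions.

```python
# Toy model of one-time payment tokens replacing a static card number.
# Constructed example; not any real issuer's or vendor's scheme.
import hmac
import hashlib
import secrets


class IssuerServer:
    """Hypothetical issuer-side 'support server' that mints and redeems tokens."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-issuer HMAC key, never leaves the server
        self._counter = {}                   # account_id -> tokens issued so far
        self._unspent = {}                   # token -> account_id (burned on first use)

    def enrol(self, account_id):
        self._counter[account_id] = 0

    def _derive(self, account_id, n):
        # Token is an HMAC over (account, counter), truncated to 16 decimal digits
        # so it drops into the PAN field of an existing merchant record.
        mac = hmac.new(self._key, f"{account_id}:{n}".encode(), hashlib.sha256).digest()
        return str(int.from_bytes(mac[:8], "big") % 10**16).zfill(16)

    def next_token(self, account_id):
        """Cardholder's device (browser, phone) asks for a fresh token before paying."""
        n = self._counter[account_id]
        self._counter[account_id] = n + 1
        token = self._derive(account_id, n)
        self._unspent[token] = account_id
        return token

    def authorize(self, token):
        """Merchant submits the token; returns the account id once, then None forever."""
        return self._unspent.pop(token, None)


def merchant_stores_and_leaks(server, account_id):
    """Simulate a merchant that keeps the 'card number' on file and later loses the file."""
    token = server.next_token(account_id)
    merchant_db = {"guest": "A. Traveller", "pan_field": token}  # constructed stored record
    first = server.authorize(merchant_db["pan_field"])           # legitimate charge
    second = server.authorize(merchant_db["pan_field"])          # replay from the leaked copy
    return first, second


if __name__ == "__main__":
    issuer = IssuerServer()
    issuer.enrol("acct-1")
    print(merchant_stores_and_leaks(issuer, "acct-1"))  # ('acct-1', None)
```

A leaked database of such tokens carries the same exposure a list of already-used one-time passwords would: none, as long as the key and the unspent set stay on the issuer's side.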
I just got new credit and debit cards so I'm safe from this issue! Security by theft (patent pending.)