FTC Files Complaint Against Wyndham For Hotel Data Breaches

coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."

Sounds nice, I'd like to go there

[jandrese]

A data beach sounds like a wonderful place to go during the summer. You say the Wyndham has these? My bits have been looking mighty pale, they could really use some sun.

Re:Sounds nice, I'd like to go there

Yea, but the problem is any "land" would be sovereign land of the country. Sealand was possible because it was technically still protected by the UK but it could not be claimed by it. An island in the same location would have been claimed land. An island further and unclaimed by a nation would also be unprotected (meaning any nation could just attack you, you'd have to have your own military to defend it)

Re:Sounds nice, I'd like to go there

[MickyTheIdiot]

We just all need to calm down. The only thing leaked were those videos that end up on sites like "my-ex-girlfriend.com".

Re:Sounds nice, I'd like to go there

so THIS is where all the +3, Funny went: to -1, Offtopic.

also, asperger's.

So fine them money they already didn't spend?

[gelfling]

I suppose morally or ethically this is needed but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short sighted. Maybe a Wall Of Shame that requires them to post signs everywhere and on their websites, that Wyndam is REALLY bad and indifferent to security and they have and will probably again lose your data is what's needed.

Re:So fine them money they already didn't spend?

[drinkypoo]

If they didn't want to be fined money they didn't have, they shouldn't have done something they couldn't afford to do without exposing their customers to risk.

Re:So fine them money they already didn't spend?

[Stan92057]

Its called punishment. Its a business so taking its money is one of the things that can be done. I personally think the CEO should be jailed or whoever signed off on not securing the network

Re:So fine them money they already didn't spend?

[justdiver]

Regardless of whether they a). didn't have the money to properly secure their networks or b). had the money but didn't want to spend it they are responsible for the loss of data. They either knew their security was lax in which case don't offer wifi or they didn't know their security was lax in which case still don't offer wifi.

Re:So fine them money they already didn't spend?

I suppose morally or ethically this is needed but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short sighted. Maybe a Wall Of Shame that requires them to post signs everywhere and on their websites, that Wyndam is REALLY bad and indifferent to security and they have and will probably again lose your data is what's needed.

Companies only do what they need to to make money. Fining them serves as a warning to the company, and others, that it is expensive not to protect your customers' data.

I like the "wall of shame" idea, but I doubt it could be enforced without an act of congress (and congress doesn't act much, these days.) Fines are relatively simple.

Re:So fine them money they already didn't spend?

[BaileDelPepino]

I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.

Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine)

a. failed to use ... firewalls
b. allowed ... storage of payment card information in clear readable text;
...
d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
g. failed to adequately inventory computers connected to the ... network;
h. failed to ... conduct security investigations;
i. failed to ... monitor ... network for malware used in a previous intrusion; and
j. failed to adequately restrict third-party vendors’ access to ... property management systems ...

Re:So fine them money they already didn't spend?

[Gaygirlie]

The thing with fining companies is that there is no guarantee that the company will change its behaviour. Naming and shaming doesn't really work either, there's just so many different ways of spinning PR around that your average Joe won't be any smarter in the end, and besides, naming and shaming still doesn't protect e.g. credit card data. What I mean is that FTC levying fines is merely a slap on the wrist and doesn't actually help the customers themselves. Wouldn't it then be more productive if the companies in question were instead forced to hire an FTC-appointed network security inspector and apply any and all changes the inspector tells them to at their own cost? It would still be a hassle for the company, it would be an indirect fine, it would be a punishment for them, and in the end it would actually, really serve a proper function in protecting their customers. (Tbh, I don't think FTC has the power to do this kind of a thing, but that could likely be fixed via a new law.)

Re:So fine them money they already didn't spend?

[pnutjam]

Think I might have to draft up a mailer for the hotels in my area. Drum up some business.

Re:So fine them money they already didn't spend?

[netwarerip]

Wouldn't it then be more productive if the companies in question were instead forced to hire an FTC-appointed network security inspector and apply any and all changes the inspector tells them to at their own cost?

In theory that would work, but in reality they will just end up getting someone a lot like the OCC, FRB, and state banking authority auditors. They are ridiculously uninformed and ignorant about security practices and IT in general. They will go thru a generic checklist, demand stupid policy documents, and basically waste time and money on both ends (the gov'ts and the company's).

Re:So fine them money they already didn't spend?

[uigrad_2000]

Hotels are a well-known "wild west".

If you are linux, turn on firewall logging, and check out the results. If you are on Windows, fire up Zone Alarm. You'll probably be hammered on port 445 with worms/viruses attempting to propagate through Windows sharing. As far as I can tell, Windows Firewall doesn't detect these attacks, but I'm not a Windows expert. It's sad that a product called "Windows Firewall" lacks the most important part of the title (the firewall).

After you see the repeating pattern (for example, new request every 40 seconds, or something similar), walk down to the front desk and try to report it. You'll probably be met with blank stares. Any way you attempt explain the issue will not work, unless you can include the key phrases "blinking light" or "reboot". Good luck with that.

I don't want to defend this hotel chain too much, but I don't expect this to change any time soon. All the things in your list probably fit into the generic definition of "industry standard practices." Actual security would be far above industry standards. :(

Re:So fine them money they already didn't spend?

[Killall+-9+Bash]

f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase âoemicrosâ as both the user ID and the password;

I happen to know for a fact that both Micros and Aloha use "customer/customer" as the default windows username & password for their POS servers... and it wouldn't surprise me if other POS software vendors used customer/customer as well. micros/micros is a slight improvement over default, given that it isn't customer/customer.

j. failed to adequately restrict third-party vendorsâ(TM) access to ... property management systems ...

You think Micros won't remotely shut your shit down if you "forget" to pay your bill? J. is impossible. POS vendors want/need/will not give up remote management capability. Might as well damn them for not securing the NSA backdoor on their windows servers.

Re:So fine them money they already didn't spend?

I AM LINUX! How did you guess?

Re:So fine them money they already didn't spend?

[hsqueak]

There's a reason I use a secure VPN every time I travel.

Agreed

[NoleusMaximus]

They should be required to notify their guests of their bad record of protecting data.

The processing firms don't exactly help.

[jimicus]

Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.

But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.

PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.

The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.

Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?

Re:The processing firms don't exactly help.

I believe it is because there is a difference between VTs that operate as a standalone piece of software on the laptop and VTs that operate through a web browser window. The VTs that are like PoS terminals on laptops are regulated as you say. The web-based VTs are treated the same as payments through any web-based merchant.

Re:The processing firms don't exactly help.

I have slight involvement in this. Two comments:

First, the "expensive card machine" isn't that expensive. We just bought one for about $300. It does require a dedicated phone line, but supposedly there is a version that works over ethernet and doesn't require the VLAN separation.

Second, I have the separate PC installed behind a firewall, but it is a pain in the neck. It is supposed to be scanned for vulnerabilities monthly, plus kept up to date with Windows patches. Yes, I said windows, because the website we use is tied to Windows+IE. Would love to stick a bsd box in there with some other web browser, but it isn't supported. Oh, and the windows update site isn't on the list of allowable hosts to connect to, so I have to sneaker net patches onto it.

The auditor suggested we ditch the computer and get the pinpad device, but now we're not sure it will work for us. Doesn't seem to be possible to issue refunds on it, or get the monthly reports that the PC produces.

Re:The processing firms don't exactly help.

[plover]

The problem here is a fundamental disconnect in how hotels do business with how card security is mandated.

Hotels don't trust travelers to pay after their stay. They don't want to ask you to pay up front, either, because then they can't give you the seamless sign-it-to-my-room experience. Credit card account numbers offered an easy middle path: "we'll hold your card number until checkout." it harkens from a bygone era where credit was the exclusive province of the wealthy, who were de facto trusted to pay. Hotels were glad to be able to extend the same profitable conveniences to anyone who could pay on credit.

So they've built an entire business model on storing credit card data, rather than a pay-as-you-go system. But account numbers alone simply aren't a safe way to do that. PCI DSS says they can't store cleartext account numbers beyond the time it takes to authorize them. Yet they still do.

Again, the fix is the same as is needed across the credit industry: separate identification from authorization. Then the hotels can store the account all they want, it's valueless without the authorization needed to release your money. At the pool, getting a drink? I dont need the card, just my auth to charge it.

They can provide a simulation of this if they could securely store the card, but they pretty much suck at it.

The card networks should tell Wyndham, "sorry, no holding cards at all. Don't trust your guests? Not our problem, switch to a pay-as-you-go system."

Re:The processing firms don't exactly help.

[jimicus]

Makes a lot of sense. I've seen plenty of businesses that take cards and it's amazing how many of them seem to totally ignore PCI-DSS.

I can only come up with two possible explanations:

1. My understanding of PCI-DSS is totally wrong.
2. It's not really enforced to any significant extent - it just gives the bank a slightly bigger stick to beat you with if you don't comply.

Re:The processing firms don't exactly help.

[plover]

I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)

As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit trans a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million dollars per year (or more!) in compliance audits. Get down to the small business level of Linn Wu's Chinese Kitchen, and she doesn't care too much if she writes your card number down over the phone when she's taking your order. She might face a $150 fine for non-compliance, and that's only if someone complains.

Where PCI DSS makes most of a difference is if you have a breach. Then, they'll retroactively audit you, find out wherever the leak originated and then fine you like crazy for being out of compliance. The really weird thing is it doesn't matter what your pre-breach auditor determined whether or not you were in compliance - if you were breached, you couldn't have been compliant because had you been following their rules you obviously would have stopped the attack!

It's a noisy and expensive game that's making a small mountain of QSA auditing firms rich, but is providing little more than a dubious amount of "protection" to the retailers. And by "protection", I mean definition 5 of protection as in "Well suppose some of your tanks was to get broken and troops started getting lost, or fights started breaking out during general inspection, like. It wouldn't be good for business, would it, Colonel?"

On the flip side, it seems to be having a positive effect on security. The attacks have had to become much more sophisticated, meaning the attackers need that much more skill to pull them off. That keeps more of the riff-raff skript kiddi3s out. And really, I think it stops a lot more of the internal theft of data by unskilled workers.

Re:The processing firms don't exactly help.

[jimicus]

Thanks for your insight.

Your description isn't far off how it looked to me as an outsider: a set of rules you're meant to comply with but aren't really enforced unless it becomes glaringly obvious that something's gone horribly wrong.

Re:The processing firms don't exactly help.

[jimicus]

Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.

But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.

Re:The processing firms don't exactly help.

[plover]

Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.

But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.

Regarding your first comment, audits of Tier 1 and Tier 2 retailers are strongly enforced. The last count I saw was 6 million merchants accepting Visa, but fewer than 50 are Tier 1, and less than a thousand are Tier 2. Tier 4 is where the vast majority of retailers are, and there is pretty much nothing done at that level - payment processors simply don't accept anything there that doesn't come through their provided-or-certified payment terminals. Tier 3 is kind of hit-or-miss.

PCI-DSS permits the storage (when properly protected) of the Primary Account Number and the expiration date. But it explicitly prohibits the storage of CVV2 and/or track data beyond the amount of time it takes to perform the authorization request. So technically, you can keep enough data to put another transaction through at a later date. Whether or not you will get paid for it is a different question.

Something that is often confused when dealing with credit transactions is that there are typically two interactions between the merchant and the issuing bank: the authorization, and the settlement. In authorization, the data is sent to the bank, and the bank decides whether or not to approve the transaction. If they approve, they return an approval code. In settlement, the merchant sends their transactions to the bank, and the bank transfers the money to the merchant. Technically, the bank only has to pay those that they agreed to during the approval process (those with valid approval codes.) They may also pay the unapproved transactions, but with the understanding that the merchant accepts all risk of the transaction, meaning if the customer complains to their bank about an unwanted charge that the bank didn't approve, the bank will be reimbursed by the merchant. These are called chargebacks. (Typically this is all done through intermediaries known as payment processors, but they're not important to the understanding.)

Now look at authorization. The bank has to decide within a few milliseconds whether or not to extend credit to this person. They use rules: is this account behind on its payments? Is it over its credit limit? And they look for fraud: are they truly convinced that it's the account holder with his or her card, or is this a fraudulent use of the account number? Are the authorization requests suddenly originating from an Estonian cyber cafe? Another factor is whether or not the card is present. Their evidence is if the track data is included in the authorization.

Merchants are given incentive to send "Card Present" authorization requests as much as possible, as they qualify for the lowest interchange rate (lower per-transaction fees to the merchant.) If a merchant sends too many "Card Not Present" requests, their interchange rates will rise, due to the increased risk of fraud. In addition, the merchant assumes the risk for chargebacks for all CNP authorizations.

So if all you have is account number and expiration date, you can still send an authorization request, but it will be an expensive CNP request.

Authorization is an optional step. The merchant can decide on their own whether or not to accept your credit card. So, using just the account number and expiration date, a merchant can put through a settlement request with no authorization at all. Depending on the bank and merchant, the bank will likely pay; but as in the card not present transaction, the merchant assumes all risk.

And finally, debit is a different animal altogether. Authorization and set

So I put on my data breeches and my wizard hat and

[vlm]

So I put on my data breeches and my wizard hat and ...

Wyndham: Do these data breeches make my butt look fat?
FTC: Um... later honey I have some paperwork to file.

Or maybe this the start of a new advertising campaign by wyndham
"Ladies... don't like how data breeches make your butt look fat down at the poolside? Well come to Wyndham instead and relax in our spa, now featuring homeopathic computer security"

Conversation overheard at the defcon bar: "So I was social engineering the hotel firewall chick, and I charmed her outta her data breeches. At that point, I'm thinking third base for sure then I discovered it was a trap so I got the FTC to go after she/he for false advertising"

So... I heard the Wyndham has same day dry cleaning service as a perk, but if you send out your data breeches, rather than getting them back same day, everyone in .ru gets a copy of them.

That's all the time I got for /. standup comedy right now, thank you and I'll be here all night.

Isn't the FBI in FAVOUR of data breaches?

[ReallyEvilCanine]

Why yes.

Yes, yes they do.

It was just last month I was reading about it. Again.

Or is it that they only want this access for themselves and you're a tairist if you don't think the FBI should have all access to all your activities and communications.

Buyer Beware?

[realsilly]

I am guessing that the Wyndham was charging for "secure" access, but if they were only charging for access, then wouldn't that be a case of Buyer Beware?

It is still important for users to be wary of any network not their own personal or work network. Since you can't control the access point, don't assume the 3rd party is either.

Encrypt your info and think before you use another's internet access.

Hotel's responsiblity?

[DeTech]

And a hotel is responsible for network integrity why?

It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

Re:Hotel's responsiblity?

[vlm]

And a hotel is responsible for network integrity why?

  It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

The complaint was mostly about internal office stuff, their office stores your credit card info digitally, unencrypted, networked, in ready to steal format, that sort of mistake.
Not so much about the complimentary wifi for guests.

Re:Hotel's responsiblity?

[DeTech]

what read TFA?

Yeah it looks like they're just getting pinged for not implementing any personal data sanitation. Really makes you think about all those 3rd rate machines we swipe into daily.

Re:So I put on my data breeches and my wizard hat

[vlm]

Oh I got another one. Breeches, those are pants, right? Well Wyndham-style data breeches, those are pants with a "leather chaps" cut, such that the legs are covered and the fun parts are hanging out for all to see. Get it, data breeches?

I'm gonna make a lotta money selling my UEFI boot secret signing key tee shirts and data breeches as a package deal.

There's always witty data beaches jokes, once I tire of breeches jokes. "Stay at the Wyndam, right on the sandy data beaches of the holodeck."

Anecdotal evidence-

that's hilarious, i actually stayed at a wyndham "microtel" last week on my way to florida, network was completely open, and i got hit with a man in the middle attempt within seconds of getting online, tried to knock me off https logging into facebook.

PCI audits are not actually required

[gelfling]

PCI audits are nice to have and companies want them and auditors are happy to do them but failing a PCI audit doesn't actually mean much. There's no regulatory penalty for failing one or failing all of them. Unlike HIPAA where there are real albeit rarely applied penalities, for PCI no such thing exists.

Re:PCI audits are not actually required

[netwarerip]

Banking regulatory agency audits are not the same as PCI audits. The OCC can, and has, shut down a bank for failure to comply. Any 'National' bank must comply with the OCC regulators' demands. I worked at one that didn't like the 'raw deal' they got from the OCC so they dropped their national charter (went from being Shady National Bank to Shady Bank, and getting a state charter). Problem is, every OCC (and FRB, and state) audit is long on things like lending policy and HMDA compliance and short on legitimate IT concerns. It's always been just a dog and pony show on that end, because they have accountants auditing IT, and accountants are idiots.
BTW, HIPAA and GLBA are basically one and the same, and banks must comply with GLBA.

Data Breaches

[chinton]

Sounds like a pair of pants with a USB cable.

The former CSO is now pitching risk software

And according to this article http://www.darkreading.com/security-monitoring/167901086/security/security-management/240002778/startup-arms-csos-with-heat-maps.html, the former CSO of Wyndham is the CTO/CISO for a new start-up that is selling software to help C-level executives better understand risk in their organization.