Hyatt Hotels Payment-Processing Systems Hit By Malware

itwbennett writes: Hyatt Hotels said Wednesday that it recently identified malware on the computers that run its payment-processing systems. And while Hyatt didn't provide more details on the breach, including how many customers might be affected, the alert to customers asking them to closely check their credit card statements suggests that hackers may have obtained critical credit card information. The breach is the latest in a series of attacks in the hospitality industry, which include Hilton Worldwide, Mandarin Oriental and Starwood Hotels & Resorts Worldwide.

Hyatt Hotels hit by malware ..

[nickweller]

By any chance was this Payment-Processing System running on Microsoft Windows?

Re:Hyatt Hotels hit by malware ..

[sinij]

Why would it matter? They would be equally screwed in all-Linux shop.

You don't stop targeted malware at OS level, you stop it at the network level when it attempts to dial home.

Re:Hyatt Hotels hit by malware ..

And how does that matter? This isn't 1998 anymore. All operating systems have vulnerabilities. All IT teams need to make decisions balancing security, manageability, reliability, cost, etc. All large IT teams have staffs with varying amount of intelligence and dedication. The choice is operating system has so little to do with it anymore. Grow up.

Re:Hyatt Hotels hit by malware ..

[ClaraBow]

How did you come to this quick conclusion? Do you have some insight? If not, then you are trolling.

Re:Hyatt Hotels hit by malware ..

[sinij]

'I run Linux, therefore I am secure', which is unstated premise of original post, is not justifiable position position in 2015. Especially when you are dealing with high-value target like payment processing.

Re:Hyatt Hotels hit by malware ..

Sorry I have to call bullshit on that. Windows is a closed proprietary system, the absolute last type of system you want to use on a "high-value target like payment processing". You're correct that running Linux is not a panacea; I think few are stating that. But it's been proven that 0-days are patched much more quickly on open source packages than waiting for Patch Tuesday or whatever Microsoft calls it now.

Most importantly, the closed source vendor may never release a patch to a dangerous flaw...a flaw that you may never have been made aware of!

Besides, most of these leaks we're seeing in the press appear to be inside jobs. A good question to ask is how many are happening without companies knowing about it. Using proprietary software just amplifies the number of ways that your system can break.

P.S. Btw, if your security plan is to rely on protecting yourself at the network level then you might as well hang it up, you're fscked. If the bad guys have the upper hand at the OS and application level they can do pretty much whatever they want.

Re:Hyatt Hotels hit by malware ..

[UncleTogie]

But it's been proven that 0-days are patched much more quickly on open source packages than waiting for Patch Tuesday or whatever Microsoft calls it now. Most importantly, the closed source vendor may never release a patch to a dangerous flaw...a flaw that you may never have been made aware of!

Thank God that open-source means that all code will be reviewed and will never have vulnerabilities. https://en.wikipedia.org/wiki/OpenSSL#Notable_vulnerabilities

But hey, let's see proof of the OSS movement patching 0-days quicker, please.

Directed attacks

[houghi]

This feels as if it was a directed attack. This could mean that the cards read were the cards used, not so much cards that where stored by them.

Obviously still an issue if that is the case, but if it happened that way, not blatently so. It also could be that it is just the web reservation. That would be worse than the terminals, because website will include cvv code and thus can be used much easier.

Re:shouldn't this be a solved problem by now?

[sinij]

How am I suppose to make profit if I can't put my nuclear reactor C&C on the internet?!

Constant Leaks

In my lifetime I have had my data leaked by (at least) a University I applied to, Home Depot, Target, T-Mobile, and my rental apartments that required a background check. I stayed at the Hyatt for Thanksgiving and recently booked there for a Wedding coming up. Just yesterday I got an email from Chase that my password/email/and phone number on the account was changed. How did they get through my secret pass phrase.... the operator gave them a new one because they knew my SSN (which the fraud dept said wouldn't happen), Capitalone also did this in the past (capitalone even allowed the scammer to make my new passcode question "what is my last name"). So this is the perfect system we have now. Constant leaks that I can't stop and constant attempts to change my cards and add loans. If you get a leak the company gives you 1-2 years of credit watching, because as we all know your SSN is only good for 2 years (sarcasm). You can block your credit for 7 years after a police report but they can still try taking over existing cards. I am sure I am just very unlucky but honestly this is a crazy system that I have to fight to keep my pristine credit. Only when the credit card companies start going after the leaks by charging the companies will we see a change. That or congress' info get leaked and they make a new bill allowing for a simple SSN change.

I worked on that system (almost 20 years ago)

At the time, it was a C program running on HP/UX. I'm guessing that they replaced it with a Windows-based system since then.

Panacea:

[vikingpower]

don't use credit cards. I don't. I pay cash. Car rentals, hotels, flights. Besides the fact that I don't incur debt - as "paying" with a credit card is actually paying with borrowed money - no data can be leaked. Sure, I am European and live in Europe. When I slap down € 2000 on the desk of a car rental company, I can drive away with a VW Golf. In the US it's virtually impossible to live without a credit card. Which demonstrates the sickness of the whole system, IMHO.

Re:Panacea:

[sglewis100]

Stolen cash is reimbursed by your bank at a rate of $0 reimbursed for every $1 lost. Credit cards are reimbursed at $1 to $1. I'm not advocating running up a lot of debt and paying interest, but man, would my business travel be almost impossible without the cards I use (and pay off 100% every month once I get my expense check deposited).

I'd also miss out on all the great deals, like the 60,000 miles I got for AA, plus priority boarding and free checked bags for using their Citi sponsored card. Try booking a flight, hotel and car without a card. And the companies don't care... yeah they don't get 19% interest off of me, but they still get a few points off the merchant.

I also found more favorable exchange rates in Europe, speaking of Europe using my card and getting billed direct in € than going through banks and exchange counters.

Incidentally... hoping that was a typo. € 2000 to rent a car?

Re:Panacea:

[vikingpower]

€2000 = deposit. Also, here in Europe, I can pay in cash for hotels and tickets, no problemo.

Re:Panacea:

[aaarrrgggh]

That is really poor use of your capital, amped a terrible sense of financial planning. If your weakness is you can't manage your spending without using cash, you should figure out how to deal with that. A credit card can offer rebate points, can have no up-front costs, offers fraud protection, etc. which make it a zero-cost or negative-cost tool.

Short term debt is financial leverage. If the goods you purchase have the same cost, there is no benefit to using cash.

Carrying a balance and paying interest though is stupid.

Re:Panacea:

[vikingpower]

Disagree. Expenses such as airline tickets and car rentals are to me, being an independent engineer, things I should be able to finance immediately out of my own pocket. Being able to do so is the result of sane financials. Running up debt for such things, even if it is short-term debt, is an unnecessary complication and inevitably has a cost. Short-term debt is only financial leverage iff it helps to secure a major deal that otherwise I could not have secured. Which has not happened until now. I learned all my financial planning from my mum, who managed to run our 2-children, 2-adult household from the income of a simple beekeeper, paying off the mortgage on a house in the process. Lesson #1: don't run up debts for consumption goods or services, ever. Ever. It has served me well.

Re:Panacea:

[vikingpower]

Ah, and here are lessons #2 and #3. Lesson #2: save 10% of what you earn, if you can (if you can't, save whatever you can ). Lesson #3: only cash and gold are money. A balance on a bank account is not real money. Stock isn't, either. Nor are governments bonds or loans to other people. All these things representmonetary value, and may one day be converted to money. They may also evaporate.

Re:Panacea:

[aaarrrgggh]

While my parents taught me the same things in terms of financial planning, it is still a poor strategy to use only cash. Income, spending, (savings), and financing are different issues. If you defer a cash outflow of $1,000 for 30 days that is $2-10 of interest you could have made. If you get "points" for credit card spending, that is another $10-20. If you think in terms of insuring the cash against theft or loss, that is another $10-20. How much value this has to a person is a function of how much they spend.

That said, if you can negotiate a $50 savings on that $1,000 transaction for using cash rather than credit it is clearly a better use of capital.

Re:Panacea:

[vikingpower]

Yes. Very often, when offering to pay cash, I can get € 50 off on, say, a €1000 transaction. People don't get to see cash a lot anymore these days, but they sure **love** it. Which is another reason to use cash I have grown so accustomed to I didn't even include it in my list of more formal reasons.

Re:shouldn't this be a solved problem by now?

[sglewis100]

Step 1: Don't put your payment processing system / nuclear reactor C&C / pacemaker on the internet.

Step 2: Profit.

I think step 1 cancels step 2. I'd go elsewhere. "Thank you for booking online at Hyatt.com for your discounted, prepaid hotel reservation. Please call 1-800-HYATT in the next 2 hours to secure your room by reading us your credit card number over the phone."

Payment processing systems need to have links to the Internet. Inbound (yes you can have firewalls and proxy servers in between) to receive payment information and outbound (so you can authorize transactions to your merchant processor).

They need to be fined. Heavily.

[grahamsaa]

Until customers aren't the only ones left on the hook in the case of breaches like this, companies like Hyatt aren't going to take security seriously. Sure, they might pony up for credit monitoring, but that does little to actually make customers whole if their identities are stolen or their bank accounts are emptied. If we were to start fining companies like this, say, $10,000 per card number / identity / sensitive detail stolen, I have a feeling these breaches would become far less common. Until we do this, we shouldn't expect Hyatt to care.