News this week about a data breach at Hilton Worldwide has focused attention on what many security researchers say is an uptick in the use of point-of-sale (POS) system malware to steal payment card data from retailers and other organizations.
Hilton on Tuesday confirmed that unknown attackers had broken into some of its POS systems and stolen names, card numbers, expiration dates and security codes belonging to an unspecified number of credit and debit cardholders. But personal identification numbers (PINs) or addresses were not compromised, the company said.
[PoS malware, ways to trick new payment technology, and zero tolerance for down-time or slow-time make for a stressful combination. Read "Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats, Too."]
Hilton’s statement suggests that hackers had access to its POS systems for a total of at least 17 weeks spanning two different time periods, the first between Nov. 18 and Dec. 5, 2014 and the second between April 21 and July 27, 2015.
Hilton did not say whether this meant it suffered two separate incursions or whether the same hackers who had accessed its POS systems in 2014 accessed them again this year. As has become standard in such situations, the company has offered one year of free credit monitoring services to customers impacted by the breach.
Hilton is the second hotel chain to announce a breach in the past several days. Just last week, Starwood Hotels -- the owner of brands like Sheraton, Westin, and W Hotels -- disclosed that hackers had breached POS systems at over two dozen of its properties.
Like Hilton, Starwood did not disclose the number of people affected by the breach but confirmed that sensitive cardholder data had been compromised. In Starwood’s case, the relevant POS systems appear to have been attacked separately over a time span starting November 2014 and continuing through the end of June 2015.
The PoS malware responsible for the attacks on Hilton and Starwood have not been named. No indications have been given yet that the stealthy ModPOS, detailed by iSIGHT Partners this week, was to blame.
The breaches are just the beginning of what security analysts predict will be a spate of attacks on vulnerable POS systems this holiday season. “Point of sale (POS) systems – what consumers often call the checkout system - are often the weak link in the chain,” for retailers and businesses in the hospitality industry said Mark Bower, global director of product management for HPE Security following the recent attack on Starwood.
“A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” said Bower.
The holiday shopping rush creates the perfect opportunity for attackers to target POS systems, compliance services provider Trustwave said in a recent report. According to the company, some 40 percent of breaches in 2014 were POS-related, with almost all of them resulting from remote access vulnerabilities and weak passwords. Attackers targeted POS systems using at least 70 individual POS malware tools. Input validation errors stemming from SQL injection flaws and unpatched vulnerabilities caused 75 percent of the breaches that Trustwave reviewed.
Such issues could pose even bigger concerns this year, say some security vendors. For one thing, retailers are still only working to meet PCI 3.0 compliance requirements, says Chris Strand, senior director of compliance, Bit9+Carbon Black.
This is also the first holiday shopping season after the EMV liability shift went into effect, which means that in the event of payment card fraud, whichever party -- merchant or card issuer -- has failed to implement EMV Chip-and-PIN technology is the one stuck with liability for the fraud. Thus, EMV will now be in greater use, and many consumers will have an entirely new purchasing experience this season.
The fact that the end of life for Windows XP embedded is coming up in January adds to the problem, says Strand, referring to the fact that many POS systems still continue to run the operating system.