If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.
In a statement released Thursday, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a “small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks.” The list of affected hotels is here.
Chicago-based Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging (twice) and the Trump Collection.
U.S. banks have been transitioning to offering chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.
However, most of these chip cards will still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.
The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.
Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards, that card data is typically shipped to thieves here in the United States, who can counterfeit the cards and use them to steal merchandise from U.S.-based big box retailers.
What’s remarkable about the U.S. experiment with moving to chip cards is that the discussion about whether and when to move to more physical security (chips) in credit and debit cards has played out almost entirely apart from the move to impose expensive and increasingly labyrinthine compliance regulations (PCI) on merchants that wish to process or accept card transactions.
Instead of just mandating that banks and retailers shift in lockstep on a to handling chip cards, U.S. lawmakers and regulators have for years delegated (abdicated?) accountability for credit card security to a booming industry of auditors and assessors who’ve been trying to secure a technology (magnetic stripe-based cards) that is 60 years old and is about as secure as mailing your credit card number on a postcard.
For all the attention given to sophisticated new ATM and card skimming devices, for example, the technology included in skimmers to steal card data from the magnetic stripe need be no more sophisticated than the components of a 35-year-old Sony Walkman. I should note here that while the chip-based liability shift for retailers went into effect in October 2015, that same shift doesn’t extend to ATM machines until October 2016 and for unattended payment terminals (e.g. gas pumps) until October 2017.
As chip card adoption picks up here in the States and counterfeiting cards becomes more expensive for cyber thieves, we will start to hear about far fewer of these retail breaches. E-commerce providers will no doubt feel the brunt of this shift because the thieves don’t just go away when you make things harder on them — they go where there are more plentiful victims and fewer up-front costs. And for cybercrooks, there is a great deal of low-hanging fruit in the e-commerce sector (and there are plenty new businesses coming online for the first time every day).
There is another big shift in fraud that’s coming but that is probably not getting enough attention from the banks, retailers and e-commerce providers: It’s a safe bet that we can also expect a giant spike in account takeovers and in new account fraud. Both forms of fraud are closely linked to static consumer identity data (SSN, DOB, etc.) that is widely available in the cybercrime underground. Banks and retailers alike have a lot of work ahead of them to improve the reliability and scalability of systems for authenticating and really knowing their customers.
Instead, many financial institutions have squandered a great deal of their resources trying to figure out which retailers are exposing their customers’ cards. That’s because Visa, MasterCard and the other card associations won’t tell banks which retailers have been hit; they just send them incessant updates about specific card numbers that were suspected to have been compromised in a breach somewhere. It’s then up to the banks to work backwards from the breached cards and triangulate which merchants show up most frequently in a batch of given cards.
All of this probably explains why on any given week I’m contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they’re experiencing. As a journalist, this is a bit of a surreal situation, but I can’t complain much: It has allowed this author to break story after story about card breaches in the retail sector over the past two years.