Hyatt Hotels, known for its high-end lodging options, has become the victim of a cybersecurity breach carried out through a point-of-sale attack. These attacks intercept the sale at the moment of purchase, usually in one of two ways:
- An additional scanner that reads a credit card’s magnetic stripe and stores the unencrypted data in its memory for a short period of time. The information is then sent to the hardware the scanner has been registered with, and is either exploited for personal use or, often, sold on underground websites.
- Malware that can infiltrate other software, access that software’s database and store the information within.
In Hyatt’s case, it is the latter, with cardholder name, expiration date, card number and internal verification code being among the compromised data. This particular malware exploits a weakness in typical PCI-DSS payment industry practice, which usually holds the information in encrypted format but allows it to be decrypted in memory for processing.
The industry is becoming increasingly aware of the problem but remains slow to react, with the U.S. being particularly slow to move from a magnetic stripe system to smartcards. Hotels in particular are vulnerable to these sorts of attacks because of the way that information is stored and because the industry practice is to hold that information longer than most others in order to keep up with customer bookings and service charges. Mark Bower, global director of product management at Hewlett Packard, believes this sort of attack will further encourage the transition to smartcards so as to avoid malware that takes advantage of magnetic stripe technology. The best way to avoid this sort of attack, however, is to always check personal bank statements for suspicious activity and to report any charges that have not been made personally.