Scam of the day – April 21, 2017 – Holiday Inn, Crowne Plaza and others hit by massive data breach

InterContinental Hotels Group, which operates Holiday Inn, Crowne Plaza, Hotel Indigo, Candlewood Suites and Staybridge Suites hotels, has announced that it suffered a data breach at an estimated 1,175 of its hotels. The hacking of the credit card processing systems at these hotels occurred between September 29, 2016 and December 29, 2016 and was discovered in December by credit card processing banks that uncovered a pattern of fraud that could be traced back to the affected hotels. I first reported to you about this in February.

InterContinental Hotels is just the latest hotel chain to disclose that it had been hacked by cybercriminals stealing credit card and debit card information, joining Kimpton Hotels, Marriott Hotels, Hyatt Hotels, Trump Hotels, Hilton, Mandarin Oriental and White Lodging, all of which suffered data breaches during the past year. Trump Hotels was hacked twice in the last year.

InterContinental is offering an interactive website where you can look up whether you stayed at one of the affected hotels. Here is a link to that website:

https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing

It is not yet known whether the data breach is related to the hacking by the Russian organized crime group Carbanak, which, as reported recently by Brian Krebs, managed to install malware into the credit and debit card processing equipment manufactured by MICROS that is used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic stripes rather than the safer smart EMV chip cards. Regulations effective October 1, 2015 mandated that credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment. If smart EMV chip cards had been used at the bars and restaurants at the InterContinental hotels, the card information that was stolen would have been worthless, but since they still used the old-fashioned magnetic stripe cards, InterContinental and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick-and-mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted more than a year ago, continue to occur again and again. As for us, as consumers, the best thing we can do is to refrain from using our debit cards as anything other than ATM cards, because consumers whose debit card security has been breached are not protected as much as they are when a credit card is used for fraudulent purchases. In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company. You should also regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – February 12, 2017 – Data breach at InterContinental Hotels

InterContinental Hotels became the latest hotel chain to disclose that it had been hacked by cybercriminals stealing credit card and debit card information, joining Kimpton Hotels, Marriott Hotels, Hyatt Hotels, Trump Hotels, Hilton, Mandarin Oriental and White Lodging, all of which suffered data breaches during the past year. Trump Hotels was hacked twice in the last year.

According to a statement released by InterContinental, credit card and debit card processing equipment was infected with malware at restaurants and bars at its hotels between August and December of 2016. The full extent of the data breach has not yet been determined. For a list of the affected restaurants, you can go to this link: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests

It is not yet known whether the data breach is related to the hacking by the Russian organized crime group Carbanak, which, as reported recently by Brian Krebs, managed to install malware into the credit and debit card processing equipment manufactured by MICROS that is used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic stripes rather than the safer smart EMV chip cards. Regulations effective October 1, 2015 mandated that credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment. If smart EMV chip cards had been used at the bars and restaurants at the InterContinental hotels, the card information that was stolen would have been worthless, but since they still used the old-fashioned magnetic stripe cards, InterContinental and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick-and-mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted more than a year ago, continue to occur again and again. As for us, as consumers, the best thing we can do is to refrain from using our debit cards as anything other than ATM cards, because consumers whose debit card security has been breached are not protected as much as they are when a credit card is used for fraudulent purchases. In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company. You should also regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – August 16, 2016 – More hotel data breaches

Yesterday, HEI Hotels and Resorts, a company that manages hotels operating under brand names such as Marriott, Hyatt and InterContinental, announced that 20 of its hotels suffered a data breach that resulted in hackers stealing customer names, credit and debit card account numbers, expiration dates and three-digit verification codes for tens of thousands of transactions going back as far as March of 2015.

It is not yet known whether the data breach is related to the hacking by the Russian organized crime group Carbanak, which, as reported recently by Brian Krebs, managed to install malware into the credit and debit card processing equipment manufactured by MICROS that is used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic stripes rather than the safer smart EMV chip cards. Regulations effective October 1, 2015 mandated that credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment. If smart EMV chip cards had been used at HEI’s hotels, the card information that was stolen would have been worthless, but since they still used the old-fashioned magnetic stripe cards, Kimpton and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick-and-mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted more than a year ago, continue to occur again and again. As for us, as consumers, the best we can do is to refrain from using our debit cards as anything other than ATM cards, because consumers whose debit card security has been breached are not protected as much as they are when a credit card is used for fraudulent purchases. In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company. You should also regularly monitor your credit card statements for indications of fraudulent use.

Here is a link where you can find out which hotels were affected by the data breach and when the data was compromised: http://www.heihotels.com/list-of-properties

Scam of the day – May 6, 2016 – Hacking group Anonymous threatens world banks

The world banking system is an increasing target of hackers and cybercriminals.   The recent cyber bank robbery of the Bangladesh Central Bank in which hackers succeeded in stealing approximately 81 million dollars is just the tip of the iceberg.  I reported to you in February of 2015 about the exploits of the Russian cybergang Carbanak that stole as much as a billion dollars from up to a hundred banks worldwide.  The full extent of the vulnerability of banks to cybercrime is still unknown because it is believed that many banks that have been victimized by cybercriminals don’t report the thefts to regulatory authorities due to vague standards mandating the reporting of such security breaches.

Now the international hacking collective Anonymous has announced on YouTube a new month-long campaign it is launching against banks around the world. It is referring to this campaign as Operation Icarus. Already, Anonymous has managed to take down the website of the Bank of Greece for a short period of time. The Bank of Greece has indicated, however, that no personal information was accessed and no data was lost. It remains to be seen how serious a threat is posed by Anonymous’ campaign against the banks, but it will be interesting to see what happens over the next month.

Here is a link to Anonymous’ video announcement of its campaign against the banks of the world: https://www.youtube.com/watch?v=GpGWaa3uCNo

TIPS

The vulnerabilities in the interconnected world banking system, as well as vulnerabilities in the security of individual banks, have been and are being exposed by hackers such as those in Carbanak and those responsible for the hacking of the Central Bank of Bangladesh. Greater attention to cybersecurity by banks around the world is critical. In addition, regulators both in the United States and around the world need to establish new standards by which all banks must operate to safeguard their accounts. As for us, the depositors in these institutions, the best we can do is monitor our own accounts regularly for fraudulent activity and make sure that we are not the weakest link when it comes to protecting our user names and passwords when doing online banking. We should also use dual factor authentication when doing online banking as an additional security measure.

Scam of the day – February 17, 2015 – Billion dollar international bank hacking

Russian cybersecurity company Kaspersky Lab issued a report yesterday disclosing what may well be the biggest bank hacking in history. The hacking of more than 100 banks in the United States, Japan, Switzerland, the Netherlands and primarily Russia was accomplished by a criminal group called the Carbanak cybergang, composed of Russians, Chinese and Europeans, who used advanced malware installed on the computers of the targeted banks to infiltrate the computers of the banks’ employees in charge of cash transfer systems and ATMs. They then installed a remote access tool (RAT) on these employees’ computers that enabled the hackers to see everything done on those computers, with the goal of mimicking the look of legitimate transactions when the hackers activated electronic transactions and programmed ATMs to dispense money at specific times, stealing as much as a billion dollars over the last two years.

TIPS

As of today, no bank has admitted that it was one of the affected banks. This makes fighting similar attacks more difficult, which is one reason President Obama has recently been advocating for a law to mandate public disclosure of such security breaches by financial institutions. An important aspect of this hacking that has often been overlooked in some early reporting of the story is that although the malware used to perpetrate this crime is amazingly sophisticated, the planting of the sophisticated malware into the computers of the targeted banks was accomplished by old-fashioned phishing emails that lured the bank employees to click on infected links. Everyone, including companies, governments and private individuals, has got to do a better job of not clicking on links, no matter how legitimate they may appear, until they have been confirmed to be legitimate. Remember my motto, “trust me, you can’t trust anyone.”