Scam of the day – February 12, 2017 – Data breach at InterContinental Hotels

InterContinental Hotels became the latest hotel chain to disclose that it had been hacked by cybercriminals stealing credit card and debit card information, joining Kimpton Hotels, Marriot Hotels, Hyatt Hotels, Trump Hotels, Hilton, Mandarin Oriental and White Lodging which all suffered data breaches during the past year.  Trump Hotels was hacked twice in the last year.

According to a statement released by InterContinental, credit card and debit card processing equipment was infected with malware at restaurants and bars at their hotels between August and December of 2016. The full extent of the data breach has not yet been determined.  For a list of the affected restaurants, you can go to this link. https://www.ihg.com/content/us/en/customer-care/protecting-our-guests

It is not known yet whether the data breach is related to the hacking by the Russian organized crime group Carbanak, that, as reported recently by Brian Krebs managed to install malware into the credit and debit card processing equipment manufactured by MICROS used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at the bars and restaurants at the InterContinental hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, InterContinental and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

 

Scam of the day – July 15, 2016 – Omni Hotels data breach

Omni Hotels and Resorts just became the latest hotel chain to suffered a massive data breach joining Hyatt, Hotels, Starwood Hotels, Hilton Hotels and Trump Hotels who all suffered similar data breaches in the last year in which credit card and debit card information of their customers was stolen by unknown hackers.  Although the data breach at Omni was just recently discovered, it goes back to December 23, 2015 and was stealing credit card and debit card data from Omni Hotels up until June 14, 2016.  The Omni data breach affected forty-eight of Omni’s sixty hotels in North America.  As often is the case, hackers who steal the credit and debit card data sell it in large batches to other cybercriminals on a part of the Internet called the Dark Web.    The first batches of stolen credit cards and debit card information started turning up on the Dark Web in February of 2016.  The hotel industry continues to be an easy target for hackers as it is an industry that services large numbers of people and often the hotels are individually operated franchises rather than operating under a central data security system.  It should be noted, however, that Omni does not operate franchises.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Omni hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Omni and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Certainly if you have been an Omni customer since December 23, 2015 you should carefully review your credit and debit card statements for indications of identity theft and fraudulent charges.  If you were affected by this particular data breach, Omni  is offering free credit monitoring services for a year through AllClear ID.  You can sign up for these services by clicking on this link  https://omnihotels.allclearid.com/

Scam of the day – April 7, 2016 – Trump hotels hit again by apparent data breach

In July and  October of 2015 I reported to you about a massive data breach at the Trump Hotel Collection, which involved hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York that had gone for as long as a year before it was discovered.   Now as first reported by Brian Krebs,  Trump hotels in New York, Hawaii and Ontario, Canada apparently were hit with data breaches of their credit and debit card processing systems again.  As so often is the case in data breaches such as this, banks identified a pattern of fraudulent credit and debit card use that they  traced back to the affected Trump hotels.  The Trump Hotel Collection is presently investigating the apparent data breach.

Following the Trump hotels data breach of last year a lawsuit was filed in federal court in Missouri seeking class action status on behalf of the affected customers of Trump Hotels.  The lawsuit was filed by the law firm Hipskind & McAninch, which alleged that Trump Hotels were negligent in failing to remedy basic data security issues at their hotels, not discovering the data breach until long after it occurred and in failing to notify its customers in a timely fashion which put their customers at extreme risk of identity theft.   In the last year, hotels have been particularly targeted by hackers.

TIPS
If you used your credit and debit card at a Trump hotel in the affected cities, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.  However, as I will discuss in an upcoming scam of the day, the EMV smart chip credit cards are not a panacea to prevent data breaches although they represent a definite improvement in security.

Scam of the day – January 29, 2016 – Wendy’s suffers apparent data breach

Fast food hamburger chain Wendy’s announced that it had discovered “reports of unusual activity involving payment cards” at some of its restaurants and is presently investigating the matter in order to determine the full extent of the apparent data breach and where it occurred.    This story was first reported by Krebs on Security.  Wendy’s operates 5,600 company owned and franchised restaurants around the world although initial reports do not tend to indicate that the apparent data breach affected all stores.  As is so often the case, the apparent data breach was first discovered not by Wendy’s itself, but by credit card processing banks noticing a pattern of fraudulent use of credit and debit cards that could be traced back to Wendy’s restaurants.  In fact, at this time, the incident appears to follow the pattern that I described in a column I wrote for USA Today in September of 2014.  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

Wendy’s still uses the old fashioned magnetic strip credit cards which are much easier targets for hackers than the EMV chip cards which have been required to be used by companies since October of 2015.  The rules requiring companies to switch to the new smart cards carry no specific penalty, but in the event of a data breach can result in the company not using the EMV chip cards to be responsible for the costs of fraudulent use of stolen card information.  It should also be noted that although October 1, 2015 was the deadline for retailers to switch to EMV smart card processing for credit cards and debit cards to avoid liability in the event of a data breach, the deadline for ATMs and gas station pumps to switch to the EMV smart cards is not until October 1, 2017.

TIPS

As consumers the best thing we can do is to use your EMV chip card whenever possible.  Stores such as WallMart and Target have switched to the new cards.  If you have not yet received a new EMV chip card from your credit card company, contact them and get one as soon as possible.  It still is a good idea to not use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Wendy’s during the last year, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.

 

Scam of the day – December 30, 2015 – Hyatt Hotels suffers a data breach

Just before Christmas,  Hyatt Hotels announced that it had become the latest hotel chain to become the victim of a data breach joining Starwood Hotels, Hilton Hotels and Trump Hotels who all announced recently that their hotel chains had been the victims of data breaches in which the personal information of their customers was stolen by unknown hackers.  At this point in time, although Hyatt has confirmed that its payment processing system was infected with malware, it has not yet determined how long the data breach has been going on, which of its 627 hotels were affected and what specific information was stolen.  The data breach was discovered by Hyatt on November 30th, but it did not alert the public of the data breach until December 23rd.  Hyatt is still investigating the data breach and will release more information as it becomes known.

Two of the main reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandate credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Hyatt hotels, the information that it appears may have been stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hyatt and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.

Certainly if you have been a Hyatt customer within the past year, you should carefully review your credit and debit card statements for indications of identity theft and fraudulent charges.  Hyatt will be posting updates on its investigation on the website http://www.hyatt.com/protectingourcustomers/  You also can call Hyatt at 877-218-3036.

Scam of the day – September 29, 2015 – Hilton Hotels data breach

Hilton Hotels appear to be the latest in a long line of companies that have suffered a significant data breach involving credit cards and debit cards.  The hacking appears to have occurred between April 21, 2015 and July 27, 2015 although it may go back as far as November of 2014.  As is most often the case, the hacking was not discovered by Hilton, but rather by a number of credit card issuing banks that picked up a pattern of fraudulent charges that they were able to trace back to gift shops and restaurants at a number of Hilton properties which include not only Hilton Hotels, but Embassy Suites, Doubletree, Hampton Inn and Suites as well as the Waldorf Astoria Hotels and Resorts.  This type of data breach is something about which I wrote for USA Today in a column a year ago in which I explained the pattern for these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

For its part, Hilton released a statement saying, “Hilton Worldwide is strongly committed to protecting our customers’ credit card information.  We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously and we are looking into this matter.”

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards about which I wrote in detail in September 23rd’s Scam of the day.  New regulations mandate credit card issuers and retailers to switch over to the new smart EMV chip cards by October 1st or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so by October 1st.  If smart EMV chip cards had been used at Hilton, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hilton and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for we, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Hilton properties during the dates indicted above, you should carefully monitor your credit card account and bank account for any indication of a problem.

Scam of the day – August 12, 2015 – Data breach at Fred’s Pharmacy

Fred’s is a retail pharmacy and dollar store with 650 discount stores mostly located in the Southeastern United States.  On Monday, they announced that two servers that process credit card data after cards have been swiped at individual stores were hacked and data stolen from the magnetic strips of these cards.   Fred’s like most retailers in the United States still use the insecure magnetic stripe credit cards to process purchases rather than the more secure smart cards with computer chips that create a new authorization number for every transaction as are used throughout most of the rest of the world.  New rules that will go into effect in October will require all companies to start using the new smart cards or be held financially responsible for losses incurred through the use of continued use of magnetic stripe cards.  Some retailers, most notably Walmart have already switched to the safer smart cards.  The data breach appears to have occurred between March 23rd and April 24th.

TIPS

If you shopped at a Fred’s Pharmacy or Fred’s Super Dollar store in March and April, you may wish to check out the statement of Fred’s which you can reach through this link for more information including information as to specifically which stores were affected.  https://www.fredsinc.com/credit-card-security-incident/

You also should consider putting a credit freeze on your credit report.  You can find information about how to do this here in the Scamicide Archives.  In addition, you should monitor your credit card and debit card usage.  Of course, if you have been following my advice, you will have refrained from using your debit card for retail purchases because the liability protection you have when using your debit card is not nearly as strong as that you get when using a credit card.

Scam of the day – July 5, 2015 – Trump hotel chain hacked

Donald Trump seems to be constantly in the news these days.  Whether it is for declaring his candidacy for President of the United States or for making inflammatory comments, Trump is omnipresent in the media.  However, the latest Trump news event is not one with which he must be pleased.  It has just been disclosed that the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York has been hit with a Target-like credit card and debit card data breach that appears to have started at least as far back as February.  As with so many data breaches, it was discovered not by the company hacked but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.  This type of hacking and data breach is expected to happen again and again as companies still cling to the use of old fashioned credit and debit cards using magnetic strips rather than the more modern smart credit cards with computer chips that create a new one-time authorizing number each time the card is used.

Here is a link to a column I wrote for USA Today in September of 2014 in which I both described how these data breaches occurred and correctly predicted their continuing pattern. http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

There is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which you do business.  One important thing to do is to refrain from using your debit cards except in ATMs.  Using your debit card at retail establishments puts you at much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Although the deadline for companies being required to install smart credit card readers is months away, you should ask your credit card company for a replacement credit card with a computer chip now.  Some stores, most notably Wall Mart are already using the safer smart chip cards.  Whenever you can use the smart credit card, it is important to do so.

Scam of the day – October 22, 2014 – Staples becomes the latest data breach victim

Staples, the  popular office supply store is the latest major retailer to be hacked and suffer a data breach.  As I have written many times before, including in a column for USA Today in which I wrote about the data breaches following the same pattern each time, the news about the Staples data breach is in the early stage where the company announces that it is investigating what it calls a “potential” credit and debit card breach.  As I indicated in my USA Today column, http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ this is because the retailer generally does not discover that it has been hacked until banks monitoring fraudulent credit card use notice a pattern of fraudulent card use that lead back to the source of the stolen credit card and debit cards, which in this case was some Staples stores.  Ironically, earlier in the day before it announced the “potential” data breach, Staples announced that the Staples App would work with Apple Pay, the new pay by phone App in the iPhone 6.  Greater use of pay by phone and smart credit cards with chips would dramatically reduce the problems caused by the epidemic of data breaches targeting magnetic strip credit card and debit cards used throughout the United States.

TIPS

At the moment, we don’t yet know how long the Staples data breach, which initially appears to have been limited to stores in the Northeastern United States has been going on.  Certainly if you have shopped at a Staples store in the last six months you should carefully review your credit card statements and monitor your account carefully.  As always, I urge you not to use your debit card for retail purchases because of the greater risk of serious financial harm when compared to using a debit card which provides greater consumer protection.  As more information about this data breach becomes known, I will let you know.

Scam of the day – August 29, 2014 – J.P. Morgan and other banks hacked

The FBI is investigating an apparent hacking of banking giant J.P. Morgan and as many as four other banks by what initially appears to be sophisticated hackers from Eastern Europe.  Some are theorizing that the hacking was sponsored by the Russian government in retaliation for sanctions brought against Russia in the wake of its actions in relation to Ukraine.  Much sensitive data was compromised and stolen as a result of the hacking.  The initial investigation appears to be focusing on the exploitation of computer programs used by a J.P. Morgan employee to work from a remote location.  This type of exploitation of remote desktop software such as Microsoft’s Remote Desktop, Apple’s Remote Desktop, Chrome’s Remote Desktop, Splashtop, Pulseway and LogMein that enable the convenience of logging into a company’s computers from an off site location has proven to be a major security flaw that has been continually exploited in company after company for quite a while going back to Target’s hacking last year to the recent UPS hacking.  I have warned people about this flaw for sometime and the FBI has warned American businesses to watch for this.

TIPS

Banks are a frequent target of cyberattacks and American banks have generally done a good job in recent years in protecting data, however, as this latest hacking shows, more needs to be done, particularly in regard to the particular type of malware used in this attack which may be or be similar to the “Backoff” malware I have been warning about.  As for we as consumers, there is little we can do other than to carefully monitor all of our accounts, only use credit cards rather than debit cards for retail purchases and limit the amount of personal information you provide to any company or governmental agency with which you do business.  This will not be the last major hacking exploiting this flaw to occur.