New Trump hotel attack shows giant security gap in how you pay with plastic

Malicious hackers may have hit Trump’s credit card payment system a second time, and in the same way.

It used to be that you worried a thief could steal your credit card out of your wallet and go on a spending spree. Now, they can steal your card even as you hold it in your hand.

Crooks have invaded the computer system that runs the point-of-sale devices, the little machines where you slide your card to pay at the grocery store or hotel gift shop. And it looks like they may have hit presidential candidate Donald Trump’s hotels yet again.

Sources in the financial sector have told Brian Krebs of KrebsOnSecurity that they have seen a “pattern of fraud” on cards from customers of the Trump Hotel Collection since the beginning of this year.

Last year, Krebs reported—and the Trump Hotel Collection finally confirmed—that malware on its card payment system stole guests’ card information at properties from Toronto to Hawaii. 

“We are in the midst of a thorough investigation on this matter and are working with the U.S. Secret Service and the FBI to help catch these criminals and prosecute to the full extent of the law,” Trump’s son Eric said in a statement yesterday, as reported by CNBC. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

Fallout

The new report of a possible credit card breach brought snickers from some observers, as Trump has made big claims about cybersecurity.

After the last breach, the Trump Hotel Collection said, “We are confident that customers can safely use payment cards at all of our properties.”

Trump told the New York Times that the U.S. is “so obsolete” in cyber.

“We’re the ones that sort of were very much involved with the creation, but we’re so obsolete, we just seem to be toyed with by so many different countries, already,” he said. “We are frankly not being led very well in terms of the protection of this country.”

“Make Trump hotels great again,” joked one commenter online.

“Hackers, you’re fired!” said another.

“For all his braggadocio it seems that Trump is simply inadequate when it comes to the subject of security,” said Dave Lewis of Liquidmatrix Security Digest. “How can a country expect Trump to lead them when he can’t even get his hands around his own company’s network security?”

Who did it?

Some members of the hacktivist collective Anonymous declared “war” on Trump and promised April 1 as a target date. At least two of Trump’s sites were successfully attacked on that day, reported Tech Insider.

But cybersecurity experts say Anonymous may not be behind the latest breach report.

“Even though Donald Trump has been publicly targeted by the Anonymous hacker group, we can’t attribute the credit card breaches to a single group without a more detailed forensic investigation,” said Travis Smith with cybersecurity company Tripwire.

“As a retail business, it’s entirely possible that these attacks were carried out by a criminal group only interested in the value of the credit card data,” he told Archer News.

“Since it’s known that Trump-owned entities are actively being targeted, copycat cyber criminals can take advantage of the noise of the other attacks to carry out their own,” Smith said.

Trump’s family attributed the newest incident to “cyber terrorists.”

“Like virtually every other company these days, we are routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses,” said Eric Trump in his statement.

How it happens

You might do quick recon when using an ATM, checking to see if someone is standing too close, or covering the keypad with your hand while you type in your PIN.

But the thieves are not hanging around card payment machines at hotels to jot down your credit card number. They get it by faking their way into the hotel’s computer network, Smith said.

“A common theme among many point-of-sale attacks is using valid credentials to get into the network,” he said. 

“The gold mine would be for an attacker to compromise a network or systems administrator’s credentials, but even a third-party vendor’s credentials have proven to be sufficient in obtaining access,” he explained. 

Once inside, they will set up a way to secretly suck out the credit and debit card info as it comes in, perhaps in small bits so that companies don’t know the data is leaking out.

“To evade detection, the malware will try to hide from security tools,” Smith said.

Race to infect

Even if you didn’t stay at a Trump hotel, you are still at risk. Many hotels have also reported card payment system breaches in the past year, including Hyatt, Hilton, and Starwood, the company that runs Sheraton, Westin and W hotels.

An attack affected customers who used gift shops and restaurants at 54 Starwood hotels, according to The Register in November. The company added more locations to the list in January, bringing the total to more than 100.

Hyatt announced that more than 100 hotels were affected in the U.S. in the last half of 2015, mostly at the card payment machines in restaurants, but also in spas, golf shops, parking areas, and hotel front desks.

Researchers at cybersecurity company FireEye said they saw big growth in new point-of-sale malware families in 2015, as companies moved from “swipe” cards to the reportedly safer “chip” cards.

“Many retailers are still in the process of transitioning to chip-enabled card technology,” researchers said. “Criminals appear to be racing to infect POS [point-of-sale] systems in the United States before U.S. retailers complete this transition.”

Protection

Companies should put their point-of-sale systems on a separate network segment and limit access to that segment, said Smith.

“By having a separate network segment, you can control what goes in and out of the point of sale environment,” he said. “This reduces the attack surface for the devices as well as makes exfiltrating data much more difficult for attackers.”

He said companies need to stay informed on how other similar businesses get breached to “let someone else’s detection become their prevention.”

“Attackers are continually changing their tactics, techniques, and procedures,” Smith said.

Checking up after you check in

The breached hotels recommend that customers check their statements to see if they have any suspicious purchases on their cards after staying at the affected properties during the affected times.

But cybersecurity experts say you should check your statements no matter where you stay or shop.

“Every business which has a point of sale device is a potential target for these types of attacks,” said Smith. “It doesn’t matter if your credit card was used to buy a hotel room, hot dog, or hair cut—consumers need to be vigilant in protecting themselves.”

As for Trump, he has supporters online who sympathize with this potential misfortune and point out that many companies and government agencies have been breached. His supporters are joined by other commenters who find humor in this latest report, saying Trump could construct a “firewall”—a cybersecurity tool—instead of the candidate’s proposed wall between the U.S. and Mexico.

“Maybe Trump should build a ‘Wall’ to keep hackers out!” wrote one commenter.

“It’s gonna be yuuuuuge,” declared another.