Hilton hotels in credit-card-stealing malware infection scare

Re: Common theme

Is there a common theme throughout these POS hacks?

Yes, the whole process of credit card payments is unsafe, and has been since the days of telephone sales. Everything else is just plastering over broken fundamentals, but you're not allowed to say that if you're in the card industry (hence the anon).

Re: Common theme

Posting anon because my partner works as a manager for Hilton. The common theme is having plenty of money for security and spending it all on not-security instead.

Security at hilton appears to be piss-poor. Managers are meant to set passwords for their subordinates in order to minimise time spent at the service desk (which seems to be outsourced so various call centres with the usual script-drones). Whenever passwords are reset, it will break three or four other systems and lead times on getting those fixed are frequently measured in days, yet the user is still assumed to have full access to everything; when a member of staff is disciplined for not doing $something in $application and says "but my account is locked out and I'm waiting for it to be fixed!" then the official response from the higher-ups is always "well why didn't you ask $so_and_so for their username and password?". Don't know how well the POS systems are insulated from their windows crapola but most of the senior levels of staff have access to the some elevated credentials for performing some simple maintenance tasks (since it's frequently a 24hr turnaround on getting the POS systems fixed "properly"). There's no culture of security whatsoever and a frequently toxic working environment with exceedingly high staff churn of poor underpaid sods on zero-hours contracts.

IT and security at hilton, at least at the level I've been exposed to by proxy, are so shit that it's a miracle this hasn't happened before. In fact it probably has and no-one's noticed.

Re: Common theme

Yes and no. Part of the difficulty is that most chains like this are franchise operations so you wind up with a hybrid of conhugecom-mom&pop. So some of the corp IT types probably get the security. Whether they can effectively communicate that to the bean counters is a different question, but there are better odds they can win over the bean counters than getting mom and pop who own the local franchise to properly understand what has to be done.

Re: Guess someone didn't get the memo ...

Guess someone didn't get the memo ...

that Hilton sent out maybe a year ago, to always check the backs of your computers to make sure no little dongles had been inserted between the USB cable from the c/c reader and the PC.

Most of the machines are built in so that only screen and keyboard are visible, and most staff would not be able to tell a dongle from a ferrite coil in the cable. It's a nice theory...

Re: USA Today

I'm not familiar with the systems at Hilton US, and my knowledge of Hilton UK systems is quite a few years out of date; but in the UK, the central reservation system is, or was, separate to the front of house system.

However, you book a room using the central reservation system. Most of the time, you don't actually pay for it at that point, they just do an authorisation-only transaction for the amount so that they can collect if you don't turn up. When you arrive at the hotel, they will do another authorisation-only transaction to cover any extras you might take while you are there, using the front of house system, and you pay the bill when you check out.

An airline who does a block-booking for staff or delayed passengers and doesn't allow any extras to be charged to their account would probably not be affected. Pretty much everyone else would be.