Point of Sale (POS) malware is a type of malicious software that hackers remotely install into retail checkouts to steal credit card details from customers as they pay. Yesterday representatives working for the famous Hilton chain of hotels admitted that the firm had discovered the use of the harmful software on some of its checkouts.
It is believed that the malware was on the Hilton’s’ payment systems on two separate occasions for a total of 17 weeks. The first period in question was last year from Nov. 18 and Dec. 5, and the second stint this year from April 21 to July 27. Anybody who suspects that they may well have paid for lodgings with a credit card at a Hilton Worldwide Holdings Inc during those particular two time periods is being strongly advised to check their bank statements for any irregularities.
The malware in question is a type of memory scraper that quickly copies sensitive customer data (while they are very momentarily unencrypted in the memory of the terminal). It is worried that the harmful code may have allowed the hackers to take cardholder names, card numbers, security codes and expiration dates – meaning that there may be a substantial risk to Hilton customers. Annoyingly, quite often the cyber criminals that employ these methods do not themselves directly steal from people, instead opting to sell the valuable stolen data onto a third party via the dark web.
As a result, checking your bank statement only for the time periods that the malware was active in the hotel’s POS is not an option – as it could have been any time since that the hackers (or a third party) decided to use the sensitive private information to steal money from former guests. As such, it is also fair to say that any robbery using the stolen card details could have yet not happened. For this reason, consumers who are convinced that they may have fallen prey to the scam may still want to go ahead and cancel their cards. That way avoiding any possible adverse future repercussions.
In a statement about the Hilton’s recent discovery the company said,
‘Hilton Worldwide is strongly committed to protecting customers’ payment card information, and we sincerely regret any inconvenience this may have caused customers.’
Unfortunately for the Hilton and other hotel chains this type of attack is on the increase. Just last week rival hotel chain Starwood Hotels & Resorts Worldwide Inc. announced a similar point of service issue in which card details could possibly have been stolen from 54 hotels in North America.
Despite reassurances from Starwood that a third party investigation had revealed no card details were successfully taken, the firm does accept that the malware was present in the payment systems of the restaurants, gift shops (and other in-hotel payment points) at those 54 hotels.
The fact that Starwood has released a list of the hotels that were affected does rings alarm bells. After all – why do consumers need to know which hotels were affected – if no valuable data was taken? Included in the list are prime locations such as the Sheraton New York Times Square hotel, the Westin New York Grand Central New York and The St. Regis Bal Harbour Resort in Florida, not mere establishments.
Arguably, anybody leaning on the side of caution may want to take precautions if they stayed at a Starwood hotel during the period of November 2014 and October 2015. I say this because one can not help but wonder why the POS malware would have been effective in a Hilton hotel – but not in a Starwood – when the type of malware in question is of a similar (if not identical) nature.