For the second time in a year, multiple financial institutions are complaining of fraud on customer credit and debit cards that were all recently used at a string of Marriott properties run by hotel franchise firm White Lodging Services Corporation. White Lodging says it is investigating, but that so far it has found no signs of a new breach.
In January 31, 2014, this author first reported evidence of a breach at some White Lodging locations. The Merrillville, Ind. based company confirmed a breach three days later, saying hackers had installed malicious software on cash registers in food and beverage outlets at 14 locations nationwide, and that the intruders had been stealing customer card data from these outlets for approximately nine months.
Fast-forward to late January 2015, and KrebsOnSecurity again began hearing from several financial institutions who had traced a pattern of counterfeit card fraud back to accounts that were all used at nearly a dozen Marriott properties across the country.
Banking sources say the cards that were compromised in this most recent incident look like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those same sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging run hotels. The legitimate hotel transactions that predated fraudulent card charges elsewhere range from mid-September 2014 to January 2015.
Contacted about the findings, Marriott spokesman Jeff Flaherty said all of the properties cited by the banks as source of card fraud are run by White Lodging.
“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Flaherty said. “We understand the franchise company is looking into the matter. Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide.”
I reached out to White Lodging on Jan. 31. In an emailed statement sent today, White Lodging spokesperson Kathleen Sebastian said the company engaged a security firm to investigate the reports, but so far that team has found no indication of a compromise.
“From your inquiry, we have engaged a full forensic audit of the properties in question,” Sebastian wrote. “We appreciate your concern, and we are taking this information very seriously. To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing.”
Sebastian went on to say that in the past year, White Lodging has adopted a number of new security measures, including the installation of a third-party managed firewall system, dual-factor authentication for critical systems, and “various other systems as guided by our third-party cyber security service. While we have executed additional security protocols, we do not wish to specifically disclose full details of all security measure to the public.”
TOKENIZATION VS. ENCRYPTION
Flaherty said Marriott is nearing completing of a project to retrofit cash registers at Marriott-run properties with a technology called tokenization, which substitutes card data with placeholder information that has no intrinsic or exploitable value for attackers.
“As this matter involves Marriott hotel brands, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us and we will continue to monitor the situation closely,” he said. “Marriott is currently on track to have all our U.S. managed systems fully tokenized within the month or so.”
Pressed on whether White Lodging also was using tokenization, Sebastian said the front desk systems at all White Lodging-managed Marriott properties are fully tokenized, and that payment terminals at other parts of the hotel (including restaurants, bars and gift shops) “are transitioning to tokenization and are scheduled to be fully tokenized by the end of the second quarter.”
Tokenization as a card security solution tends to be most attractive to businesses that must keep customer card numbers on file until the transaction is finalized, such as hotels, bars and rental car services. A January 2015 report by Gartner Inc. fraud analyst Avivah Litan found that at least 50 percent of Level 1 through Level 3 U.S. merchants have already adopted or will adopt tokenization in the next year.
Merchants retain tokens because they need to hang on to a single unique identifier of the customer for things like recurring billing, loyalty programs, and chargebacks and disputes. But experts say tokenization itself does not solve the problem that has fueled most retail card breaches in recent years: Malware remotely installed on point-of-sale devices that steals customer card data before it can be tokenized.
Gartner’s Litan said an alternative and far more secure approach to handling card data involves point-to-point encryption — essentially installing card readers and other technology that ensures customer card data is never transmitted in plain text anywhere in the retail environment. But, she said, many businesses have chosen tokenization in favor of encryption because it is cheaper and less complicated to implement in the short run.
“Point-to-point encryption involves upgrading your card readers, because you want the encryption to happen not at the software level — where it can be hacked — but at the hardware level,” Litan said. “But it’s expensive and there aren’t a lot of approved vendors to chose from if you want to pick a vendor who is in compliance” with Payment Card Industry (PCI) standards, violations of which can come with fines and costly audits, she said.
Merchants that adopt point-to-point encryption may also find themselves locked into a single credit card processor, because the encryption technology built into the newer readers often only works with a specific processor, Litan said.
“You end up with vendor or processor lock-in, because now your equipment is locked in to one payment processor, and you can’t easily just change to another processor if you’re later unhappy with that arrangement because that means changing your equipment,” Litan said.
In the end, many businesses — particularly hotels — opt for tokenization because it can dramatically simplify their process of proving compliance with PCI standards. For example, merchants that hold onto customer card data for a period of time until a transaction is finalized may be required to complete a security assessment that demands proof of compliance with some 350 different PCI requirements, whereas merchants that do not store electronic cardholder data or have substituted that process through tokenization likely have about 90 percent fewer PCI requirements to satisfy.
“In a lot of cases, it’s really less about security and more about simplifying PCI compliance to reduce the scope of the audit, because you get big rewards when you don’t store credit card data,” Litan said. “Unfortunately, the PCI standards don’t have the same kind of rewards when it comes to securing card data in-transit [across a retailer’s internal network and systems] which is what point-to-point encryption addresses.”
Merchants in the United States are gradually shifting to installing card readers that can accommodate more secure chip cards that adhere to the Europay, MasterCard and Visa or EMV standard. These chip cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied by point-of-sale malware.
Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).
Newer, EMV/chip-based card readers can enable a range of additional payment and security options, including point-to-point encryption and mobile payments, such as Apple‘s new Apple Pay system. But integrating EMV with existing tokenization schemes can also present challenges for merchants. For example, Apple Pay uses a separate EMV tokenization process.
“This means that merchants who use their own tokenization system and choose to accept Apple Pay payments will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenization in the first place,” Litan said.