Starwood POS Data Breach


Security researchers at Tripwire and HPE Security have commented on news of a point-of-sale payment card data breach at Starwood Hotels involving at least 54 locations.

Lane Thames, Security Researcher at Tripwire:

“In today’s interconnected world, there is no place to hide. If a company has any type of payment processing system, then rest assured someone, somewhere, has or will eventually try to find a way to break in to steal valuable payment-related information. Merchants and consumers all need to understand this because no one is immune from the vast infestation of malware and malicious actors roaming around the Internet these days–and it won’t be changing for the better for the near future.

Consumers must remain vigilant in how they manage their credit cards and other personal information. One piece of advice I give, especially during the holiday seasons, is that, if possible, reduce your credit card ‘attack surface’ by using only one major credit card. When, not if, your credit card information has been breached, it is much easier to only need to deal with one credit card source.”

Mark Bower, Global Director of Product Management, Enterprise Data Security for HPE Security:

“Once again with today’s news of a potential payment card data breach at Starwood Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS).

Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.

However, it’s important to note, especially going into the busy holiday season, that hospitality organizations, as well as retailers and any businesses using POS systems, can avoid the impact of these types of advanced attacks.

Proven methods are available to neutralize this data from breaches either at the card reader, at the POS, in person, or via web booking platforms. Leading travel-related organizations, airlines, and travel booking aggregators have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.”

No specific malware has been associated with the Starwood breach, but on a related note, Mark Bower commented earlier this week on a new rash of retail POS terminal malware, identified just as the holiday shopping season gets underway:

“Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Risks of theft from POS malware like Abaddon are totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.

How to do it? The easiest way to deploy this is with contemporary Format-Preserving Encryption based devices which protect data without having to make major changes to POS data flows and applications, going end-to-end to the secure processing host, far out of reach.

Over the past few years the PCI Council has also supported the approach and called it Point to Point Encryption (P2PE) or end to end encryption. For merchants, these solutions address the risk by encrypting the payment card data before it even gets to the POS. This might be in the card reader, a reading pin pad, or even inside a reading “sled” or “wedge” attached to the POS. If the POS is breached, the data will be useless to the attacker. On the other hand, the secure card readers are very, very difficult to attack and do not store live data to steal: they encrypt it and pass it up the payment process to the POS. If tampered with, they are designed to destroy their contents.

The trick is getting it right so that even though the data is protected and secure, it’s still compatible with the payment applications in the merchant’s systems and applications in the POS itself to permit regular POS functions to continue without change. That’s where format preserving encryption (FPE) comes in – NIST-recognized FFX mode AES in particular. With FPE, the data stays protected from the moment it is captured as it’s read or entered. The magnetic stripe data and track information (Track 1, Track 2 or even EMV data) or manually entered credit card numbers are all protected while retaining the track structure, PAN format and integrity. To the POS, it still looks and feels like cardholder data, so there is low impact to the way customer payments are handled. To the merchant, the PCI DSS scope is dramatically reduced; the whole POS is potentially out of scope. To an attacker, there’s nothing of value to steal. The attacker would get nothing but useless encrypted data. Only the other “end” of the payment process, usually an acquirer after the payment data has passed through switches, gateways, networks and applications, can decrypt the data. For post-authorization processes, a token might be returned to the merchant for storage and re-use in applications and databases without needing live PAN data again.

When implemented correctly, this approach can dramatically reduce the cost of PCI compliance and solve huge risk challenges easily. Without having to worry about nasty POS-infecting malware, and with the cost of PCI DSS compliance reduced, merchants can focus on growing their business.”
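The format-preserving encryption behaviour described in the comments above, as an added example that is not part of the original page and not HPE's product code: a simplified Feistel-based FPE over decimal strings that keeps the structure of NIST FF1 (two halves, modular addition over digits, ten rounds) but swaps FF1's AES-based round function for HMAC-SHA256 so it runs on the Python standard library alone. The key, the per-terminal tweak and the PAN are constructed sample values; the output has the same length and digit-only shape a POS expects, yet only the key holder can recover the PAN.

```python
import hashlib
import hmac

# Illustrative FPE for digit strings such as a PAN. Same Feistel shape as
# NIST FF1, but with an HMAC-SHA256 round function instead of AES-CBC-MAC.
# This is NOT FF1/FFX and is not suitable for production use.
ROUNDS = 10

def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """Pseudo-random value derived from the tweak, round number and one half."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus

def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into another digit string of the same length."""
    if not digits or any(ch not in "0123456789" for ch in digits):
        raise ValueError("only ASCII decimal digit strings are supported")
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for rnd in range(ROUNDS):
        m = len(a)                      # the new half keeps the length of 'a'
        c = (int(a) + _round_value(key, tweak, rnd, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)       # swap halves, as in a Feistel network
    return a + b

def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)                      # 'b' is the half produced in this round
        c = (int(b) - _round_value(key, tweak, rnd, a, 10 ** m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b

def looks_like_pan(data: str) -> bool:
    """Shape check a POS application (or a memory scraper) keys on: 13-19 digits."""
    return data.isascii() and data.isdigit() and 13 <= len(data) <= 19

if __name__ == "__main__":
    KEY = b"constructed demo key, not a real terminal key"
    TWEAK = b"TERMINAL-0001"            # constructed per-device tweak
    PAN = "4111111111111111"            # well-known test PAN, not a real card
    protected = fpe_encrypt(KEY, TWEAK, PAN)
    print(protected, looks_like_pan(protected))   # still 16 digits for the POS
    print(fpe_decrypt(KEY, TWEAK, protected) == PAN)
```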

