NEW YORK (MainStreet) — Another day, another hotel data breach where guest data - your personal credit card info - may have been sucked up by cybercriminals. The latest hotels to join the list of victims: Hilton Hotels and Trump Hotels. Prior big hotel breaches have included hotel management company White Lodging - twicevictimized - along with management company Destination and Mandarin Oriental. Hard Rock also has suffered a publicized breach.
Questions hotel guests need to be asking themselves now include: is it safe to use a credit card at a hotel? How about a debit card?
First, however, what happened in the latest breaches? Trump Hotels has issued a statement that said it “may” have been a victim. It acknowledged that malware was at work at many of its hotels for over a year. Trump Hotels continued: “For customers that used credit or debit cards to make purchases between May 19, 2014, and June 2, 2015, we believe that the malware may have affected payment card data including payment card account number, card expiration date and security code.”
Hilton, for its part, issued a statement that said little. "Hilton Worldwide is strongly committed to protecting our customers' credit card information," the company said. "We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace. We take any potential issue very seriously, and we are looking into this matter."
Security blogger Brian Krebs, who broke the Hilton news, insisted Hilton likely has in fact been breached. He wrote in his blog: “Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States.”
In many of the other cases - White Lodging for instance, where many Marriott properties were breached - the breach also focused not on reservations but on ancillary services such as bars and restaurants.
How did this happen? Why are so many hotels seemingly falling victim?
Know this: probably we know only a slice of the bad news. Many other hotel gift shops, bars and restaurants likely have been compromised, and because the attacks are undetected, they are ongoing. “The affected parties often don’t know there is a breach,” said Christopher Budd, a security expert with Trend Micro.
Kevin Watson , CEO of Netsurion, a provider of remotely-managed network and data security service, added: “Probably a meaningful number of hotels have been breached and don’t know it.”
“Hotels are where people with money go," said Jerry Irvine, CIO of IT company Prescient Solutions. "They are attractive to cybercriminals.” He added that the way hackers work is that they continually scan networks for known vulnerabilities - and when they find such a system, they get to work. “The weakest links are where you attack,” said Irvine.
As for why the attacks seem to focus on point of sale terminals, Levine said: “Many POS systems are old. Many don’t get updated with security patches.”
Reservations systems, by contrast, typically are kept updated, because they are a hotel’s lifeblood.
Don’t expect better at hotel point of sale systems anytime soon is advice from multiple experts.
That also is why cautious travelers are now rethinking how and where they use credit and debit cards at hotels. Here are new rules:
Keep your debit card in your wallet. “Just don’t use your debit card at a hotel,” urged Budd. “It offers much weaker protections.” He’s right. Credit card fraud liability is capped at $50, by law. In some cases, debit card liability is unlimited and it almost always is harder to get actual money restored to your account.
Don’t shop at hotel gift shops. If you must - to buy a morning paper, say - pay cash, or charge it back to your room.
Think twice about hotel restaurants. Most hotel restaurants are overpriced and blandly mediocre anyway. But breaches now are another good reason to avoid them. There’s a compelling reason to eat in the restaurant? Again: charge it to the room. Or pay cash.
Use chip cards where you can. Particularly timely news is that with the October 1 EMV liability shift looming - where whichever of the credit card issuer and the retailer has weaker security is held responsible for losses due to card number theft - experts said that, generally, if a hotel has in fact installed EMV, aka chip, readers, go ahead and use them if you have a chip card. Probably you will be safe. But don’t count on seeing EMV in hotel gift shops or restaurants. A sprinkling may have them but the vast majority won’t, not soon.
What about Apple Pay or Android Pay? Hotels offer a prime argument for using Apple Pay and Android Pay. They just are safer, because much of the crucial data is “tokenized,” meaning a crook would only get what looked like gibberish to him. But don’t hold your breath expecting at find wide acceptance at hotels. It’s just not widespread.
And when all else fails: pay with cash. It is the safest way to transact with hotels in today’s atmosphere of breaches.
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.