This isn’t the first CUbit you’ve read discussing a hack. Wasn’t the first about cars?
Well, there’s another high-profile hack to discuss today. This time, cyber criminals hit Starwood Hotels across the country. Starwood is the parent company, but I’m sure you’ll recognize Sheraton, Westin, even the Dolphin hotel at Walt Disney World. If you’ve stayed at any of these properties in the past year, keep an eye on your credit/debit cards.
How did they do it? “Who cares?” you say, “the data is already stolen, and it’s always the same thing.” To some extent, you’re right. Obviously, people looking to take your money gained access to your data somewhere down the line. What I consider important is the point on the line where it happens. First, kudos to the entire banking industry, since we almost never hear about leaks stemming from their end. Your security processes mean the low-hanging fruit for criminals is somewhere else. That “somewhere else” is at the point of sale. Malware (read: software made to do mean things) was installed on POS systems, so every card swiped could potentially be saved for later use.
I have a few issues with this type of hack, which tends to be a more common approach. The primary one: it’s completely avoidable!
That’s right. There’s no reason for any card information to be stolen in this way, ever again. We have two advances to thank:
1. EMV chips. You know that gold square on your card? It houses a computer chip which creates a one-time use card number and does some other voodoo along the way to increase security. However, it’s not always used! That chip (and the security that comes with it) only runs when you insert your card in the bottom slot, not when it’s swiped. Personally, I’d never swipe with an EMV card if at all possible. When I was in Peru, we ate at a restaurant where the server came to our table with the card machine. He inserted our EMV cards into the slot, right there. No one walked away with the card. That was the norm. As EMV cards become ubiquitous, this should be demanded here, too.
2. Mobile payment. Systems like Apple Pay and Android Pay bypass the attack vector of this hack as well. Like EMV, they pass a one-time use number to the system, and hold your card number close to the vest. On iPhones and some Android phones, they also require a fingerprint, further ensuring the person paying is actually you. These mobile payment platforms protect your data from everyone, sometimes to the chagrin of the merchants (who want that data for marketing purposes).
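An added illustration (not part of the original post) of why a one-time-use number blunts the card-saving malware described above. It is a simplified model, not the real EMV or Apple Pay/Android Pay protocol: it assumes the chip or phone holds a secret key and computes a per-transaction code with HMAC-SHA256. `Issuer`, `Chip` and `one_time_code` are hypothetical names, and the card identifier is constructed.

```python
import hashlib
import hmac
import os

def one_time_code(key, counter, amount):
    # Code is bound to this transaction's counter and amount (assumed scheme).
    msg = f"{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Chip:
    """Toy chip/phone wallet: the key never leaves it, only the code does."""
    def __init__(self, card_id, key):
        self.card_id, self._key, self._counter = card_id, key, 0

    def pay(self, amount):
        self._counter += 1
        code = one_time_code(self._key, self._counter, amount)
        return (self.card_id, self._counter, amount, code)

class Issuer:
    """Toy issuer: knows each card's key and the highest counter accepted."""
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def issue_card(self, card_id):
        self.keys[card_id] = os.urandom(32)
        self.last_counter[card_id] = 0
        return Chip(card_id, self.keys[card_id])

    def approve_swipe(self, stripe_data):
        # Magnetic stripe: the same static data authorizes every purchase.
        return stripe_data in self.keys

    def approve_chip(self, card_id, counter, amount, code):
        key = self.keys.get(card_id)
        if key is None or counter <= self.last_counter[card_id]:
            return False  # unknown card, or counter already used (replay)
        if not hmac.compare_digest(one_time_code(key, counter, amount), code):
            return False  # code does not match this counter and amount
        self.last_counter[card_id] = counter
        return True

def demo():
    issuer = Issuer()
    chip = issuer.issue_card("TEST-CARD-0001")  # constructed identifier
    swiped = chip.card_id                       # what a swipe exposes
    card_id, counter, amount, code = chip.pay(1999)  # what a chip payment exposes
    return {
        "swipe_first": issuer.approve_swipe(swiped),
        "swipe_reused": issuer.approve_swipe(swiped),
        "chip_first": issuer.approve_chip(card_id, counter, amount, code),
        "chip_reused": issuer.approve_chip(card_id, counter, amount, code),
        "chip_reused_new_amount": issuer.approve_chip(card_id, counter + 1, 5000, code),
    }
```

In this model the data saved from a swipe is accepted again later, while the saved chip code is rejected on reuse and cannot be moved to a different counter or amount.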
Bottom line: You’re going to see these hacks on a regular basis. Whether your information is part of the leaks is partially up to you. Are you using an EMV card, and doing so in the bottom slot, every time? Or did you add your cards to Apple Pay and “touch to pay” wherever you go?
No security is 100%, but by embracing the best tech we have (and mobile payment is awfully convenient, too), you can reduce the chances of needing to have your card replaced again and again.