Posted on August 16, 2016

The HEI Hotels Malware Event: how it underscores the importance of chip-based cards

The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—Connecticut-based HEI—said this past weekend that malware infecting payment systems for 20 of its locations may have been used to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes.

How Malware Affected Financial Privacy and Security

The malware was discovered earlier this summer on payment systems used at the properties’ spas, bars, lobby shops, restaurants, and other facilities, Chris Daly, a spokesman for HEI, said in emails and phone calls. (Reuters)

Although many thousands of transactions were, apparently, affected by this data breach, it’s unclear how many guests’ cards were compromised, because many guests conducted multiple transactions per visit. The fact that the total number of sad souls suffering this security inconvenience may be lower than the total number of reported incidents is small consolation.

What Can We Do To Prevent This?

In recent years, similar large-scale attacks have hit chain stores such as Home Depot and Target. Such infiltrations have encouraged retail industries in the US to phase out the widespread use of magnetic stripe-based cards in favor of chip-based debit and credit cards. Rollout has been slower than it should be, as vendors are required to buy new terminals (at a whopping $500-1000 cost per terminal) in order to process cards in this new, safer way.

Those little, shiny chips on the latest debit and credit cards you’ve gotten in the mail? Those are computer chips. The stateside shift to EMV is well underway, but long overdue: EMV, which stands for Europay, MasterCard and Visa, is already the standard globally, and is shorthand for cards equipped with these little computer chips, as well as the accompanying technology used to authenticate chip-card transactions.

Magnetic stripe cards pass static credit card information to a company’s POS (point-of-sale) system, leaving that information susceptible to hackers, who then steal it to make duplicate credit cards. EMV transactions, in contrast, transmit a dynamic (ever-changing) card number. The chip creates a unique transaction code that cannot be used again. This, obviously, makes it much more difficult to steal and recreate cards for fraudulent use.
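
To make the contrast between static stripe data and a one-time chip code concrete, here is an added Python sketch that is not part of the original post. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram, and every class and function name is hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model (assumption): HMAC-SHA256 stands in for the EMV cryptogram.
def _mac(key, pan, amount_cents, nonce, atc):
    # One-time code bound to this card, amount, terminal nonce and counter.
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Toy chip: the key stays on the card; only codes derived from it leave."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount_cents, nonce):
        self.atc += 1  # transaction counter advances on every payment
        code = _mac(self._key, self.pan, amount_cents, nonce, self.atc)
        return {"pan": self.pan, "amount": amount_cents, "nonce": nonce,
                "atc": self.atc, "code": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc, self._stripes = {}, {}, set()

    def issue_chip(self, pan):
        self._keys[pan], self._last_atc[pan] = os.urandom(32), 0
        return ChipCard(pan, self._keys[pan])

    def issue_stripe(self, pan, expiry):
        track = f"{pan}={expiry}"  # static data, identical on every swipe
        self._stripes.add(track)
        return track

    def verify_stripe(self, track):
        # Nothing distinguishes the genuine swipe from a copy of its data.
        return "approved" if track in self._stripes else "declined: unknown card"

    def verify_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        want = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(want, txn["code"]):
            return "declined: bad code"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "declined: code already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"
```

The issuer accepts the same stripe data any number of times, while a chip transaction captured at the terminal is declined when presented again or when its amount is altered.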

The Take-Away

The US was well behind the curve with regard to credit and debit card security, but massive security breaches created risks for customers and massive public relations issues. Happily, those risks are already dipping rapidly as we adopt technological advances that stay one step ahead of the criminal contingent.

The familiar advice always applies: keep a close eye on your account statements and the charges made against them, and be vigilant about where and when you choose to use your cards. Maybe make it clear to merchants that you will wait until they are able to upgrade to an EMV system before you’ll hand over your card.

Until they do? Pay in cash, or take your business elsewhere.