FTC Files Complaint Against Wyndham For Hotel Data Breaches 46
coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."
Re: (Score:1)
Yea, but the problem is any "land" would be sovereign land of the country. Sealand was possible because it was technically still protected by the UK but it could not be claimed by it. An island in the same location would have been claimed land. An island further and unclaimed by a nation would also be unprotected (meaning any nation could just attack you, you'd have to have your own military to defend it)
Re: (Score:2)
We just all need to calm down. The only thing leaked were those videos that end up on sites like "my-ex-girlfriend.com".
So fine them money they already didn't spend? (Score:4, Interesting)
I suppose morally or ethically this is needed but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short-sighted. Maybe a Wall Of Shame that requires them to post signs everywhere and on their websites, that Wyndham is REALLY bad and indifferent to security and they have and will probably again lose your data is what's needed.
Re: (Score:3)
If they didn't want to be fined money they didn't have, they shouldn't have done something they couldn't afford to do without exposing their customers to risk.
Re:So fine them money they already didn't spend? (Score:5, Informative)
I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.
Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine)
a. failed to use ... firewalls ...;
b. allowed ... storage of payment card information in clear readable text;
d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
g. failed to adequately inventory computers connected to the ... network;
h. failed to ... conduct security investigations;
i. failed to ... monitor ... network for malware used in a previous intrusion; and
j. failed to adequately restrict third-party vendors’ access to ... property management systems ...
Re: (Score:2)
Re: (Score:3)
Hotels are a well-known "wild west".
If you are on Linux, turn on firewall logging [ubuntu.com], and check out the results. If you are on Windows, fire up Zone Alarm. You'll probably be hammered on port 445 with worms/viruses attempting to propagate through Windows sharing. As far as I can tell, Windows Firewall doesn't detect these attacks, but I'm not a Windows expert. It's sad that a product called "Windows Firewall" lacks the most important part of the title (the firewall).
After you see the repeating pattern (for ex
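The comment above suggests turning on firewall logging and looking for the repeating port 445 pattern. As an added example (not from the commenter or from any project the thread mentions), this script parses ufw-style kernel log lines, counts blocked packets per source and destination port, and flags sources that repeatedly hit the Windows file-sharing ports. The log lines are constructed for this example; the field format follows what ufw/iptables logging emits, but the hosts and addresses are made up.

```python
import re
from collections import Counter

# Ports used by Windows file sharing / NetBIOS; the thread's point is that
# propagation worms on a hotel network hammer 445 in particular.
SMB_PORTS = {445, 139, 137, 138}

# ufw/iptables kernel log lines carry KEY=VALUE fields (SRC=, DST=, DPT=, ...).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log; addresses and hostname are invented for this example.
SAMPLE_LOG = """\
Aug 10 12:00:01 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.5 DST=10.0.0.23 LEN=52 PROTO=TCP SPT=49152 DPT=445 SYN
Aug 10 12:00:02 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.5 DST=10.0.0.23 LEN=52 PROTO=TCP SPT=49153 DPT=445 SYN
Aug 10 12:00:03 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.5 DST=10.0.0.23 LEN=52 PROTO=TCP SPT=49154 DPT=139 SYN
Aug 10 12:00:04 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.9 DST=10.0.0.23 LEN=52 PROTO=TCP SPT=51000 DPT=445 SYN
Aug 10 12:00:05 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.12 DST=10.0.0.23 LEN=40 PROTO=UDP SPT=137 DPT=137
Aug 10 12:00:06 laptop kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=10.0.0.5 DST=10.0.0.23 LEN=52 PROTO=TCP SPT=49155 DPT=445 SYN
Aug 10 12:00:07 laptop kernel: something unrelated
"""


def parse_line(line):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def count_hits(log_text):
    """Map (source address, destination port) -> number of blocked packets."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hits[(fields["SRC"], int(fields["DPT"]))] += 1
    return hits


def flag_smb_probers(log_text, threshold=3):
    """Sources that hit SMB/NetBIOS ports at least `threshold` times in total.

    A single stray packet is noise; a source that keeps coming back on 445/139
    is the 'repeating pattern' the comment describes.
    """
    per_src = Counter()
    for (src, dport), n in count_hits(log_text).items():
        if dport in SMB_PORTS:
            per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    for (src, dport), n in sorted(count_hits(SAMPLE_LOG).items()):
        print(f"{src:>12} -> port {dport:<5} blocked {n} times")
    print("repeat SMB probers:", flag_smb_probers(SAMPLE_LOG))
```

On a real machine, feed it `journalctl -k` or `/var/log/ufw.log` output instead of the embedded sample; the threshold is deliberately low because on an open hotel network even a handful of repeated 445 hits from one neighbour is worth noticing.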
Re: (Score:1)
Re: (Score:2)
I happen to know for a fact that both Micros and Aloha use "customer/customer" as the default windows username & password for their POS servers... and it wouldn't surprise me if other POS software vendors used customer/customer as well. micros/micros is a slight improvement over default, given that it isn't customer/custome
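The FTC list above (item f, "micros" as both user ID and password) and the comment just above (customer/customer as the default on Micros and Aloha POS servers) describe the same control gap: service accounts left on vendor defaults or on passwords that are not complex. As an added example, not from any commenter or vendor, this script audits a constructed inventory export of service accounts against those two defaults and against a simple complexity rule. The hosts, the CSV layout and the passwords are invented for the example; a real audit would use a far longer default-credential list.

```python
import csv
import io

# Vendor default pairs named in this thread: micros/micros from the FTC
# complaint, customer/customer from the POS comment. Compared case-insensitively.
KNOWN_DEFAULTS = {("micros", "micros"), ("customer", "customer")}

# Constructed sample export of service accounts from a property-management /
# POS inventory. Hosts and passwords are made up for this example.
SAMPLE_INVENTORY = """\
host,service,username,password
pms-01,property_mgmt,micros,micros
pos-02,pos_server,customer,customer
pos-03,pos_server,customer,Tr0ub4dor&3
pms-04,property_mgmt,frontdesk,frontdesk
pms-05,property_mgmt,svc_backup,x7!Qm2#pLw9z
"""


def is_complex(password, min_len=8):
    """Minimum length plus at least three of: lower, upper, digit, symbol."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= 3


def audit_credentials(inventory_csv):
    """Return (host, username, [reasons]) for every account that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user, pw = row["username"], row["password"]
        reasons = []
        if (user.lower(), pw.lower()) in KNOWN_DEFAULTS:
            reasons.append("known vendor default")
        elif user.lower() == pw.lower():
            # Not a catalogued default, but the same class of weakness.
            reasons.append("password equals username")
        if not is_complex(pw):
            reasons.append("fails complexity policy")
        if reasons:
            findings.append((row["host"], user, reasons))
    return findings


if __name__ == "__main__":
    for host, user, reasons in audit_credentials(SAMPLE_INVENTORY):
        print(f"{host}: account '{user}': {', '.join(reasons)}")
```

An inventory that contains plaintext passwords is itself a finding; in practice the same check is run by hashing the known-default pairs and comparing against stored hashes, or by having the owning team attest to a rotation rather than exporting secrets.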
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Wouldn't it then be more productive if the companies in question were instead forced to hire an FTC-appointed network security inspector and apply any and all changes the inspector tells them to at their own cost?
In theory that would work, but in reality they will just end up getting someone a lot like the OCC, FRB, and state banking authority auditors. They are ridiculously uninformed and ignorant about security practices and IT in general. They will go thru a generic checklist, demand stupid policy documents, and basically waste time and money on both ends (the gov'ts and the company's).
PCI audits are not actually required (Score:2)
PCI audits are nice to have and companies want them and auditors are happy to do them but failing a PCI audit doesn't actually mean much. There's no regulatory penalty for failing one or failing all of them. Unlike HIPAA where there are real albeit rarely applied penalties, for PCI no such thing exists.
Re: (Score:3, Interesting)
Agreed (Score:1)
The processing firms don't exactly help. (Score:5, Informative)
Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.
But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.
PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.
The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.
Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?
Re: (Score:1)
I have slight involvement in this. Two comments:
First, the "expensive card machine" isn't that expensive. We just bought one for about $300. It does require a dedicated phone line, but supposedly there is a version that works over ethernet and doesn't require the VLAN separation.
Second, I have the separate PC installed behind a firewall, but it is a pain in the neck. It is supposed to be scanned for vulnerabilities monthly, plus kept up to date with Windows patches. Yes, I said windows, because the website
Re: (Score:2)
The problem here is a fundamental disconnect in how hotels do business with how card security is mandated.
Hotels don't trust travelers to pay after their stay. They don't want to ask you to pay up front, either, because then they can't give you the seamless sign-it-to-my-room experience. Credit card account numbers offered an easy middle path: "we'll hold your card number until checkout." It harkens from a bygone era where credit was the exclusive province of the wealthy, who were de facto trusted to pay.
Re: (Score:2)
Makes a lot of sense. I've seen plenty of businesses that take cards and it's amazing how many of them seem to totally ignore PCI-DSS.
I can only come up with two possible explanations:
1. My understanding of PCI-DSS is totally wrong.
2. It's not really enforced to any significant extent - it just gives the bank a slightly bigger stick to beat you with if you don't comply.
Re: (Score:3)
I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)
As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit trans a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million dollars per year (or more!) in compliance audit
Re: (Score:2)
Thanks for your insight.
Your description isn't far off how it looked to me as an outsider: a set of rules you're meant to comply with but aren't really enforced unless it becomes glaringly obvious that something's gone horribly wrong.
Re: (Score:2)
Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.
But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.
Re: (Score:2)
Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.
But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.
Regarding your first comment, audits of Tier 1 and Tier 2 retailers are strongly enforced. The last count I saw was 6 million merchants accepting Visa, but fewer than 50 are Tier 1, and less than a thousand are Tier 2. Tier 4 is where the vast majority of retailers are, and there is pretty much nothing done at that level - payment processors simply don't accept anything there that doesn't come through their provided-or-certified payment terminals. Tier 3 is kind of hit-or-miss.
PCI-DSS permits the storage
So I put on my data breeches and my wizard hat and (Score:3, Funny)
So I put on my data breeches and my wizard hat and ...
Wyndham: Do these data breeches make my butt look fat?
FTC: Um... later honey I have some paperwork to file.
Or maybe this is the start of a new advertising campaign by Wyndham
"Ladies... don't like how data breeches make your butt look fat down at the poolside? Well come to Wyndham instead and relax in our spa, now featuring homeopathic computer security"
Conversation overheard at the defcon bar: "So I was social engineering the hotel firewall chick, and I charmed her outta her data breeches. At that point, I'm thinking third base for sure then I discovered it was a trap so I got the FTC to go after she/he for false advertising"
So... I heard the Wyndham has same day dry cleaning service as a perk, but if you send out your data breeches, rather than getting them back same day, everyone in .ru gets a copy of them.
That's all the time I got for /. standup comedy right now, thank you and I'll be here all night.
Re: (Score:2)
Oh I got another one. Breeches, those are pants, right? Well Wyndham-style data breeches, those are pants with a "leather chaps" cut, such that the legs are covered and the fun parts are hanging out for all to see. Get it, data breeches?
I'm gonna make a lotta money selling my UEFI boot secret signing key tee shirts and data breeches as a package deal.
There's always witty data beaches jokes, once I tire of breeches jokes. "Stay at the Wyndham, right on the sandy data beaches of the holodeck."
Isn't the FBI in FAVOUR of data breaches? (Score:3)
Yes, yes they do [wired.com].
It was just last month [engadget.com] I was reading about it. Again.
Or is it that they only want this access for themselves [techdirt.com] and you're a tairist if you don't think the FBI should have all access to all your activities and communications [rt.com].
Buyer Beware? (Score:2)
I am guessing that the Wyndham was charging for "secure" access, but if they were only charging for access, then wouldn't that be a case of Buyer Beware?
It is still important for users to be wary of any network not their own personal or work network. Since you can't control the access point, don't assume the 3rd party is either.
Encrypt your info and think before you use another's internet access.
Hotel's responsibility? (Score:1)
It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."
Re:Hotel's responsibility? (Score:4, Informative)
And a hotel is responsible for network integrity why?
It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."
The complaint was mostly about internal office stuff, their office stores your credit card info digitally, unencrypted, networked, in ready to steal format, that sort of mistake.
Not so much about the complimentary wifi for guests.
Re: (Score:1)
Yeah it looks like they're just getting pinged for not implementing any personal data sanitation. Really makes you think about all those 3rd rate machines we swipe into daily.
Anecdotal evidence- (Score:2, Interesting)
That's hilarious, I actually stayed at a Wyndham "Microtel" last week on my way to Florida, network was completely open, and I got hit with a man-in-the-middle attempt within seconds of getting online, tried to knock me off HTTPS logging into Facebook.
Data Breaches (Score:2)