Omni Hotels & Resorts has reported that its point-of-sale system has been hit by malware targeting payment card information. The attack on the systems of the luxury hotel chain follows similar breaches of point-of-sale systems at various hotels and retailers like Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings.
At the root of the vulnerability were old Windows PCs and the software on them that intercepted the POS device drivers, with the Treasurehunt malware pulling card data from the memory of the computer processing the transaction. Full nerd level details here.
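The memory-scraping step described above is also the check a defender runs in reverse: after a transaction, scan the POS process memory (or a dump of it) for plaintext card numbers to confirm none linger for malware to harvest. The script below is an added example, not Moroku's code or anything from the Omni incident; it uses a Luhn mod-10 check to separate real card numbers from other digit runs such as timestamps, reports only masked values, and shows the mitigation side by scrubbing a working buffer and rescanning. The memory image and the test card numbers in it are constructed for the example.

```python
"""
Added example (not part of the original post): a defender-side scan of a
process memory dump or log buffer for plaintext card numbers (PANs),
plus the scrubbing step that keeps them out of RAM in the first place.
"""
from __future__ import annotations

import re

# Candidate PANs are 13-19 digit runs, possibly separated by spaces or
# dashes the way a receipt or serial stream would format them.
_PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed memory image: one timestamp, one auth reference and two
# standard test card numbers (4111... Visa test PAN, 5555... MC test PAN).
MEMORY_IMAGE = (
    b"POS v2.1 txn_id=20160704123456 amount=42.00 "
    b"card=4111 1111 1111 1111 exp=12/19 "
    b"auth=1234567890123456 "
    b"card=5555-5555-5555-4444 "
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (timestamps, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never write a full PAN to a log: keep the 6-digit BIN and last 4."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, masked PAN) for every Luhn-valid candidate in buf."""
    hits = []
    for m in _PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def scrub(buf: bytearray) -> bytearray:
    """Mitigation side: overwrite a working buffer once the transaction is
    done so a later memory scrape (or dump) finds nothing to harvest."""
    for i in range(len(buf)):
        buf[i] = 0
    return buf


if __name__ == "__main__":
    for offset, masked in find_pans(MEMORY_IMAGE):
        print(f"plaintext PAN at offset {offset}: {masked}")
    work = scrub(bytearray(MEMORY_IMAGE))
    print("after scrub:", find_pans(bytes(work)))
```

Run against a real dump the same way (read the file as bytes and pass it to `find_pans`); a clean result after a completed transaction is the property you want, and any hit is a finding to fix in the POS software rather than something to tolerate behind a firewall.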
The EMV consortium has spent billions of dollars building a secure user experience based on dedicated, cryptographically secure, bullet proof, bomb proof card reading technology. Most of you will know this as Chip and PIN or maybe even PayPass or PayWave. The problem here is that the whole story falls apart like a house of cards the minute that you attach it to a bog standard, out of date, un-patched Windows PC with all of the security vagaries that model is well known for, yet which is routinely deployed.
Since October 2015 (with the introduction of Chip and PIN in the US), under PCI DSS rules, merchants who have not transitioned to EMV cards are now liable for fraudulent transactions. This has led to a spike in POS fraud as hackers scramble to make the most of this closing window.
The Moroku POS, Marrakash, is deployed on open standard Android tablets and allows merchants to create their full product catalogue, incentivise customer loyalty, create orders and take card payments using the NFC chip on the device. We and our customers think it’s cool: “Buy a tablet, download software, go sell stuff.” Many payments and security folk hate it because it doesn’t use an EMV compliant security device such as a traditional or contemporary card reader, aka Square or Ingenico.
The Marrakash stack benefits in two ways. The first is that while there is no “100% safe” platform, mobile platforms go much further towards separating apps than PCs do. This means that it’s a lot more difficult for malware to read card data from the memory of Marrakash while it’s running.
The second is that many of those PCs running POS software, especially in smaller merchants, are running operating systems that still have security vulnerabilities but are no longer being patched by vendors. Almost 11% of PCs out there are still running Windows XP despite the fact that it has not been supported for 2 years by Microsoft and is known to contain security vulnerabilities. Some of these are in merchants running POS systems.
A secure process is only as secure as the weakest link in it. You can run the fanciest EMV compliant card terminal but the minute you plug it into your Windows XP machine or operate it over your WiFi system with its default password, you may as well be processing bits of paper in a swipe machine.
We built Marrakash because we believe that:
– Merchants need more than card reading – they need and want to run their business on mobiles and take payment
– The more complex and outdated the entire system, the more vulnerable it becomes. By delivering a contemporary end to end platform, including payment on mobile and the cloud, we can build the safest environment for payments to run.
Come take a look – anytime