This past summer, as thousands of tourists relaxed, dined, and sipped cocktails at a variety of well-known hotels, hackers were stealing their credit card data. Kimpton and HEI announced that attackers infiltrated their point of sale (POS) systems and that malware had compromised card numbers, expiration dates, internal verification codes, and in some cases, cardholder names.
With winter and the holiday travel season around the corner, the question arises: Why are hotel chains so attractive to cyberattacks, and what—if anything—can business and leisure travelers do to protect their credit cards, personal information, and travel reward accounts from criminals?
Inviting targets
Hotel chains are often behind the cybersecurity curve, making them more vulnerable to attacks. The vast majority of IT security budgets—approximately 85%—focus on perimeter protection, not post-breach detection. This means that hotel chains are mostly focusing on keeping hackers out, but once they’ve penetrated the system, there is little to stop them from having a field day completely undetected.
Hotel chains make for especially attractive targets because they hold huge databases of credit card data. Hackers have a virtual smorgasbord of options, including public Wi-Fi signals, magnetic strip door entry cards, and multiple point of sale terminals at spas, gift shops, coffee bars, and restaurants, as well as sharing programs with third parties including airlines and car rental companies. One of the reasons hotels are such low-hanging fruit is because access to their networks and the central payment server they rely on is often frighteningly easy.
All those networks are connected not only across a single property or even a specific hotel chain, but across the entire company. Tens of thousands of credit card records are added every day, along with the millions already stored in databases. Those breaches can net hackers sensitive data across an entire company spanning multiple brands.
Front desk staff, who have access to the corporate network, are trained to be friendly, well-groomed, and professional—not security-aware—making them comparatively easy targets. Infiltrating a network might be as easy as sending staff members emails that appear to be from a familiar person or business, but actually prompt them to click on a malicious link or provide sensitive information that is then used in a cyberattack—an attack method also known as “phishing.”
Once hackers have a single machine under their control, they quickly move laterally throughout the network to find and hijack payment card data. It can be as simple as finding and copying the server data that holds existing transaction data or installing malware that updates to every POS terminal, giving hackers control over tens of thousands of them and capturing every new payment or swipe.
But the problem isn’t limited to the connected networks across the corporate or backend systems. Hotels are replete with fairly unsecured public or guest access. Guests who connect to hotel Wi-Fi are taking a big risk, since hotel Wi-Fi systems are generally not well protected. Furthermore, when guests connect to hotel systems, they bring all their system vulnerabilities with them. Sending a phishing or social engineering attack to guests and taking control of their systems is child’s play for most attack tools.
Protecting hotels
With so many potential entry points for attackers, it’s imperative that hotel chains move to close cybersecurity gaps as quickly as possible and begin taking post-breach detection seriously. Hotels need to operate under the assumption that their networks have been breached and take proactive measures, such as making sure their cybersecurity systems alert them to attacks with information they can act on and provide real-time digital forensics so they can properly investigate the breaches.
As for travelers, avoid the guest Wi-Fi and always use your cellular network instead—particularly when accessing sensitive accounts such as those on bank and credit card sites. If you can, get a VPN—it’s worth the additional fee. And don’t assume the hotel business center computers are safe. Avoid making sensitive digital transactions while using the hotel computers and do not plug in your USB stick into that very public computer, as there are good chances it has spyware on it.
Set up two-step verification for your online accounts. Opt to use the new “smart” credit cards with chips and pins. Choose credit cards over debit cards because the process of disputing fraudulent transactions on a credit card is easier. Or as security guru Brian Krebs put it, “having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).” Finally, be vigilant about reviewing your credit card statements and be on the lookout for fraudulent transactions.
Your holiday vacation should be a time to relax, not to worry about having your valuable information stolen.
Shlomo Touboul is the CEO of Illusive Networks.
