Hotels Are Hackers’ Playgrounds

Well, it’s a scary new trend for all the globe-trotting, business-trip-making road warriors out there.  A study released this year by Trustwave coalition found that 38% of credit card hacking cases last year involved the hotel industry.  The hospitality sector was well ahead of the financial services industry (19%), retail (14.2%), and restaurants and bars (13%).

Why hotels?  Hackers hit hotels because that is where the richest vein of personal credit card data is, and they know that you are on the road when the incident strikes.  Hotels are notorious for inadequate data security: they often offer free or low-cost Internet connectivity and make the process of connecting to it as unencumbered (and, by nature, insecure) as possible.

Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit data.  The sophistication of computer and communications systems can vary widely from one hotel to the next, even within the same corporate chain.  The same is true of point-of-sale credit card swiping systems.  The Trustwave report says that “organizations large and small were found to be moving forward with plans to implement new technology, while leaving basic security threats overlooked.”

As the hotel industry hit tough economic times and hotel owners cut spending, security upgrades often lagged in priority.  Proper IT security requires not only software, hardware, firewalls and encryption programs, but also budgeting for staff training as well as constant monitoring of transactions and data access.  If you can’t keep up, you will most certainly fall behind.  The full extent of credit card fraud by those who breach hotel systems is unknown.  Anecdotally, data breaches in this sector occur with disturbing regularity.

  • Today it was reported that 17,000 guests at the Emily Morgan Hotel had their credit-card numbers stolen and used in a 3-state shopping spree.  5 people were arrested in the largest identity-theft case in San Antonio history.  The suspects stole stacks of credit-card receipts from a storage room at the hotel to make counterfeit credit cards.
  • Last month, Destination Hotels and Resorts, a chain of luxury properties in the US, notified customers that credit cards “may have been compromised.”  ABC News reported that Destination was the victim of “an intense database attack that lasted over three months,” and said that losses, which totaled hundreds of thousands of dollars, averaged $2,000 to $3,000 on each of the estimated 700 credit card numbers stolen.
  • Wyndham Hotels recently sent customers a statement saying that a “sophisticated hacker had penetrated our computer system” at as many as 31 hotels from Nov. 7, 2009, to Jan. 23. Wyndham said it was improving its security technology.

These are just the most recent and memorable items that come to mind.  It often takes months for these attacks to be discovered by customers who may be on the road frequently and not monitoring card activity reports carefully, or by the hotels themselves.  Hackers often make multiple small charges to validate a card, probe its limits and test the vigilance of a cardholder before making bigger purchases.

So, what do you do to protect yourself?

  • Use a hardware firewall.  Don’t laugh!  I travel with one.  It takes up less space than a mouse, and I _know_ many people can’t stand the laptop’s little finger mouse.  These things are so simple to set up, and they come with a bloody Quick Start Guide on a 6×8 card.
  • Install and use a software firewall.  Too inconvenient for you?  Suck it up, buttercup.  Take the time to learn how to use it, or spend the time fixing your credit report.
  • Install and update your Anti-Virus software.  You have heard it before, you will hear it again.
  • Use an A/V software enhancer, like ThreatFire, or other product.  It takes Anti-Virus to the next level, not relying on signatures, but watching for unapproved software, configuration changes and unusual behavior.
  • Set up a set of credit cards that you use just for travelling.  Set the credit limit low, and monitor it closely.
  • I don’t use credit cards at all, but that causes major inconveniences.  If my job changes to require me to travel more, I will opt for a reduced limit credit card, or one that requires a phone call to my cellphone with a challenge and response phrase of my choosing.
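
Monitoring a travel card closely can be partly automated. The sketch below is an added example, not part of the original post: it scans a statement export for the pattern described earlier, a burst of small charges followed by a bigger purchase. The statement layout, the sample rows and every threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample statement (date, merchant, amount in USD); not real data.
SAMPLE = """\
2010-03-01,HOTEL FRONT DESK,412.80
2010-03-09,WEB SVC 4471,1.00
2010-03-09,WEB SVC 9920,1.95
2010-03-10,ONLINE DONATION,2.50
2010-03-12,ELECTRONICS OUTLET,2150.00
2010-03-20,COFFEE SHOP,4.25
"""

def parse_statement(text):
    """Return (date, merchant, amount) tuples sorted by date."""
    rows = []
    for line in text.strip().splitlines():
        date, rest = line.split(",", 1)
        merchant, amount = rest.rsplit(",", 1)  # merchant names may contain commas
        day = datetime.strptime(date, "%Y-%m-%d").date()
        rows.append((day, merchant.strip(), Decimal(amount)))
    return sorted(rows, key=lambda r: r[0])

def find_card_testing(rows, small=Decimal("5.00"), min_probes=3,
                      window_days=3, big=Decimal("500.00"), follow_days=7):
    """Flag bursts of small charges and any large charge shortly afterwards.
    All thresholds are assumed values; tune them to your own spending."""
    smalls = [r for r in rows if r[2] <= small]
    alerts, i = [], 0
    while i < len(smalls):
        window_end = smalls[i][0] + timedelta(days=window_days)
        burst = [r for r in smalls[i:] if r[0] <= window_end]
        if len(burst) >= min_probes:
            last = burst[-1][0]
            followups = [r for r in rows if r[2] >= big
                         and last <= r[0] <= last + timedelta(days=follow_days)]
            alerts.append({"probes": burst, "followups": followups})
            i += len(burst)  # skip past this burst so alerts do not overlap
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in find_card_testing(parse_statement(SAMPLE)):
        print("Possible card testing:", [f"{m} ${a}" for _, m, a in alert["probes"]])
        print("Large charges afterwards:", [f"{m} ${a}" for _, m, a in alert["followups"]])
```

A lone small charge, like the coffee purchase in the sample, does not trigger an alert; only a cluster inside the window does.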

Security is generally about trading in some measure of convenience for some degree of safety.