Security vulnerabilities persist in hospitality industry

Security vulnerabilities persist in hospitality industry. (IMG:J.Anderson)

When checking into a hotel and asked for a credit card for incidentals, or when pre-paying online, do you honestly give it a second thought considering most hotels are big chains and well established? If you're among the majority of consumers, then no, you do not. However, recent breaches and a new study from Trustwave might make you pause in the future.

Earlier this week, Trustwave, a PCI vendor and Qualified Incident Response Assessor, issued an advisory on the results of 75 investigations for credit card compromise. The advisory, while lacking the names of clients who were investigated at their own request, highlighted some interesting observations. Presently, Trustwave’s data shows over one million accounts at risk.

In the majority of investigations, the data held on the magnetic stripe was a complete loss, thanks to antiquated processing systems and technologies used. Since the out-dated processing applications store the card’s data completely, all an attacker needs to do is compromise the system or network and download the stored files. In addition, other similarities in the investigations, such as weak passwords or default passwords, insecure remote access, and improper firewall configurations, each led to a compromise at the hotel.

A spokesperson for the company told The Tech Herald that in each of the 75 confirmed breaches, there were two main methods for extracting data, which none of the businesses were able to prevent at the time of compromise. The first is, again, out-dated processing applications. The fact they are so old means they're out of compliance with PCI, which is a regulation all hotels, motels, and hospitality operations are required to comply with. These applications simply store the data on the system. Once that system is compromised, the data is there for the taking.

The second is custom Malware. This Malware parses magnetic stripe data from volatile memory. Residing within the memory of the infected system, as it's used to record payment transactions, the Malware copies the information and offloads it to any number of destinations. Criminals often create databanks of captured information where they can access it at will. Trustwave said that, in many cases, systems deemed compliant with PCI at one time can fall victim to this type of attack because of issues created during configuration that allowed the Malware to infect the system.

Weak communications, when dealing with remote processing centers for credit card application or remote properties (as in the case of a hotel chain), as well as internal communications, is another avenue of compromise. While Trustwave did not break down how many of the 75 clients were breached by this method, some were, and it is a known risk. Earlier this year, Visa issued an alert that warns of Malware attacks on card data in transit. 

Since most hotels have a centralized processing application for credit or debit card purchases, customers in the restaurant, gift shop or spa all face the same risk as those who used a card to simply pay for their room.

The fact that most hotel chains are connected via a larger network means that if one site is compromised, it isn’t too much of a stretch to assume the other sites are compromised as well. The truth is, in cases like this, if one site is compromised then you can be sure the others are too -- a point proven in the case of Wyndham Hotels and Resorts.

Earlier this year, Wyndham reported that sometime last July, criminals breached the network of a franchised Wyndham property and, because the franchise was linked to a central network, the criminals had access to 41 other properties and their systems.

According to reports at the time, the true scope of the damage was unknown, the hotel never revealed how many accounts were exposed, only Florida listed a figure. In a statement around the time of the disclosure, the Florida Attorney General said that almost 21,000 residents could have been affected by the Wyndham breach.

As a consumer, should you worry? No. Several regulations will prevent you from being liable for fraudulent charges by someone who stole your credit card. There are also stringent protections to help curb some of the pain of identity theft. The problem with most of these identity theft protections is that they still require a lot of hoop jumping.

So what can the hospitality industry do to prevent breaches? According to Trustwave, following the best practices is a start. For example, enforcing stronger passwords, proper egress filtering for the firewalls, and remote access enforcement, are just some of the things listed in its report.

While PCI is not 'end-all-be-all' security, it is the first step. Checklist security is only effective if followed completely, and added to by knowing your business and knowing what risks you face. Reliance on checklists alone will do you no good, as proven by the countless breaches that have occurred at PCI-certified businesses. Each business compromised, sticking only with the reported breaches from 2008 and 2009, was compliant at one point in time. However, what happens between the time of certification and the annual audit is what matters.

The Tech Herald: Best Western Hotels targeted in recent heist (Update) 


Want regular updates from The Tech Herald? Follow us on Twitter.

Interested in a more interactive TTH? Join our Facebook Group.

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.