TECHNOLOGY FOCUS: Between 1997 – 2007 hotels put a lot of effort into protecting their IT-systems by installing anti-virus systems, next generation firewalls, intrusion prevention systems and secure web-gateways. These were defense systems to protect confidential data from computer viruses, worms, backdoor trojans and spyware.
Hotels have to deal constantly with social engineering attacks such as phishing and now also with APTs (Advanced Persistent Threats). Worldwide, APTs are considered the most dangerous type of cyber attack as they simply bypass the defenses that are in place.
This particular group of thieves are experts in cyber intrusion methods and remain anonymous and undercover for a long time, so we can’t see them. Not seeing them coming makes them dangerous, and the toll of their illegal activities is often high. Intelligence agencies and law enforcement know that these criminals are well funded, organised, intelligent and highly motivated to achieve large-scale frauds. Cyber criminals, on the other hand, mostly operate as individuals and simply hack for profit.
Criminals try to hack into the hotel network in an attempt to steal guest identities including credit card details. They are not just targeting one individual, but thousands of cardholders at the same time. Once they have guest cardholder data in their possession, they are able to use it to buy items online, withdraw cash on the account of the victim (the hotel guest) or even replicate credit cards for further transactions. Credit card fraud is a new form of pick pocketing, but on a larger scale.
Hotels in particular are considered soft targets for two reasons:
1. The nature of the hotel business is dealing with many people from different cultures around the world where most people pay their bills electronically.
2. Hotel WiFi networks are notorious for their lack of security and therefore provide an open door for hackers.
At Sky Touch, we see an opportunity in the future to provide a more secure Internet connection for hotel guests next to the open network as an extra service.
Back in 2012 the Federal Bureau of Investigation warned the public to be aware of malware (malicious software) installations via hotel networks, but hotel networks still have a bad reputation for easy access.
Some corporations have taken the necessary step of equipping executives who travel to certain countries with a different company laptop to mitigate the risk of having valuable data infected. Usually when they return to home base, the IT department has to wipe the hard drive again because of the number of viruses and malware found. At the moment, this action seems to constitute best practice.
Security companies such as FireEye discovered that one of the major reasons organisations fail to identify APT attacks is that systems are mainly configured to examine inbound traffic. Monitoring outbound traffic can increase the chance of detecting APTs and other cyber attacks. Most hotels will not know they have been compromised by an APT attack until it’s too late.
To protect guest identity from the new breed of cyber attack, in future we recommend re-assessing the systems and training employees who work with the systems in preventing cyber crime. This approach is less costly in the long term because it reduces the risk of being compromised and having to clean up after an APT attack. Cleaning up later is a challenge and very time consuming. Repairing the damage to the company image is even more difficult. Guests would be wary of trusting you again with their credit card details.
The Check Point security company research team analysed the security threats of over 10,000 companies in 2013. They discovered that on an average day, a high-risk application is used every 9 minutes. Every 27 minutes an unknown malware is downloaded, leading to data loss incidents. Across industries, data loss increased in 2013 by 88 percent over the previous year. Their 2014 security report says that the amount of malware has exploded. Targeted malware attacks and infections increased 73 percent from the previous year.
In 2012, there were 34 million new unknown malware recorded. Research recognised 83 million new malware in 2013. This is an increase of 144 percent, a clear warning sign to take the next generation threat seriously and reconsider IT-security strategy.
Hotel employees receive training today in security awareness and learn, for instance, not to leave back doors open for security reasons. We teach them what to do when receiving a bomb threat or how to behave during a robbery. But do your employees know what to do with social engineering attacks coming from the virtual world?
Founder and Managing Director of Sky Touch Consulting, Stefan Vito Hiller, has over 20 years’ experience in the hotel industry including five years’ experience in the security field. He has worked for leading hotel brands in Munich, Frankfurt, Bremen, Berlin, Cork, Edinburgh and Doha in the Middle East.
When working for a leading global security company in Germany, Stefan developed their hotel and tourism security segment. In this position, he conducted overt and covert security audits, provided security training and developed innovative security solutions.
Stefan now consults to hotels to implement innovative and affordable strategies to raise their level of security to meet growing global demands.