Avoid 2009's Hospitality Hacker Blitz: 15 Need-to-Know Methods of Attack


It's official; 2009 was the year of data breaches in hospitality.

In a multi-industry comparison report by Trustwave, hackers infiltrated hospitality organizations more than any other industry last year, including retail, finance, and more. According to the 2010 Global Security Report, hospitality breaches accounted for a whopping 38% of all breaches investigated by Trustwave SpiderLabs, and can be attributed to attacks on the systems responsible for the processing or transmission of payment card data. The report identified software-based point-of-sale (POS) systems as the most frequently breached area across all of the industries involved (85%), because they represent the easiest method for criminals to obtain credit card data. And for some companies last year, insecure network connections granted hackers unrestrained network access across properties, turning a single breach into a multi-site attack.

Anatomy of a data breach
So how are hackers infiltrating information technology systems? The 2009 Verizon Business Supplemental Data Breach Report identified and ranked by frequency the following top 15 types of attacks:
  • Keylogging and spyware: Malware specifically designed to covertly collect, monitor and log the actions of a system user.
  • Backdoor or command/control: Tools that provide remote access to or control of infected systems, or both, and are designed to run covertly.
  • SQL injection: An attack technique used to exploit how Web pages communicate with back-end databases.
  • Abuse of system access/privileges: Deliberate and malicious abuse of resources, access or privileges granted to an individual by an organization.
  • Unauthorized access via default credentials: Instances in which an attacker gains access to a system or device protected by standard preset (widely known) user names and passwords.
  • Violation of acceptable use and other policies: Accidental or purposeful disregard of acceptable use policies.
  • Unauthorized access via weak or misconfigured access control lists (ACLs): When ACLs are weak or misconfigured, attackers can access resources and perform actions not intended by the victim.
  • Packet sniffer: Monitors and captures data traversing a network.
  • Unauthorized access via stolen credentials: Instances in which an attacker gains access to a protected system or device using valid but stolen credentials.
  • Pretexting or social engineering: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information.
  • Authentication bypass: Circumvention of normal authentication mechanisms to gain unauthorized access to a system.
  • Physical theft of asset: Physically stealing an asset.
  • Brute-force attack: An automated process of iterating through possible username/password combinations until one is successful.
  • RAM scraper: A fairly new form of malware designed to capture data from volatile memory (RAM) within a system.
  • Phishing (and endless "ishing" variations): A social engineering technique in which an attacker uses fraudulent electronic communications (usually e-mail) to lure the recipient into divulging information.
Vendor safety solutions
An operator's first line of defense against a data security breach is of course compliance with Payment Card Industry Data Security Standards (PCI DSS). Here are a few solutions that can help:

TableTop Media: Ziosk: Leveraging the self service trend in the marketplace, TableTop Media has developed Ziosk, a pay-at-the-table and digital promotion device that can be placed on restaurant tabletops. Ziosk features wireless portability, extended battery life, an integrated printer, DVD quality video and 3D applications for dining entertainment, and enhanced security components that exceed PCI requirements for protecting cardholder data. Ziosk is fully PCI PA-DSS compliant.

Maitre'D by Posera: Versions 7.05 and 8 of Maitre'D by Posera are now fully PA-DSS v1.2 (PCI DSS) compliant. The Maitre'D EFT Module allows operators to communicate directly with financial institutions to authorize credit and debit card transactions. A proprietary algorithm embedded within Maitre'D automatically generates new encryption keys for every single transaction that takes place (maintenance-free).

Mercury Payment Systems: PCI Partner Program: Mercury Systems' new PCI Partner program is designed to help merchants who do not have the expertise to complete PCI DSS requirements. It offers comprehensive resources to help merchants comply with PCI DSS requirements. In addition to discounted services, support and assistance, the program provides merchant reimbursements in the event of a data security breach.

MICROS Systems: OPERA Enterprise Solution: Effective in version and above, MICROS OPERA Enterprise Solution now includes enhanced credit card tokenization capability, which can be configured to operate with any credit card processing vendor. Using this capability, a special token corresponding to the credit card transaction is returned from the credit card processing vendor and stored in the OPERA database in place of the card number. OPERA can also tokenize credit card data that is transferred from other applications connected to OPERA, such as online reservation systems, Web booking engines, or sales & catering systems.
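As an added example of the tokenization flow described above (not OPERA's or any vendor's code): a hypothetical processor-side vault returns a random token, the merchant database keeps only that token and the last four digits, and a Luhn scan of the stored rows confirms that a dump of the merchant database would yield no card numbers.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Scan text for Luhn-valid 13-19 digit runs: a quick check of a data store for stray PANs."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_valid(m)]

class ProcessorVault:
    """Hypothetical processor-side vault: the only place a token maps back to a PAN."""
    def __init__(self):
        self._vault = {}
    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_urlsafe(12)  # random, so not derivable from the PAN
        self._vault[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._vault[token]

class MerchantDb:
    """Hypothetical hospitality back-office database: stores token and last4 only."""
    def __init__(self, processor: ProcessorVault):
        self.processor = processor
        self.rows = []
    def record(self, source: str, pan: str, amount: float) -> str:
        token = self.processor.tokenize(pan)  # the PAN leaves the merchant environment here
        self.rows.append({"source": source, "token": token,
                          "last4": pan[-4:], "amount": amount})
        return token
    def pans_in_storage(self) -> list:
        """What an attacker who dumped this database would obtain; should be empty."""
        return find_pans(repr(self.rows))

def demo():
    # Constructed data: a well-known test PAN arriving from a connected web booking engine.
    db = MerchantDb(ProcessorVault())
    tok = db.record("web-booking", "4111111111111111", 189.00)
    return tok, db.pans_in_storage(), db.processor.detokenize(tok)
```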

Agilysys: InfoGenesis POS: InfoGenesis POS by Agilysys is an enterprise-ready POS solution that combines powerful reporting and configuration capabilities in the back office with an easy-to-use touch-screen terminal application. The system's Service-Oriented Architecture (SOA) enables interfaces to a wide range of host systems, such as payment card processors and guest management solution providers. InfoGenesis POS v4.1 is certified by the PCI Security Standards Council as PA-DSS compliant, which ensures the security of sensitive payment card data and enables hospitality venues to operate as profitably as possible.

First Data: Secure Transaction Management: First Data and RSA have responded to conversations with retailers through a new service called First Data Secure Transaction Management℠. The service is a unique solution enabling merchants to secure payment card data and remove it from their environment while allowing access when needed. The approach uses a "layered" combination of tokenization, advanced encryption and public-key technologies designed to dramatically simplify the process and reduce the cost of complying with PCI DSS requirements. The solution will be tested in customer trials and available to all merchants in the U.S. by the spring of 2010.
