Hotels of all sizes continue to fall prey to cyber attacks, while the breadth of data compromised grows exponentially. The practices employed by hackers on hotels are also rapidly evolving, necessitating that IT defense strategies evolve as well.
“The threat landscape is very different now than it was just a few years ago,” notes Kelvin Coleman, executive director, National Cyber Security Alliance (NCSA). “Every hotel is vulnerable, and hackers are looking not just for credit card numbers, but also for data they can monetize. Additionally, attacks are no longer being carried out by ‘lone wolf’ types sitting in a garage or basement. Now most perpetrators are members of organized rings,” both in the U.S. and abroad.
Simple phishing attacks and malware injections are still common in the hotel space, say Coleman and vendors like OpenVPN. However, more sophisticated schemes are surfacing. NuData Security, a Mastercard company, offers the injection of overlays into reservation systems to skim credit card numbers as an example. Advanced persistent threats to hotel networks, which involve multiple simultaneous points of entry (so that if a breach is discovered, hackers can still continue with an infiltration), are popular now as well, reports Compliance Point.
1 WiFi Networks: Be Vigilant
WiFi networks are a common access point for perpetrators to hack into as a “bridge” to the corporate network. According to XM Cyber, this allows hackers to access systems that collect personally identifiable information (PII) and payment card information. Similarly, many attackers now engage in a form of “dark hoteling” that involves creating a spoofed version of a hotel’s guest WiFi network. Guests are tricked into sharing payment or other personal information for WiFi access or faster service.
Another up-and-coming “dark hoteling” scheme involves targeted spear-phishing attacks. According to SiteLock, individuals who are trying to use the guest WiFi encounter a pop-up that looks like it is from the hotel and contains some type of personal information about the guest (the latter distinguishes it from a mass phishing attempt). Clicking a link in the pop-up injects malware into the system. Spear-phishing is also perpetrated against hotels by sending emails to guests, requesting that they click a link (resulting in malware infection) or provide PII or other sensitive data.
2 Internet of Things Platforms: Connected & at Risk
In certain instances, perpetrators now attempt to gain access to properties’ restaurant POS, guest registration, and billing systems through other systems that are connected to the wireless network — e.g., hacking into it via Bluetooth-controlled locking systems, smart TVs, remote-controlled in-room amenities (e.g., HVAC) and advanced AV systems in conference rooms. Vendors like Nyotron acknowledge that as hotel operators increasingly leverage the Internet of Things (IoT) to cater to guest demands for connected experiences, the latter variety of schemes will become more common.
Forter notes a trend among fraudsters creating fake booking sites. This involves reservations being fabricated for resale through “URL-jacking” — utilizing the URLs in hotel confirmation emails to see, extract and change personal information provided there. Highly sophisticated online criminals will also set up fake websites that resemble those of legitimate hotels, accept bookings from real customers, and complete the bookings elsewhere using stolen credentials. The reservations are then sold on a third-party site, turning a profit before the hotel or consumer realizes that any type of theft has occurred.
Forter’s research indicates that account takeovers, wherein fraudsters use stolen credentials to hack into legitimate online accounts, are on the rise across all industries, increasing at a rate of 31% annually with no sign of abating. These attacks occur after network breaches with the perpatrators using PII after it has been stolen to commit additional crimes like account takeover. Takeovers of loyalty accounts are becoming especially prevalent.
3 Artificial Intelligence, Real Threat Exposure
As businesses look to artificial intelligence (AI) to bolster customer experience and guest engagement, Coleman says criminals have begun to exploit this for their own gains. Fraudsters have become adept at finding ways to harness AI to identify where to launch and spread attacks, as well as to pinpoint guest targets and enhance malware capabilities.
Final Word: Technology Fixes
Firewalls, VLANs and regular patching of systems represent a good start toward keeping cyber attackers at bay, but evolving threats call for more comprehensive, effective cyber-defense strategies.
“It’s not only the endpoints any more, it’s everywhere — every device and every system has to be safeguarded,” asserts Randy Vanderhoof, executive director, Secure Technology.
Sources note that while network segmentation — separating networks used to process payment card information from guest WiFi and corporate networks — is good practice, it is insufficient protection against compromise. Attackers now know how to overcome this separation of networks and “jump” from one network to another by taking advantage of misconfigurations or weak controls. Limiting the number of interconnections between different types of networks is therefore very important, as is utilizing technology from vendors like Digital Shadows to detect when unauthorized access from one network to another occurs. Similarly, sources suggest migrating to next-generation firewalls that pair traditional firewall technology with intrusion detection and prevention systems (IDPS) designed to monitor network or system activities.
Hotel operators might also consider opting for fiber-based passive optical LAN rather than a copper-based LAN infrastructure. According to the Association for Passive Optical LAN (APOLAN), copper LANs can span a distance of only 300 feet, so network access points for copper LANs can be placed no more than 300 feet apart. Passive optical LANs can span much greater distances (up to 12.5 miles), reducing the number of vulnerable access points to which hackers have access. Additionally, the optical network terminal component of passive optical network infrastructures store do not store configuration or user information and require no physical management access. This adds another layer of security not possible with copper networks.
CMIT Solutions and Netsurion see a combination of security information and event management (SIEM) and endpoint detection and response (EDR) technology as weapons for fighting the security battle at network endpoints. The SIEM component provides a single location for storing and analyzing data coming from multiple log sources, while the EDR determines whether malware has been installed on endpoint devices and finds ways to respond to this type of threat. Netsurion has rolled out next-EventTracker EDR, a next-generation solution that integrates SIEM with EDR and is delivered in a managed-services model.
Patrick Dunphy, CIO, Hospitality Technology Next Generation (HTNG) points to the increased importance of using unified threat management and threat intelligence solutions given the breadth of the cyber-attack landscape. The latter solutions, sources say, should track geographical indicators and block fraudsters who are pretending to be from somewhere they are not, using an identity-centric approach that involves monitoring customer behavior at every touchpoint of travelers’ buying journey. For example, the browsing, account creation and point redemption stages of loyalty program usage should all be scrutinized to determine the legitimacy of each traveler and catch fraudulent activity before it makes an impact.
Priceline has implemented Forter’s proprietary end-to-end technology in a move to detect and eliminate fraudulent purchases at the account level as well as at the point of sale. The solution taps into an extensive network of resources and utilizes AI to ferret out suspicious activity and determine if a transaction is legitimate prior to settlement.
“This is critical, since both honest travelers and fraudsters regularly book travel at the last minute,” states Eric Lorenz, Priceline’s vice president of finance operations.
or representational state transfer (REST) is equally critical because third-party reservations require APIs, in turn increasing the number of external connections. The use of sniffers to detect insecure API connections helps safeguard data and
systems as well.
While deploying the right network security technology tools is important, hotels must also create what some sources call a “human firewall” by properly training employees about what they can do to thwart threats and what to watch for (e.g., emails that contain suspicious links, suspicious guest behavior, etc.).
Vendors like Cybint Cyber Solutions and VENZA offer cybersecurity education to hotel operators and employees. Prism Hotels & Resorts recently implemented VENZA’s Everest data security package, which in addition to PCI DSS SAQ preparation, internal/external network scanning, and data breach coverage includes the services of a personal program coach and webinars. A wide variety of brands, among them Hyatt Regency and Hilton Hotels & Resorts, among others, made it necessary to provide consistent security training to a diverse employee base, according to Prism Resorts & Hotels CFO John Bailey.
“Hotel employees really need to understand the extent of these threats, and that they play a role in handling them,” Dunphy observes.