
Update the POS with Biometrics

6/6/2017
The hospitality sector is suffering a data breach epidemic often linked to malware infected point-of-sale (PoS) terminals. Two-thirds of data breaches are credentials-based, making a hospitality worker the single point of failure in introducing malware or enabling unauthorized access.
 
According to HYPR, hackers see hospitality work settings as prime targets, just as they do retail and foodservice, due to high bankcard transaction volume. A core service and retention benefit of hospitality that compounds vulnerability is wholesale storage of bankcard and identity data. Hotels and platforms spare travelers the need to re-present payment and personal data, only to increase hospitality enterprise risk of attack on that data.
 
The attack on Sabre’s SynXis system shows that privileged access to data should be underpinned by the best available security using systems designed with security in mind. Fortunately, next-generation authentication solutions for hospitality and other industries offer these workers an experience that makes security attainable and reasonable. 
 
Prior to the Internet, travelers presented sensitive information at the time and place of service. PoS terminals merely processed bankcard transactions and were leaner than systems currently in use. Today's systems combine booking with storage of personal and bankcard data, broadening their target appeal. A sector that once was fun is now an active theater in a larger war against fraud.
 
Running a desktop operating system with a PoS feature provides a ripe environment for exploit. Basic security that is absent today should be implemented tomorrow:
 
  • Encrypt databases where transactions and customer information reside. Encrypt the server software to which all terminals are connected. Also encrypt hard drives where this data is stored.
  • Require VPN access to any server-side remote admin tools to limit exposure to the Internet. PoS systems should not be connected to the public network or to a home office; work exclusively through a VPN.
  • Adopt a security mindset no matter your company size, and ensure all in your organization participate. This is a heavy educational lift. Mature enterprises implement training, and the hospitality sector should take as serious a posture as a big four bank.
 

The last point reminds us that security and usability are usually inversely proportional. The hospitality worker, already overtaxed, is also expected to be infallible in her or his security knowledge and practice. This is hardly fair.
 
A more equitable view of a system built with security in mind is one with a pristine user experience. And an intelligent system is one that addresses that single point of failure — a stubborn reliance on passwords and a quixotic trust in their management.
 
Banks and insurers are already phasing out passwords and safeguarding systems similar to hospitality ones. They are employing a suite of software that leverages everyday mobile devices for voice, face/selfie, touch, eye, and palm scan for entry into all applications across devices, platforms, and operating systems. 
 
Rather than type a username and an increasingly complex or "strong" password, users present one or more biometrics for instant login. Standards such as those of the Fast IDentity Online (FIDO) Alliance ensure that employers, service providers, and security vendors do not store biometrics. Fingerprints, face patterns, and the like remain where they should, encrypted on a user's mobile device. Revocability in the event of a lost device provides yet another protection.
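As an added illustration (not code from this article or from HYPR), here is a Go sketch of the FIDO-style split the paragraph describes: the biometric match and the private key stay on the worker's phone, the server holds only a public key and issues a fresh random challenge per login, and a lost device is revoked by deleting that key. The type names, the string comparison standing in for a biometric match, and the sample user are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the worker's phone: the biometric template and the
// private key stay here; the server only ever sees the public key.
type Authenticator struct {
	template string // constructed stand-in for a locally stored biometric template
	priv     ed25519.PrivateKey
}

// NewAuthenticator enrolls a biometric locally and generates the device key pair.
func NewAuthenticator(template string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails if the OS RNG is broken
	return &Authenticator{template: template, priv: priv}, pub
}

// Sign releases a signature only after a local biometric match; the
// template itself is never transmitted to the server.
func (a *Authenticator) Sign(sample string, challenge []byte) ([]byte, error) {
	if sample != a.template {
		return nil, errors.New("biometric mismatch: key not unlocked")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Server stores one public key per enrolled worker and nothing biometric.
type Server struct{ creds map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{creds: map[string]ed25519.PublicKey{}} }
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.creds[user] = pub }

// Revoke is the lost-device path: drop the public key and the device is useless.
func (s *Server) Revoke(user string) { delete(s.creds, user) }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand, same failure note as GenerateKey above
	return c
}

// Verify accepts the login only if the signature matches the enrolled key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.creds[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A breach of the server's credential table yields only public keys, which is the property the FIDO paragraph relies on.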
 
These solutions solve the security-usability conundrum elegantly and provide workers the best online experience they have ever known. They also lack the risks that SMS or "soft tokens" carry. A recent exploit of the SS7 protocol reinforced the U.S. Department of Commerce's National Institute of Standards and Technology's deprecation of soft 2FA. Next-gen authentication through biometrics also avoids placing additional hardware layers, such as hard 2FA tokens, upon the insecure username-password scheme. The tools are already in hand.
 
Through biometrics, the root and tool of identity verification could not be simpler. It also cannot be forgotten, shared, or mishandled because it is a person. Biometrics delivers ironclad security and a pristine experience, and solutions based on it are in fact working for Wall Street. It is high time we let the sunny side of town, the ski slopes, and other places of note enjoy the safety and peace of mind that comes only from biometric security. 
