How cyber gangs select and break targets

It’s important to understand that cybercrime is an industry – it’s not the reserve of lone operators who know how to hack from the comfort of their bedroom. As an industry, the scale of this criminal enterprise is far greater than many business owners realise. JAMES CARSON, chief executive of Support Tree, explains how organised crime is targeting the IT in hotels.

The fact is, wherever there are payments online, identities logged and bookings taking place, that’s considered a rich vein for cyber criminals. It’s no wonder that hospitality is a prime target.

Cybercrime is a major threat to hoteliers, with reputational loss being a massive consequence. With such a huge amount of transactional data being processed through hotels, customers’ confidential information, including bank details, can be taken, and management can fail to spot those transactions that shouldn’t be taking place. From the hackers’ perspective, because of the large number of transactions going through systems, finding information without the hotel’s knowledge can be very easy, with the right know-how.

The growing list of hacked hotels

Back in 2010, researcher Nicolas Percoco revealed at a prominent US conference on the subject, that cyber gangs had quite suddenly and with real focus, targeted hotels and resorts to compromise the credit card details of customers. Since then, this has not abated. The last two years have seen criminals breaching IT at Trump Hotels, Starwood, Hyatt and many more, all covered by Hotel Owner.

More recently, at the start of this year, a report of malicious malware that breached security for credit card transaction was confirmed by the InterContinental Hotels Group – the parent company of many thousands of hotels around the world.

It’s important to mention these major players, as these hotels have big budgets for legions of IT savvy engineers and yet still they are compromised. Just imagine how attractive smaller hotels with less resource or understanding of the weaknesses in their IT, might be to attackers?

Probing for weaknesses

This brings us to a key criterion that a criminal gang would look for in a new target – vulnerability. How vulnerable is your IT to being hacked, does it have poor security?

Advanced IT is a relatively recent addition to the ‘must haves’ of the hospitality industry, and for this reason, there are gaping holes in security for many hoteliers. Today, live systems are connected to the internet and are attacked regularly. It just takes one malware to win through and all manner of hell can break loose.

Tricks of the dark trade

Training hotel staff about IT security threats to watch out for, may also be poor to non-existent. A common technique used by criminals that can leave your IT wide open to attack, relies on tricking staff into inadvertently installing malware.

Phishing emails are how many hotels are and will be targeted. In particular, you may have smaller independents where staff are doing multi-functional jobs, and sometimes they get asked to do various different things but will not always be sure who by. This means that phishing emails sent out to people holding the purse strings can be an easy way to infiltrate hotel finances and systems, and get all sorts of information. And this is just by sending the ‘right’ kind of email in the guise of someone else. 

Hotels don’t necessarily put a huge amount of resources into the firewalls on their systems so there are open ports on their network, which, with the right kind of equipment, can present an easy opening for hackers. And, of course, if you haven’t got the right sort of firewalls, staff can put software onto their computers which will ultimately lead to exposing those computers. This will allow hackers to, for instance, record key logging to track details saved on a computer, which they can then take advantage of and use. 

The use of so called ransomware, when targeting businesses, has proven to be a nasty piece of software, popular with cyber gangs. This will encrypt all the data in a computer with a countdown timer in the corner, before you are asked to pay a fee, usually a few hundred pounds, to unlock your data – or it will be destroyed.

An attack known as Distributed Denial of Service (DDoS) is also a popular attack method by gangs. This overwhelms your system with a bombardment of requests to computers, effectively crashing the system. When this is part of what’s known as a ‘blended’ attack, database details are stolen at the same time the system breaks down.

Hackers can take screenshots of your computer at regular intervals – capturing all the data on your guests. They can even take control of webcams and monitoring systems and sell the feed. Imagine the consequences of that for hotel security. The criminals often operate in what’s known as the ‘dark web’, a mirror of the world wide web, that criminals traditionally use to pay for trafficking of drugs or people and a range of distasteful and illegal activities.

Beyond your office computer, your point-of-sale devices can be compromised. This is done by hacking remote administration tools. Data of every card swipe is captured and maybe sold on to other criminals who encode other cards with the relevant information. The customer will only realise there is a problem when money has already vanished from their account.

Sometimes the weakness in your security is in your vetting procedure for staff – who may be complicit in a scam.

The pace of technology

The fact is that hospitality and IT are recently very dependent on each other but are not a natural mix of sectors. Therefore, hoteliers may install systems but not fully comprehend how to secure and monitor them.

Hotels are increasingly expected to have as standard everything from Wi-Fi connectivity to electronic keys, CCTV monitoring, room TVs that sync to customer devices, modern online booking systems and a suite of technology that seems to be growing all the time. Every new layer of technology brings with it new security challenges and a means to be exploited. As this increases there will be a heightened focus on sourcing better security solutions – but we have to also pause and ask, is this all practical?  

There is a fine line between cyber security – making sure employees know the right steps in cyber security, and then also productivity – where there are so many steps that you’re being slowed right down. So, you’ve got to draw the line somewhere. There’s a lot of security now that allows for members of the public, or staff of sites to be able to seamlessly and more easily use systems in a more secure way. 

Whilst on the one hand, technology can make life more problematic, on the other it can be clever enough to reduce the complications.

For me, it always comes down to the right kind of implementation and investing intelligently with security. If you have an IT support system which fully understands your setup and the time is taken to work out your kinks, it won’t be problematic. In contrast, if you just try to ‘throw’ security at it without a plan or a strategy, it could be ineffectual and very disruptive to the business.

Worst case scenarios

Of course, if a small hotel loses its reputation, the results to the business can be terminal. For a larger hotel chain, the reputational damage, say from customer information being stolen, could potentially impact on share prices. The impact could be catastrophic, affecting the overall value of the company, which I believe is far more hurtful than any amount of money being stolen. It could also lead to the hotel being sued.

Cybercrime must be taken seriously, more seriously than it currently is – as it is a very real, very active threat to hotel owners everywhere.

What IT solutions should hoteliers consider to ensure security

  1. Wireless network security, using more secure encryption
  2. Separating public networks from internal one
  3. Staff security training, this is the weakest link and last port of defence
  4. Deep packet inspection on internet connections to make every connection safer
  5. Encryption on all laptops and devices with hotel data saved
  6. Mobile device management on mobile devices to control access and ensure monitoring is capable
  7. Two form authentication to log on to the hotel system, or any system with customer information
  8. Anti-virus software on desktops, laptops and Macs
  9. Anti-malware software
  10. Monitoring intrusion and detection systems
  11. Email security, checking email before delivery
  12. Web security, checking all sites before allowing access to site
  13. A need for the development of comprehensive security policies, annual security audits and post-breach processes


James Carson is CEO of Support Tree, a business IT support company based in London.

The post How cyber gangs select and break targets appeared first on Hotel Owner.

Powered by WPeMatico

Latest Posts

Contact Details

the hotel marketer

Phone: 0203 0263660

Email: contact (AT) thehotelmarketer (DOT) com