
A Farewell to Arms… and Anything Else that Isn’t Properly Secured


June 01, 2007
Hotel | Sense
Michael Schubach, CHTP - michael.schubach@pinehurst.com

© 2008 Hospitality Upgrade. No reproduction without written permission.

Through intelligent creation, the modern businessperson has evolved digitally to accommodate a modern lifestyle of constant motion.  They breakfast in Los Angeles, lunch in Chicago and dine in New York, never missing a message or an e-mail.  They move from office to airport to hotel, managing their professional and personal financial empires at every available portal.  They auto-pay their bills from Atlanta, transfer commodities from Dallas, and parlay a hot stock tip into a financial coup over a cup of coffee in Seattle.  They are titans, modern marvels of human potential.

However, they are not the only ones who have evolved.  Now, consider bank robbers. Why should they have to suffer business interruptions like security guards and exploding dye packets?  Do they really have to bother with annoying trivialities like making the getaway car arrangements?  After all, this is the post-modern information age. Shouldn’t robbing a bank have gotten easier? 

You probably won’t be surprised to learn that the process of transferring wealth from one party to another without permission has indeed gotten easier.  What might surprise you is that the victims are more computer savvy than you imagined, the robbers are more nefarious than you imagined, and the enabling partner may be more you than you imagined.

Let’s start at the beginning.  Computer crime isn’t new enough to discuss; identity and personal information theft have been common technology topics for the last decade.  Certainly no IT professional would be willing to admit that he or she even knows people dumb enough to send their bank account information in response to those impassioned e-mails from deposed sub-Saharan dictators.  And yet, intelligent, thoughtful and computer-literate businesspeople are pumping an astounding volume of sensitive information into any computer within a finger’s reach, without as much as a second thought.  What many road warriors don’t quite realize is that as they buy, sell and trade, they can be flinging Hansel and Gretel-style electronic breadcrumbs that can be scooped up from 15,000 miles down the path. 

On March 20 of this year, ABC News aired a piece by Len Tepper and Asa Eslocker focusing on cyber criminal rings in Eastern Europe, India and Asia that target retirement and investment accounts.  It seems that sets of account IDs and their passwords are as hot a commodity as Google stock, and far more reasonably priced.  According to ABC News, IDs and passwords are readily available on a Moscow-based hacker’s forum at a rate of $350 for a set of six.  A Russian-speaking ABC News intern logged into the forum and was offered a set of six trader accounts that had active balances totaling more than $100,000.  I’m sure your CFO would agree that this is an excellent return on a very modest investment. 

The procedure for obtaining user information is deceptively simple. The first step is to infect an Internet-connected workstation with key-logging malware (malicious software).  The most common infection method is to deploy a Trojan horse, an uninvited program that may seem benign but has a more sinister purpose.  The bad guys have workshops of technical minions whose function is to make sure that their programs are one step ahead of (or capable of side-stepping or disabling) the host machine’s protective software.  Once the invader is installed, it opens communications with ISPs half a world away so that every keystroke entered on that machine is intercepted and recorded.  As soon as a hapless user types in any www.financial-institution.com, the uninvited host snaps up the user ID and password.  Faster than the user can change that password or stop a transaction, the end user’s new Russian business partner has emptied their funds through wire transfer, check payment or stock sale.  Money goes out in multiple transactions small enough to avoid any over limit safety mechanisms or legal inquiries.  Transfers generally make a domestic stop before heading offshore, assisted by yet another unsuspecting accomplice—more about that later.

According to ABC News, cyber criminal rings concentrate on installing their key-logging software on upscale public-use terminals frequented by business travelers.  They target machines such as those found in a cyber café, an airport VIP lounge, a convention center lobby or (heads up!) a hotel business center.  But before you assume that you’re safe because you travel with your own laptop, be advised that another favorite method of deploying malware is to have you download it yourself onto your trusted machine.  An FBI source told me that one popular method for finding well-qualified businesspeople to plunder is simply to advertise for them.  Rather than posing as recently exiled dictators, the Mafioso post career opportunity notices on job-finder Web sites like monster.com or careers.com.  They advertise for accountants with banking experience and then download a Trojan horse when applicants visit what they think is a legitimate business site with job offerings.  What the site really offers are overseas travel opportunities for cash and stock if that machine ever logs into a financial Web site.

About now, the average reader is thinking, “Well, sure, bad things happen to good people, but I simply phone my bank, let them know what’s happened, and the money gets put back into my account the next day.  After all, didn’t I just hear a reassuring television commercial by a bank that stated that proven frauds are replaced within a day?”  Yes, average reader, you may have heard such a statement, but you glazed right over the key word—proven.  How do you prove that you didn’t authorize a transaction when the bad guy presented your valid credentials?  The fact that you don’t personally know the recipient doesn’t prove fraud.  Besides that, once the money has departed the original financial institution and the receiving institution’s client confirms that the transfer was expected, the transaction typically cannot be recalled.  Once the funds are offshore, recovery is not a banking issue. Everything now depends on international treaty enforcement and mutual governmental cooperation, which is the diplomatic way of saying, “pucker up and kiss your assets good-bye.”

Remember when I said that money goes offshore by way of unsuspecting accomplices in the United States?  Those “mules,” as the FBI likes to call them, are people who have responded to online career opportunity listings as well.  They are typically stay-at-home folks with a computer system and a bank account.  They have been led to believe that they can make big bucks in their spare time while they sit poolside with their laptop.  Once they join the program, they receive wire transfers into their personal bank accounts.  (Can you guess from whence that transfer originated?)  The mule is instructed to withdraw the wired amount (less a very generous commission), convert the balance of the funds to a cashier’s check, take that check to a Western Union facility that day, and wire it on to another address in… let’s say… the Ukraine.  When the FBI contacts a mule to let them know that they have just participated in a fraudulent money laundering scheme, most of them are taken totally by surprise.  If the mule knew what he was doing–and the FBI could prove that–they would be arrested and prosecuted for committing a federal crime.  However, if the mule thought he was employed by a legitimate company transacting legitimate international business, they are innocent of a crime.  The mule may be convinced to go out of business but the money is usually long gone by the time they are contacted.

Once wired abroad, the money becomes the property of the bad guys.  My FBI source noted that although our U.S. agencies petition Russia for intervention and assistance, this sort of issue receives a very low priority on the Russian side.  None of their citizenry has been victimized, no real advantage accrues to the Russian authorities (outside of American goodwill), and their own mafia can be active enough to discourage active police engagement.  It seems logical to expect that the police interest level would be higher if the money were flowing from them to us, but apparently they are not yet as attractive a target as we are.  However, if they maintain their current success rate, they may be joining us up there at the summit of evolution faster than they realize.

There are lessons here for IT professionals, both as network custodians and as plain old people.  First and foremost, don’t entrust a computer you’ve never seen before with your financial transactions; the computer is only as safe as its last user.  Second, make sure your own trusted computer has functional anti-virus protection that is updated daily.  Third, change your passwords regularly.  Not just your machine or network access password, but your application passwords.  When was the last time you changed your online banking password?  Fourth, read your statements from your financial institutions as soon as they are available, and review your balances frequently.  Notify the institution if you see anything unusual; sometimes interlopers will just change a setup parameter or perpetrate a $5 fraud to test the waters.  If you don’t know what or why something happened to your account, then call your institution immediately.

 For the IT professional as a network custodian, we must come to terms with a business requirement for ever-increasing diligence as bad guys proliferate.  Of course our private business networks have our undivided attention, but what about our public machines?  Are they checked frequently?  Is virus protection in place and updated regularly?  Do you wipe and reinstall regularly just because?  Are your guests aware of the potential risks when they sit down to a common-use machine?  A disclaimer notice for public-use machines (similar to ‘no lifeguard on duty – swim at your own risk’) is not a bad idea.  At the risk of making it sound like the lawyers have already inherited the universe, I would not want anyone to be the provider of a hotel business center machine that was construed to be negligently contributory to a fraud. 

Goodness knows that in this day and age, anyone who can type on a computer should be aware of the dangers that lurk in cyberspace, but as Mae West once observed, goodness has nothing to do with it.

Michael Schubach, CHTP is vice president of information technology for Pinehurst Resort.  He does indeed keep his money in a bank, and as of last night, the account still had a balance on it. He can be e-mailed at michael.schubach@pinehurst.com, so long as the message is certified virus free and doesn’t request any specific information or perilous site visits in the reply.
