
Protecting Guest Data: Testing for Social Engineering



March 01, 2012
Security | Guest Data
Lynn Goodendorf, CIPP, CISSP - lgoodendorf@versprite.com


In the past few years, many hotels and restaurants have stepped up their technology defenses to protect guest data and other confidential information, but it is a mistake to think that technology alone is an adequate defense. Criminals know that the easiest way to bypass our best technology defenses is to deceive and manipulate human beings. This strategy is known as social engineering.

Social engineering can be used to gain physical access to secured areas such as server rooms, media closets or storage facilities containing records and computers with confidential information, or it can be used to prompt people into sharing confidential information such as their passwords or a guest's email address.

Here are some examples of cases that have occurred in the hospitality industry:

Case 1: Imposter Tax Auditors
Two men dressed in business suits and carrying laptop cases came into a hotel and asked to speak to the general manager. They claimed they had been retained by the County Tax Commissioner’s Office and showed business cards identifying them as CPAs. They went on to say they were conducting unannounced tax audits and needed to review the accounting records for the past year. As we know, these records not only include confidential business information but also contain details about guests and employees. They also said they would need a conference room to work in and the use of a copier to document various records.

Although these two men appeared credible, the general manager decided to make a phone call to the Tax Commissioner’s Office and learned that the two men were not authorized and were imposters. The Tax Office also advised that it does not conduct unannounced audits and always provides written advance notice. The general manager in this case protected guest data and the business information of the hotel by making that one phone call to verify whether these two men were legitimate, and they were not.

Case 2:  PMS Changes
A hotel front desk associate received an email from his property management system (PMS) vendor. The email advised that a software update would be downloaded within the hour to correct some software bugs and that it was necessary to create a new password. The email contained a link to follow. Fortunately, the hotel front desk associate checked with the manager on duty, who was not aware of any PMS changes or downloads. A few phone calls later, it was determined that the email was from a false sender and was an attempt to get unauthorized access to the PMS.

Case 3:  Point-of-Sale System Maintenance
A young man walked into a restaurant during a busy lunch rush and introduced himself to the hostess as a technician from the point-of-sale (POS) company sent to do maintenance on the system. He offered a business card, was wearing a polo shirt with the POS company logo on it, and was carrying a laptop case. The general manager was offsite at a meeting, so the hostess called the assistant manager. The controlling computer for the POS system was in the locked office at the back of the restaurant, and the assistant manager had the keys to unlock the office so the maintenance work could be done. The assistant manager had several things to do during this busy time, but took the time to call the vendor to verify the maintenance work because the general manager had nothing noted on the schedule about it. That phone call protected the guest credit card data stored in the main POS console in the locked office, along with all the cash payments stored there as well.

Case 4:  Additional Copy of Guest Folio
It is not unusual to receive a phone call from a guest who had a past stay and has lost the copy of his guest folio needed to submit an expense report for business travel. A front desk staff member received such a call and advised the guest to log on to the loyalty program website to get an e-copy of the folio he needed. But the guest said he did not belong to the loyalty program and was calling from an airport where he could not log on to his PC at the moment. It turned out that the caller wanted the copy sent to an email address different from the one on file. The front desk staff member took the time to check the email address on file for that guest and recognized that the caller was asking to have the folio sent to a different one. The caller was advised that the folio would be emailed to the address on file, and the guest data on that folio was protected.

This brings up the question of whether there are details on a folio that could be useful to a criminal. It has long been accepted policy in the hotel industry, as a matter of guest safety, not to tell anyone a guest's room number. But what other information do we have about guests that must be carefully controlled? Even the home address and the last four digits of the credit card number from a guest folio can be valuable to a criminal who already has other stolen information about that individual.

Bear in mind that there is a criminal marketplace where criminals can buy stolen credit card numbers for less than 50 cents each, but a full identity may sell for $100 or more. A full identity includes name, postal address and the email address or phone number associated with that account, along with a social security number, driver’s license number or passport number.

When someone has a full identity, he or she can pass the verification procedure for all kinds of customer services and even open new accounts or change the address on an account. To achieve this, criminals may have to collect different parts of an identity from different sources. Many times the pieces of personal information at risk are not the ones we have learned to watch for, such as social security numbers or passport details. Instead, the details an attacker desires may be a phone number or an email address. For this reason, it is critical to consider all personal information confidential and manage it carefully.

Criminals may use data gathering to prepare for a social engineering attack. They may look in dumpsters or trash cans for receipts, signatures, letterheads, names or other information that can be used to further an attack. Knowing the names of managers, or the names of some of the property's service companies, helps add credibility to an attacker's story. This type of information, while not seemingly sensitive, should not be discussed with untrusted individuals.

The very real difficulty of all the social engineering cases described above is that they could have been legitimate. This is where training and procedures pay off. When hotel staff are well trained and prepared and know how to respond, both the hotel's reputation and guest data will be protected (along with employee information, too). Social engineering is aimed at organizations where training and procedures are weak or nonexistent. High staff turnover can also be a factor: if training is offered only once a year, new employees may miss out and remain untrained.

Criminals also aim for times when it is very busy and staff may be distracted or preoccupied, or a hotel may be targeted during the late night shift when few employees are on hand and there is a reluctance to call the general manager.

One of the best ways to determine whether your training and procedures are understood and consistently followed is to have a reputable security firm conduct a social engineering test. The exact type of test can be designed to relate to the training and awareness programs that have been implemented and the overall information security priorities that have been set. The date and location of the test are agreed and planned in advance.

Different kinds of testing that can be done include:

  • Attempting to physically access secure areas such as a back office or records storage room.
  • Obtaining specific target information via emails or phone calls.
  • Attempting to make unauthorized changes to guest profiles such as email addresses or other contact details.
  • Convincing employees to perform unsafe actions such as visiting untrusted websites or downloading unknown software.

If you are striving to take the right steps to protect guest data, review your security procedures or consider a social engineering test this year. The results of a social engineering test are the most reliable report card on your security awareness and training procedures.

Lynn Goodendorf, CIPP, CISSP, is vice president of Data Privacy Services at VerSprite LLC, which provides consulting services for information security and privacy. She can be contacted at lgoodendorf@versprite.com.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
