Tech Talk


Hacking Hospitality: So Easy, a Child Could Do It

12/19/2014

Most hotels are riddled with security gaps. But I’m a glass-half-full kinda guy. The good news is that the issues that plague the industry are also simple to fix.

The following palm-to-the-forehead scenarios are actual examples of what I’ve personally witnessed while conducting security audits onsite around the world. Hopefully you can take these face-palm events and turn them into fist pumps of security-inspired success.

Password123? Sure, that seems secure.
When those geeky (albeit somewhat intelligent) IT guys come to install your point-of-sale terminal (POS), property management software or router, they usually set up a default password… and then they leave.

Indeed, Merriam-Webster’s definition of default is, “a selection made usually automatically or without active consideration.” Hear that? Without active consideration! Guess who else knows the default passwords for every single piece of software or hardware out there? Google. Courtesy of its billion online contributors, of course. The default password to your POS system is online, right now, merely a Google search away.

In a forensic investigation that my colleague conducted, 28 separately owned restaurants were hacked because one careless POS installer accidentally saved his client list in the POS installation files. How did this hackfest begin? It all started with one POS system’s unchanged default password, easily guessable by hackers everywhere.

This brings up a huge grey area in hospitality: the unclear delegation of security obligations between franchisors and franchisees. Often, the franchisor (or a franchisor-appointed third party) makes the decisions (including password decisions) and the franchisee follows… blindly.

Here’s the problem with franchisor-controlled security. You are responsible for security. You are responsible for Payment Card Industry Data Security Standard (PCI DSS) compliance. You are responsible when your franchisor-appointed third party sets a default password and you forget to change it. It’s you who is liable in the event of a breach. No franchisor or IT guru in the history of ever will pick up that tab.

If this sounds familiar, it’s time to have a long conversation with your franchisor.

A binder chock-full of credit cards just for me? You shouldn’t have.
Raise your hand if you keep a binder full of scanned credit card images somewhere behind the front desk for easy reservation access. If you do, take that raised hand and smack your forehead. Do you realize it only takes one patron, disgruntled employee or stranger to casually slip that convenient binder under his trench coat and walk out the door with thousands of credit cards, free of charge?

As per the PCI DSS, you aren’t supposed to store sensitive information (like payment card data) out in the open. Case closed. It’s time to find a different way to store patron payment information.

Now that we’ve covered physical storage of credit cards, did you know 63 percent of businesses store unencrypted credit cards on their business networks? In all likelihood, 16-digit card numbers swiped by your employees are not adequately protected. Besides being completely against the PCI DSS, unencrypted card data makes it easier for criminals to steal data and sell it on the black market for a huge profit.

How do you know if your organization is one of the 63 percent? Simple. Download a card data discovery tool (such as SecurityMetrics PANscan) to check your network for anything that may resemble card information so you can securely identify, delete and fix the problem. That process will greatly decrease the amount of damage a criminal may do to your business if you are compromised.
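To show what a card data discovery pass looks for, here is a small added example (not part of the original article and not how PANscan itself works): it finds 13 to 19 digit runs, keeps only those that pass the Luhn checksum, and reports them masked. The sample text is constructed from published test card numbers.

```python
import os
import re

# 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: published test card numbers plus one non-card id.
SAMPLE = """\
res#8841 guest=A.Example card=4111111111111111 nights=2
note: caller read card 5555 5555 5555 4444 over the phone
folio ref 1234567890123456 (internal id, fails Luhn)
amex on file: 3782-822463-10005
"""

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (line number, masked number) for each Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if len(set(digits)) > 1 and luhn_ok(digits):  # skip 0000... filler
                hits.append((lineno, mask(digits)))
    return hits

def scan_tree(root):
    """Walk a directory; return (path, line number, masked number) hits."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, errors="ignore") as fh:
                    hits += [(path, n, m) for n, m in find_pans(fh.read())]
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return hits
```

Calling `find_pans(SAMPLE)` flags lines 1, 2 and 4 and ignores the folio reference on line 3; `scan_tree` applies the same check to every readable file under a folder.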

Updates? Ain’t nobody got time for that!
When was the last time you updated your operating systems? Please don’t tell me you’re still using Windows XP… What about the last time you updated your POS software? Your Internet browser? Your apps? Your mobile devices?

When it comes to updates, it seems like every man, woman and child thinks, “Updates? Ugh! I don’t have time for that right now!”

Did you know security is the number one reason to continue updating to the latest version of any system software? Criminals search for new weaknesses every day, and if systems aren’t updated regularly, these individuals may easily be able to find holes that allow them into your system.

Technically, problems that require hurried updates aren’t your fault. It’s the fault of the POS provider, the application creator or the software coder. But, if you don’t take the time to install the update they provided, you can (and will) be liable for your lazy updating practices that result in a data breach.

“That’ll be $460, sir. Now let’s print off your itinerary…”
You may have read this section in a recent Hospitality Upgrade blog post, but if I’ve said it once, I’ve said it a hundred times: don’t use front desk computers that browse the Internet to also accept credit card transactions. This is one of the worst security decisions a business could make.

What happens if the innocent employee, with no formal security training, accidentally clicks on a malicious link while browsing the Internet? That malicious link could secretly download malware or install a virus onto the machine. Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire local network) could be at risk.

The solution to the hotel front desk dilemma is simple. Segment. Dedicate one machine to take credit cards, and dedicate any others for customer service use. Machines used to take credit cards should have no access to the public Internet, and machines that have access to the Internet should not have access to the POS system.

Say a customer pays with a credit card on the dedicated machine while checking in, then asks about restaurants in the area. The front desk clerk would physically need to move to the other computer placed on a separate network segment used for Internet browsing. See? That wasn't too hard!
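One way to verify that the segmentation actually holds is to check firewall flow records against the two rules above. The following is an added example, not from the original article; the subnets, the log format and the payment gateway exception are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing plan for illustration (not from the article).
CARD_NET = ip_network("10.20.0.0/24")     # machines that take credit cards
BROWSE_NET = ip_network("10.30.0.0/24")   # front desk Internet machines
INTERNAL = ip_network("10.0.0.0/8")       # all on-site address space
PROCESSOR = {ip_address("203.0.113.10")}  # hypothetical payment gateway

# Constructed flow records: "src dst dst_port action"
FLOWS = """\
10.20.0.5 203.0.113.10 443 ALLOW
10.20.0.5 198.51.100.7 80 ALLOW
10.30.0.9 198.51.100.7 443 ALLOW
10.30.0.9 10.20.0.5 3389 ALLOW
10.30.0.9 10.20.0.5 445 DENY
10.20.0.6 10.20.0.1 53 ALLOW
"""

def violations(log):
    """Return (line number, reason) for each allowed flow that breaks a rule."""
    found = []
    for n, line in enumerate(log.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # not a flow record in the assumed format
        src, dst, action = ip_address(parts[0]), ip_address(parts[1]), parts[3]
        if action != "ALLOW":
            continue  # a blocked attempt means the firewall did its job
        # Rule 1: card machines get no public Internet access
        # (the gateway exception is an assumption of this example).
        if src in CARD_NET and dst not in INTERNAL and dst not in PROCESSOR:
            found.append((n, "card machine reached the Internet"))
        # Rule 2: Internet-browsing machines never talk to card machines.
        elif src in BROWSE_NET and dst in CARD_NET:
            found.append((n, "browsing machine reached a card machine"))
    return found

if __name__ == "__main__":
    for lineno, reason in violations(FLOWS):
        print(f"flow {lineno}: {reason}")
```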

Yes, children could hack you.
OK, so there’s not a huge influx of evil hacker children swarming the globe right now. But “script kiddies” are becoming a very disturbing trend. The availability of readily accessible hacking-made-easy tools has swelled the ranks of these childlike, but effective, hackers. An amateur with a grade school computer education can often hack a poorly defended business network in minutes after downloading free hacking templates on the Web.

Even though these hackers may be amateurs, their success rates are increasingly high, largely because businesses haven’t spent enough time making easy changes to safeguard their companies.

My point? Without effective security, more businesses will be attacked and compromised. Stop face-palming. It’s time to play hard to get.

 

About The Author
Gary Glover

SecurityMetrics


Gary Glover (CISSP, CISA, QSA, PA-QSA) is the director of security assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over nine years. For more information about SecurityMetrics, visit www.securitymetrics.com.

 