Tech Talk

Recent posts

The robotic revolution in the hospitality industry might seem to have taken a step back. This January, the famously quirky Henn-Na Hotel in Japan fired half of its 243 robot staff. The robotic workforce reportedly irritated guests and frequently broke down.

Think about the moment when you first enter your hotel room. Look around: Does the room tell you anything unique about the hotel where you are staying? Or is it all beige walls and double beds with white covers, and you have to walk back outside and look at the sign on the hotel’s facade to even remember where you are?

Hotel guests commonly bring multiple devices with them during their stay. However, many hotel environments don’t provide easy access to charging outlets. This situation can lead to a guest feeling more than inconvenienced. A recent survey found almost 90 percent of people "felt panic" when their phone battery dropped to 20 percent or below.

Spam is one of the major problems that most hotel website owners face on regular basis. It is a bad practice used by spammers to persuade the page rank of a site.

GBTA recently partnered with AccorHotels to conduct a study investigating the role of loyalty in managed travel programs in Europe with the goal of understanding how loyalty programs currently fit within company travel policy and what opportunities may exist in the future.



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.

x
 

Eliminate Internet Browsing on Check-in Machines

07/24/2014

At virtually every hotel security audit I’ve ever conducted, and at every hotel I’ve ever stayed at, front desk computers are used to both browse the Internet and accept credit card transactions. That is a serious violation of security protocol.

It doesn’t matter if a desk clerk is helping a customer print off their afternoon boarding pass, or check their personal email. Internet browsing on point-of-sale (POS) or property management machines that have the capability to take credit cards is a one-way ticket to data compromise.

Hackers Are Lurking
What happens if the innocent employee, with no formal security training, accidentally clicks on a malicious link while browsing the Internet? That malicious link could secretly download malware or install a virus onto the machine. Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, so cybercriminals can reproduce cards or sell the stolen data on the black market.

Common types of malware that may infect your front desk computers include:

  • Keylogger: malware that secretly records every keystroke a user makes on a computer or mobile device. In such a way, malware authors can easily harvest typed information like passwords or credit cards.
  • Memory Scraper: designed to capture, or ‘scrape’ sensitive information from system memory (RAM) and return it back to the attacker. Some can morph into newer versions to avoid detection, or automatically reinstall in different locations if deleted.
  • Rootkit: type of malicious software activated each time a system boots up. They are difficult to detect because they reside at the system’s kernel level, and are activated before a system's operating system has completely booted up.
  • Packet Sniffer: malicious software that can intercept incoming and outgoing network traffic. Most sniffers are able to decode and analyze the data found, reporting it back to the owner.
Can Customer Service and Security Coexist?
The solution to hotel front desk dilemma is simple. Segment.

Most hoteliers don’t segment the POS and property management systems from other systems with access to the Internet. Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don’t. Segmentation is a very secure practice because, if set up correctly, it is nearly impossible for sensitive data to leak outside of its allotted area.

It may sound complicated, but it’s not. All you need to do is dedicate one machine to taking credit cards, and dedicate any others for customer service use. Machines used to take credit cards should have no access to the public Internet (browsing, etc.), and machines that have access to the Internet should not have access to the point of sale system. That way, even if employees aren’t properly trained, it’ll be extremely difficult to mess up.

For example, if a customer pays with a credit card on the dedicated machine while checking in, then asks about restaurants in the area, the front desk clerk would physically need to move to the other computer placed on a separate network segment at the front desk used for Internet browsing. Remote desktop connections to a dedicated ‘browsing’ computer on another network segment could also be used.

Please note that the computers used to browse the Internet are just as vulnerable as before, but if infected, do not have access to credit card data on the more secure network segment. Also, don’t forget the concierge desk…they often have similar access to front desk computers.

I’m convinced that if this simple practice were put into place at hotels around the world, the risk of compromise in the hospitality industry would significantly decline. Not to say this is the only way hospitality industry systems are being compromised. Best practice is always to implement all controls contained in the PCI Data Security Standard. 

About The Author
Gary Glover

SecurityMetrics


Gary Glover (CISSP, CISA, QSA, PA-QSA) is the director of security assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over nine years. For more information about SecurityMetrics, visit www.securitymetrics.com.

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code