
Point-of-Sale System Breaches, Hackers Do Not Discriminate

03/06/2014
“We're deeply sorry for the inconvenience and frustration this issue has caused our guests.” Those are the words prepared by the public relations staff for the 40 million Target customers impacted by the data breach announced in December 2013. Besides having their information stolen and sold on the underground market, many of those guests found themselves with banks, credit unions, and state benefit programs closing down their cards as a result of “recent fraudulent activity occurring on customers’ compromised cards.” Those cards have been or will be reissued, and the customers will not be financially liable for losses, but they still have had unnecessary hassle introduced into their holidays.

It has been widely speculated that the Target breach was the result of a computer virus that was introduced via a software update on every point of sale (POS) device. This is similar to what has been seen before, most recently in October 2013, when a variant of malware (malicious software, or a virus) given the moniker “Dexter” was identified as the culprit in a massive data breach affecting the South African fast-food industry. Like the Target breach, the South African breach cost local banks tens of millions of rand (the South African monetary unit) and is reported to be one of the worst breaches in that country’s history.

In both instances the culprit is reported to steal data through RAM scraping, a technique in which the data is stolen from the computer’s working memory, where real-time transaction data is held so that transactions can be processed quickly.

On January 19, 2014, Beth Belton of USA Today reported that the virus used in the Target and Neiman Marcus attacks was likely written by a 17-year-old hacker from Russia. As first described in Hospitality Upgrade's Summer 2011 article, “Who’s That Knocking At My Computer”, Russian cybercriminals dominate the threat landscape. Ms. Belton revealed that the teenager, identified as Sergey Taraspov, sold his malware to dozens of cybercriminals for about $2,000.

With credit and debit card fraud growing more prevalent all the time (Nilson Report statistics put this type of fraud at $11.3 billion worldwide in 2012) the pressure on retailers to prevent these types of breaches will only increase.

Ensuring your organization is compliant with the Payment Card Industry (PCI) standards is an important step toward protecting yourself from these types of breaches. It is crucial, however, to remember that good security will always lead to compliance, but compliance will not always lead to good security. As you review your compliance plan for PCI, make sure your goal is more than just to be “minimally compliant.” The extra effort involved in implementing better security controls is well worth it when you consider the impact a breach could have on your business and, more importantly, your reputation.

As a result of the trends in the ways attackers breach credit card data, the Payment Card Industry (PCI) has responded with improved and tougher standards. PCI Data Security Standard (DSS) 3.0, effective beginning January 2014 (although not mandatory until January 1, 2015), provides some overdue new guidance related to Point of Sale (POS) systems. The new standards would have significantly lowered the risk of a breach of the type that occurred at Target and others.

The changes that impact POS systems fall into one of three categories: scoping, inspection of devices, and anti-malware practices.

Historically organizations have been able to “scope out” much of their network (i.e., carve it out from being subject to the requirements of the standard) by putting their POS system on a separate network segment, i.e., implementing network segmentation. In this way, only the segment of the network on which the POS system resides is subject to the standards and the other network segments are not. The theory behind this is that vulnerabilities in the non-POS segment cannot impact the segment that contains the POS system.

PCI DSS 3.0 still allows you to use segmentation and scope out portions of the network, but now requires proof that the segmentation truly isolates the POS system from the rest of the network. The proof required is in the form of validation through testing that the segments are separate and that a vulnerability in the non-POS segment would not be able to impact the segment containing the cardholder data. Typically a network penetration test is relied on to provide this validation.

Another new requirement in PCI DSS 3.0 is “9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” This requirement, which requires periodic inspections of POS devices, is considered a best practice under the new standard until June 15, 2015 when it becomes a requirement. This standard strengthens card present transactions (like those at the Target stores) by ensuring that terminals are evaluated on a regular basis to ensure they have not been compromised.
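One way the periodic inspections under requirement 9.9 can be reconciled against a device inventory, as an added example that is not part of the original article. The device records, locations, serial numbers and the 30-day inspection interval are all constructed assumptions; the standard itself only asks for periodic inspection and an inventory of make, model, location and serial number.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Terminal:
    make_model: str
    serial: str
    last_inspected: date


# Authoritative inventory keyed by physical location (constructed sample data).
INVENTORY = {
    "lane-01": Terminal("Acme P100", "SN-1001", date(2014, 2, 20)),
    "lane-02": Terminal("Acme P100", "SN-1002", date(2014, 1, 10)),
    "front-desk": Terminal("Acme P200", "SN-2001", date(2014, 2, 28)),
}


def inspection_findings(inventory, observed, today, max_age_days=30):
    """Compare serials read off the devices during a walk-through
    (observed: location -> serial) with the inventory.

    Returns a sorted list of (location, finding) tuples covering
    substituted, missing, unexpected and overdue devices.
    """
    findings = []
    for loc, term in inventory.items():
        seen = observed.get(loc)
        if seen is None:
            findings.append((loc, "missing"))
        elif seen != term.serial:
            # A different serial at a known location is the sign of a
            # swapped terminal that the 9.9 inspections are meant to catch.
            findings.append((loc, f"substituted:{seen}"))
        if (today - term.last_inspected).days > max_age_days:
            findings.append((loc, "overdue"))
    # Devices at locations the inventory knows nothing about.
    for loc in sorted(observed.keys() - inventory.keys()):
        findings.append((loc, f"unknown:{observed[loc]}"))
    return sorted(findings)


def walkthrough_report(observed, today=date(2014, 3, 6)):
    """Run a walk-through result against the sample inventory."""
    return inspection_findings(INVENTORY, observed, today)
```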

Lastly, the new standard addresses the need for increased vigilance on systems not commonly targeted for malware attacks. While the standard specifically calls out systems such as the iSeries or AS400s, devices with Apple or Mac OS’s would also fall into this category. This recognition that malware and viruses can be created to target any and all technologies is a key improvement to the standard, and it injects reality for those who think “it can’t happen to me” because their system is not a common target for hackers.

About The Author
Mary Siero
President
Innovative IT


Mary Siero is an executive level Information Technology Consultant with experience in several industries in both IT and business departments. Her diverse background has provided her with a unique perspective about IT's role and the value it can bring to the businesses it supports. Mary has over 30 years' experience in engineering and technology from industries such as Gaming and Hospitality, Healthcare, Consumer Products, Manufacturing and Education.
