To prevent security breaches, know how they occur

January 11, 2012

Guests’ personal data passes through a hotel’s network every day and can be found anywhere from the point-of-sale system to the property-management system to the financial records and guest-profile databases. It is often collected via the swipe of a credit card and transmitted electronically, but even encryption technology alone won’t stop it from getting into the wrong hands.

Trustwave is a leading provider of on-demand data security, often hired by credit card brands to investigate breaches. Many of Trustwave’s investigations following breaches in the hospitality space have determined the technology in a hotel was compliant with the PCI Data Security Standard, but human error allowed hackers to gain access to databases, extract guests’ credit card numbers, duplicate credit cards and assume false identities.

“They can turn that data into cash rather quickly,” said Nicholas Percoco, SVP of SpiderLabs at Trustwave.

That doesn’t necessarily mean property-level employees were at fault. Often, in attempts to make hotels more efficient by sharing guest profiles or allowing remote access for IT staff, networks are left unsecured.

“It’s mostly the network configurations—the first thing we’re going to look at is remote access,” said David Ellis, director of forensic investigations for SecurityMetrics, a data security firm certified to perform PCI scans, audits, penetration tests and forensic analysis. “Are the passwords hardened or are they ‘ABC123’? The attacker has to get in somehow and the most popular way is getting passwords from remote access programs like LogMeIn, PCAnywhere, etc.”

Once a hacker has gained access to a network or server, he can install malware that records future credit card transactions. Another piece of undetectable software searches files for data consistent with credit card numbers and extracts it. If an internal FTP server is set up, the hacker can retrieve files that way; if not, he can set up an undetectable internal e-mail server and e-mail himself the critical data.

“With the credit card number and the swipe data, hackers can recreate the cards,” said Warren Dehan, president of Northwind-Maestro, which recently went through the application and review process to be listed on the PCI Security Standards Council’s list of PCI compliant companies. “The hardcopy—on paper—that’s the poor man’s way of stealing data. Modern day hackers will just start scanning the Internet and if a hotel doesn’t have their network locked up tight they can get on the machine, and maybe on the server if they’re lucky.”
