Before flying from Rome to Philadelphia earlier this summer, I stopped in the hotel lobby to print my boarding pass. The hotel had one computer dedicated solely to this task. It was the only public computer available to guests. I could access only airline websites and input my name and confirmation number for the ticket. That was it.
I thought this was the hotel's way of trying to squeeze a few more Euros out of me – but this setup may also stop fraud. It prevents someone from stealing whatever other information I could have typed into the computer, such as an email login and password.
In July, the U.S. Secret Service and Department of Homeland Security released an alert to the hospitality industry, warning it that business center computers had become a hacker target.
According to Krebs on Security, which posted the nonpublic advisory, the warning came from a task force in Texas that arrested individuals who allegedly targeted computers at hotel business centers in the Dallas/Forth Worth area.
This kind of fraud could be more than just about trying to steal a road tripper's credit card information, said Patrick Peterson, CEO of cybersecurity company Agari. If the hotel in question is near a major corporate headquarters – where contractors, consultants and employees from other offices stay when visiting – criminals could target them to steal and then sell company login information. Credit card theft thus becomes possible corporate espionage.
The hotels involved in this case haven't been revealed, but Peterson points out that they could be near the Dallas/Fort Worth-area headquarters for AT&T, Energy Transfer Equity, Southwest Airlines, Texas Instrument and Neiman Marcus.
"If you're in Russia, if you're in China, and you're about to bid on a multibillion-dollar oil field, knowing what your competing bidders know about that oil field is very valuable," he says. It's much easier to steal someone's login through an unsecured business center computer than to infiltrate a heavily protected company.
Travel Industry Security Lags – and Hackers Know It
The travel industry lags in its security efforts, Peterson says. Agari's TrustIndex report found a 400 percent increase in the level of threat to the travel industry in the past quarter. Out of 14 companies that Agari studied, only three hit acceptable security marks.
A large part of that threat came from email phishing scams that would either install malware on the victim's computer or let criminals encrypt a hard drive and then demand a ransom to unlock that hard drive, Peterson says.
Attacking business center computers is a different kind of scam. "It's low-tech, and there are so many different ways it can be done," says Bill Hargenrader, cyber security solutions architect at Booz Allen Hamilton, a strategy and technology consulting firm. It's also cheap, he adds: "I can go online right now and, for $60, get a USB keylogger and put it into someone's computer and record all those keystrokes."
On a business center computer, a keylogger stuck into the back of a machine can go undetected for months – and that's assuming the person who finds it knows it shouldn't be there.
Another attack method: Installing software directly onto the machine, using general-purpose Trojan malware such as Zeus, which will "sit around and look for user names and passwords for people browsing online," Hargenrader says. The Trojan will also look to steal credentials, banking login, credit card information and company logins.
In the Dallas/Forth Worth case, the suspects allegedly used stolen credit cards to register as hotel guests, then logged on to install keylogging software onto those machines.
Security Cameras, Touchscreens Can Help Hotels Prevent Data Fraud
Hotels have a few options on how to prevent this kind of theft.
One low-tech but effective tactic is installing video surveillance, says Chris Poulin, IBM security strategist. "Cameras can be a pretty good deterrent." Just knowing that they're being recorded can stop hackers from trying to insert a USB keylogger – not to mention identify perpetrators if they still try.
Hotels can also swap out standard screens with touchscreens and activate Windows 7 Touch features that come with the device, says Hargenrader. If there are no keys, there are no keystrokes to record.
Going a step further, hotels could replace PCs with tablets, says Poulin, especially as the demand for doing much more than printing boarding passes declines as travelers bring their own devices.
Hotels could also arrange for their computers to set up virtual desktop for every visitor, requiring a login to get into the system. "They get a fresh copy of a known operating system and operating system. When they logoff, it wipes everything out," Poulin says.
More immediately, though, Hargenrader says hotels should remind visitors that lobby and business center computers are public and that they shouldn't put their information at risk.
Another option: They can do what my hotel in Rome did and limit what kind of information customers can enter into the system. "When you put your boarding pass information in, you put in the flight locator code. It's limited information that's not personally identifiable but still gives you access," said Hargenrader. If malware captured that information, it would give criminals nothing in return.