Alastair Paterson is the CEO and co-founder of Digital Shadows
Typically, when we wish someone well before they leave on a journey we are referring to their physical safety while in transit. But, increasingly, there’s another consideration – their online security.
Over the past year, compromises of payment card data from point-of-sale (POS) systems, network intrusions against third-party suppliers, and cyber espionage campaigns against visitors using hotel Wi-Fi networks have plagued the travel and hospitality industries.
In the spirit of ‘forewarned is forearmed,’ let’s take a closer look at some of the most notable examples of each of these types of threats and how firms in these industries can mitigate risk.
Point-of-sale (POS) attacks
Those who seek to compromise payment card details use malware to extract this data from POS systems or devices as well as physical skimming devices.
As an example, some groups target companies through ‘spearphishing’ emails containing malicious Microsoft Office documents or malware that moves through compromised networks.
The most high-profile network intrusion in the past year involved a compromise of the Sabre Corporation, reportedly affecting at least eight hospitality companies. Through unknown means, the attackers had accessed account credentials that permitted access to payment card data and information for some reservations processed by Sabre’s central reservation system.
This attack demonstrates a trend of third-party supplier attacks, in which financially-motivated criminals impact multiple companies by compromising their supplier to access sensitive or valuable data.
Wi-Fi network compromise
Hotel Wi-Fi networks have been targeted in an information gathering and cyber espionage campaign against travellers to Europe and the Middle East. Cyber criminals almost certainly choose to target these networks because they are deemed less secure.
In one campaign, spearphishing emails were used to deliver information-harvesting malware to victims. The attackers also purportedly used the EternalBlue exploit, which targets the vulnerable Microsoft Server Message Block (SMB) protocol for movement within target networks.
So what can you do to reduce the risk?
While the Europay, Mastercard and Visa chip technology have made physical card fraud more difficult, online card spending is on the rise. Consider using 3D Secure as an additional layer of security which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard.
- Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity to mitigate the risk of credential compromise.
- With the help of Google Alerts or open source web crawlers like Scrapy, monitor for mentions of your company on cardable websites (sites that track those that are susceptible to fraudulent purchases as a result of lax security controls).
- Routinely train employees about the risks of spam and spearphishing and how to avoid becoming a victim.
- Encourage staff to use different passwords for personal and business accounts. Consumer password management tools like 1Password or LastPass can be helpful.
- Patching is an important part of your defence strategy and failing to do so opens the door wide for adversaries. For example, Microsoft has issued a patch for the vulnerabilities exploited by EternalBlue.
As long as payment card details and other proprietary information remain lucrative on criminal forums and marketplaces, the travel and hospitality industry need to remain vigilant.
But with greater awareness about POS system attacks, operations against third-party suppliers, and the vulnerabilities of public or semi-public Wi-Fi networks, companies can do a lot to mitigate risk and ensure safer journeys for travellers.
For more features and breaking news sign up to C&IT Magazine's daily News Tracker.