Hotel companies, which in 2009 led all business sectors in credit card security breaches, showed a marked improvement last year. But security experts warn that travel-related activities are still among the most vulnerable to criminal hackers.
Moreover, they say, that vulnerability is likely to grow as travelers increasingly use mobile technologies to pay for purchases with credit card numbers.
Last year, the food and beverage industry regained its previous distinction as the most-breached industry tracked by Trustwave’s SpiderLabs, accounting for 57% of the incidents the data security provider investigated.
The hotel industry fell to No. 3, accounting for just 10% of investigations, down from 38% in 2009. Retail was No. 2 for credit card hacking crimes in 2010, accounting for 18%.
The natural question is whether the hospitality industry dramatically improved its security in 2010 or just got lucky.
"I think it’s a little bit of both," said Nicholas Percoco, senior vice president and head of SpiderLabs. "The same organizations that were targeting the hotel industry have sort of shifted their sights a bit. … It's sort of a shooting gallery."
Another hotel security expert, Anthony Roman of A.C. Roman & Associates, said that without a formal study, it was impossible to know if the industry overall had made major strides.
"Given the [improved level of] losses in the hotel industry, it is likely that executive management has responded and improved their I.T. architecture," he said. "Therefore, the hackers have changed their priority list."
From a marketing and public relations standpoint, he said, it is clearly in their best interest to fix the problem.
"Brand tarnish, fines, customer lawsuits, loss of credit card merchant privileges, bad press are all motivating factors for hotels to have improved their systems," Roman said. "System improvement is not a constant, though. Hackers specialize in re-examining new system changes and initiating renewed attacks against a previously attacked industry that had improved its defenses."
Indeed, a report issued by SpiderLabs last week warned hotels not to let down their guard.
"While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert," the report said. "At this time, it appears that the organized-crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets, as well."
Roman and Percoco agreed that the reason hotels became the No. 1 target of credit card hackers, a distinction traditionally held by restaurants, is that while hotels are often associated with major brands, they are usually not owned by large corporations. As a result, they don’t have the backing of corporate networks and the more secure I.T. services often associated with them.
Lax security practices
The SpiderLabs report, which analyzed data from more than 200 data-breach investigations, showed that the bulk of the problems involved third-party vendors, with 88% of breaches resulting from insecure software code or lax security practices in the management of technology.
"Often with hotels and food and beverage outlets, they do not have [I.T.] staff on hand," Percoco said. "So they have to go looking in the phone book to find an integrator [to set up their credit card payment systems]. In many cases, those organizations probably do a fine job of setting it up, but they don’t do a great job … of securing the systems. They don’t change passwords, things like that. Criminals know that."
Once hackers find a vulnerability at one establishment within a major brand, they look for the same brand in other locations to see if they have the same vulnerability.
The most hacked systems are point-of-sale systems, where the credit card is swiped. The report said 66% of breaches involved in-transit credit card data.
That was the case with a breach at Destinations Hotels & Resorts last year in which Austin, Texas, police said hackers made off with hundreds of thousands of dollars over three months.
Other hotel companies that have publicly notified customers of breaches over the last several years include Wyndham, Radisson, HEI and Best Western.
"Guests are generally unaware of it until the hotel notifies them," Roman said.
While hotels seem to have made strides in protecting guests’ credit card data, Percoco and Roman said a new area of concern is smartphones and mobile apps.
"Among the most interesting and surprising elements of the report is the rate and sophistication of attacks against mobile platforms and social networking sites," SpiderLabs stated.
"As the security of mobile networks has improved, mobile devices are increasingly the target of attacks, while social networking sites are quickly becoming cybercriminals’ platforms of choice to expand and propagate destructive botnets. Drive-by infections and mobile phishing attacks were among the most popular client-side attacks in 2010."
A botnet is a collection of software agents that function as digital robots that run autonomously and automatically.
A drive-by infection occurs when someone unknowingly downloads code that plants spyware, a virus or any kind of malicious software, or “malware,” on a computer.
Phishing is when a hacker attempts to acquire otherwise secure information such as user names, passwords and credit card numbers by distributing malware that masquerades as a harmless electronic communication.
Mobile: The next hacker frontier
Unfortunately, Percoco said, there is little travelers can do right now to protect data that their smartphones store and communicate to merchants.
"There is a bit of mobile security software budding out there, but none of it is very mature," he said.
He said it was not necessarily apps that render mobile devices vulnerable.
Instead, he said, "What we see are things like drive-by malware installations."
For example, he said, "You are browsing on an iPhone or an iPad and you come across a website that looks legit. … Unbeknownst to you, there is a flaw in your mobile browser that this website is taking advantage of. And now it’s on your phone."
The problem with most smartphones, he said, is that there is no way to see what is running behind the browser, like you can on a computer. "That’s where the mobile world is running into problems," Percoco said.
He and Roman said that protecting oneself goes back to basics: carefully checking bank statements and physically protecting credit cards while traveling, things as simple as making sure someone standing behind you can’t memorize the numbers or being alert to a hotel or restaurant employee disappearing with your card for too long.
"The No. 1 thing to watch is your statement," Percoco said. "You don’t have to wait until the statement is sent to you. You can log in to your account online. You can even call and get a list of transactions. You’ve just got to use common sense."
Even a traveling security expert is not immune to hackers, Percoco said: "I travel quite a bit, and my credit card gets compromised about once a year."