Poorly secured Wi-Fi networks at hotels are spurring on cyber criminals to swoop in and steal guests’ private information, warns PricewaterhouseCoopers (PwC).
The security of guest information and operational technology has emerged as a business risk for the hotel industry, according to PwC’s Hospitality Outlook 2015-2019.
“For business travellers, access to fast and low-cost internet is a must have. But these Wi- Fi connections are not always secure. And that is a security gap that cyber criminals are making use of,” says Nikki Forster, hospitality industry leader for PwC, Southern Africa.
PwC says cyber criminals are targeting hotel networks and infecting computers with an aim to steal personal information of guests.
Techniques that hotel hackers use range from the mathematical to crypto-analytical, says PwC.
“This is usually done by hackers waiting for guests to check in and log on to the hotel Wi-Fi by usually submitting their room number and surname,” says Veneta Eftychis, senior manager, PwC hospitality and gaming industry.
“Thereafter the hotel guest gets tricked into downloading and installing a so-called backdoor file, which pretends to be an update for legitimate software, such as the Google Toolbar or Adobe Flash.”
PwC explains that unsuspecting guests could risk downloading this hotel ‘welcome package’ only to infect their machines with spyware.
The likes of key logger malware could then find its way onto a guest’s computer, possibly resulting in hackers snooping on login credentials or private information.
PwC’s Eftychis says some hackers even appear to know the names, arrival and departure times, and room numbers of hotel guests in these attacks.
The hotel hackers also typically delete their tools from the network and go back into hiding afterwards, notes PwC.
One such group dubbed ‘DarkHotel’ group is said to have been active for the past four years and targets high profile guests in free Wi-Fi zones.
Meanwhile, South African hotels were also targeted by fraudsters in 2012 and 2013 who used malware known as Dexter. The malware skimmed and transmitted credit cards’ magnetic-strip information, allowing clones to be made.
Tips for hotels and their guests
Safeguards that hotel guests can employ to protect themselves range from ensuring they have the latest antivirus installed to not updating software or opening files on untrusted networks.
PwC’s Eftychis also advises that hotel guests use a virtual private network (VPN) to establish an encrypted communication channel when accessing hotel Wi-Fi.
In addition, hotels can also do more to protect their networks by implementing up-to-date prevention and risk management practices.
Theft by employees should also be accounted by hotels as food and beverage servers can use small devices - hidden in pockets - to swipe customer credit cards and steal this data.
Hotels should also make sure that responsibility for data security is part of the chief information officer or chief security officer’s responsibilities.
A risk assessment of hotel Wi-Fi networks should also be conducted, says Eftychis.
“Unfortunately cyber criminals are getting faster and more sophisticated – to stem the tide hotels also need to stay proactive and put a strategy and incident response plan in place. As part of the plan hotels should be aware of policies and processes relating to data breach, and educate staff on protocols,” says Eftychis.