Hacking at hotels has not slowed down, with the latest breaches occurring at Kimpton Hotels and Restaurants last month, because the industry has been lax at adopting more secure technology.
Kimpton, which is owned by InterContinental Hotels Group, reported a malware attack on credit card payments. This attack followed a data breach in the U.S. which occurred at 20 hotels operated by HEI Hotels & Resorts for Marriott International, Hyatt Hotels, InterContinental and Starwood Hotels and Resorts.
"Hotel companies are considered low hanging fruit by attackers because they are usually somewhat behind the curve on cybersecurity and hotel chain networks are well-connected," said Shlomo Touboul, CEO of illusive networks, a Tel Aviv, Israel-based cyber security company. "Once an attacker penetrates the network, they have nothing in place to detect and mitigate the attack. While hotel companies are generally well invested in prevention tools, they haven't focused much on post breach detection."
Not all hackers are focused on obtaining credit data through the payments system. Others are more subversive, opting to concentrate on public WiFi, keyless entry or check-in apps.
Why the WiFi Is Not Secure
Updating security has not been a priority at many hotels, especially for Internet access, which has become a commonplace amenity that guests expect, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based independent security consulting company. Many guests mistakenly believe that the WiFi networks are maintained by the hotel, making them a large target for hackers who are eager to steal passwords and other personal data.
"They have poor, if any, security measures in place," he said.
Guests should always opt to use their cellular network and not the guest WiFi network when they want to access their bank accounts or make a purchase, said Touboul.
Apps for Door Keys Another Security Issue
Hackers now have another readily available target as more hotels are adding apps that guests use to check in and to open their rooms. While these apps are convenient for guests, the security of the internal networks controlling these wireless internet services is often overlooked. The Bluetooth or NFC-enabled applications which act as door keys for your hotel room can be easily breached.
"More and more hotel chains are providing their customers with keyless entry systems that are powered by applications they download to their phones," Wenzler said. "When they reach their room door, they activate the application and it wirelessly transmits the authorization to open the door and allow the customer access."
Security researchers have demonstrated multiple times by utilizing various techniques that these apps are easily compromised, which means the same hackers who target the WiFi can "now just as easily also target the use of these keyless entry systems," he said.
Consumers who want to use these keyless entry systems should be aware of people lurking nearby, because a shrewd attacker can easily target them by using a smartphone, tablet or laptop to detect Bluetooth or NFC-enabled applications, which use short-range signals, and try to compromise the entry transmission as it happens.
"If you see someone nearby when you're entering your hotel room, it's safest to wait a moment to let them pass by before using the keyless entry system," Wenzler said.
Sticking with a standard keycard decreases the odds that a hotel guest will be the target of a hacker, though it also means compromising between convenience and security.
"While hotels are getting much better about securing both their applications which the user downloads to their devices and their internal networks which support the keyless entry locks on the doors inside the hotel, if there is the slightest concern on the customer's part, it's probably safer to just get a physical keycard and use it instead," he said.
While these keyless entries are touted as being just as secure as a key card, the opposite is true, said Yossi Zekri, CEO of Acuant, a Los Angeles-based provider of intelligent data capture and authentication solutions. Instead, hotels should be adopting solutions that verify the identities of guests with multi-factor authentication, which are more secure whether the entry is conducted from a key card or keyless entry.
"Currently, the industry standard for verifying IDs on hotel apps is by text message," he said. "By employing a more stringent verification process, consumers are more protected. Identity documents and ID can be verified as well as by text and password layers."
Other Hacking Entries
Hackers are not only targeting the WiFi and keyless entry; they are also focusing on other methods, such as apps which allow digital booking or checking in.
When consumers use a mobile app to check into a hotel before they arrive, determining the person is authentic is crucial, said Zekri.
"The only way to get a confirmation is to verify the ID and this can be multi-factored to ensure a high protection level," he said. "Identity verification at the front desk or via a mobile app is an essential part of providing hotel guests a safe and secure environment."
Other guests are checking in through a self-service kiosk, and the level of security varies widely. Many hotels use scanners and mobile devices at the front desk which authenticate driver's licenses and passports.
"However, many hotels also simply do a visual check of the ID and might make a photocopy," Zekri said. "This is the least secure method. Mobile and kiosk solutions can easily and swiftly ask for documents to authenticate."
Hotels need to be proactive and "to act as though it's only a matter of time until its network will be penetrated and prepare now for this day," said Touboul. "Since penetration is unavoidable, their plan should include high fidelity detection combined with high quality real-time forensics obtained from the attack source as it happened."