Friday, July 1, 2011

Lax Hotel Network Security Leads to Credit Fraud

Have you ever wondered what happens to your credit card information after it’s swiped at the hotel front desk? New York Times reporter Joe Sharkey knows. Sharkey told petergreenberg.com that he discovered a small unauthorized merchant charge on his credit card the same day he checked out of the Arizona Biltmore in Phoenix. It wasn’t the first time. Earlier, Sharkey reported in The New York Times that he and his wife had their credit card accounts compromised following hotel stays. In both cases, hackers made multiple small unauthorized purchases. Why were the charges small, you might ask? That’s how hackers check whether card holders are paying attention and whether credit card accounts are vulnerable.

Hackers Are the Hotel Industry’s Frequent Uninvited Guests

According to a 2011 Global Survey Report released by Trustwave SpiderLabs, Sharkey has plenty of company. The report shows that one in ten of the data breaches that Trustwave investigated in 2010 happened in the hotel industry. If you’re a frequent hotel guest, that’s not good news.

Hotel hacking that leads to credit fraud seems to be as easy as shooting ducks in a barrel. The reasons: Point of sale devices are vulnerable; there’s huge volume of credit card transactions; and credit card information is retained for reservations and loyalty programs.

Unsecured hotel wireless networks at hotels have also proven to be an ideal place for hackers to commit a variety of other crimes. At the luxury Thompson Hotel chain, a hacker captured embarrassing emails belonging to guests and staff members that were transmitted over its wireless network and threatened to make them public.

In many states across the country, hackers staying at hotels or parked nearby have used the anonymity of hotel wireless networks to download kiddie porn.

Guests looking to use their hotel’s wireless Internet may face another security threat. In 2010, The CBS Early Show had an ethical hacker set up a fake WiFi access point at a New York City hotel, calling it “Best Free Public WiFi.” Before long, dozens of unsuspecting wireless device users tried to log on. When an unsuspecting hotel guest connects to a rogue WiFi access point like that, his sensitive financial information can be harvested by a hacker.

How to Hide From Hotel Hackers

Remember, staying at a nice hotel with good security doesn’t guarantee that your financial information will be safe from hackers. Here’s what you can do to protect your most valuable possession – your identity.

• Find out what your hotel is doing to protect your credit card information. Ask whether its wireless network uses WPA (WiFi Protected Access) encryption. It requires a password to get onto the network and encrypts all the information transmitted on it. This prevents eavesdropping over wireless. But it may not stop other guests connected to the same hotspot from stealing your information.

• Watch out for Evin Twins. Some WiFi networks you spot at hotels may look like the real thing. They may even contain your hotel’s name. But they can still be rogue access points created by hackers to steal your data. Check with the establishment to make sure which network is the real one.

• Always assume you’re not alone on any public WiFi network. Disable file sharing; and never send Social Security numbers or financial information when over a wireless connection.

• Use a credit card instead of a debit card at hotels so your bank account will be protected.

• Use a VPN (virtual private network) like Private WiFi to ensure that the information transmitted over your WiFi connection is invisible to hackers.

Jan Legnitto is an investigative journalist and documentary producer who writes about criminal justice and intelligence issues.

No comments: