Hotels have been opening their doors to the wrong kind of guest lately: hackers, and a lot of them. In the past few months, Hyatt, Hilton, Trump Hotel Collection, Starwood and White Lodging Services properties have all announced data breaches that compromised customers' payment card information.
In most of these cases, the malware used to steal the payment data lived on the hotel systems for weeks, months and even up to a year at a time. Seemingly no one saw it happening, and no guests had a weapon held up to them, but affected customers were essentially robbed. A hotel would never stand for a physical burglary, nor should it ever tolerate a virtual one.
Cybersecurity should not be treated as an afterthought. Here are three ways hotels can make it more top of mind:
All the aforementioned incidents impacted the point of sale. Payment systems at boutiques, restaurants and bars were the primary attack points. To the credit of some of these hotels, many of the breaches occurred prior to the Oct. 1, 2015, liability shift that holds merchants responsible for credit card theft. But if the deadline was not enough to spark quick and immediate adoption of EMV card reading technology, hopefully the flurry of recent breaches will be.
The key to EMV chip cards is that they leverage several layers of authentication that make it harder for thieves to commit credit card fraud. To defend against memory-scraping malware – which has been the bane of so many hotels recently – EMV chip cards generate a unique transaction code for each purchase. Like a one time password, any hacker that manages to steal this information can't actually do anything with it.
As anyone who has already used an EMV card reader knows, the process involves the insertion of the card into a little slot. The process takes a few more seconds than the standard swipe, but it can save hours of frustration down the road for businesses and customers alike. A lot of merchants still have not made the switch, but the majority are expected to have EMV card readers by the end of the year, according to The Chicago Tribune.
Just because EMV chip cards make it difficult for skimmers and memory-scraping malware to steal anything useful doesn't mean that the problem is solved. As long as there are dishonest people in the world, the risk of internal theft can never be negated.
That's not to suggest that it can't be mitigated, however. Traditionally, organizations have used a password with a number and special-character requirement to prevent unauthorized users from accessing important systems. But one password isn't enough anymore. It's time to tighten the reins on access at the POS and other critical systems in hotels. Two-factor authentication can help with this by creating a second checkpoint that's more difficult to bypass. This reduces the risk of internal theft from staff that may be attempting to access information they aren't authorized to see.
"MDM can ensure the safety of smartphones used by hotel staff."
Furthermore, as mobile devices become a mainstay in a variety of industries, they too will have to be properly secured. A lost or stolen mobile device used by staff in a hotel has the potential to result in compromised data, especially if the device is being used as a mobile POS. Mobile device management is therefore just as vital to the hospitality industry as any enterprise or office. Combined with fingerprint scanning technology, MDM can ensure the safety of smartphones used by hotel staff.
Cybersecurity is a blanket term, and the assumption is often that it pertains mainly to computers. But digitally-based security systems that prevent unauthorized access are also a form of cybersecurity. In hotels, this entails the use of key cards to keep guests and their belongings safe. The use of eIDs in this format has become the norm.
Staff also rely on them to gain access to certain areas of a hotel that are off limits to guests. For example, an office behind the front desk may lead to computers that store a lot of personal information including payment cards, addresses and other data that hackers and fraudsters might find useful for on the Dark Web. An eID is one way to safeguard these off-limits rooms. But if this ID is lost and ends up in the wrong hands, there's really nothing to stop a thief from tapping it against a reader and walking in like they own the place.
This is where hotel staff get to be a little bit more creative. Imagine, for example, that a computer will not turn on unless an authorized user's mobile device is in the direct vicinity of the system. A one time password would then be sent to the mobile user, who only then would be able to log in. Even if an unauthorized person somehow managed to procure an eID, they would also need the right mobile device for authentication, and even then, they would require the password, or fingerprint, to log into that mobile device.
This is exactly the type of multifactor authentication that hotels are need of in the neat future. Combined with EMV card readers, hackers and other criminals will hardly stand a chance. Hotel systems will be safer and guests will be much more inclined to make themselves feel at home.