Category Archives: Technology

Hospitality Industry Cybercrime Risks: Hotel And Restaurant “Connected Point-Of-Sale (POS) Systems” Attacked By New Malware Called “Dexter”; Steals Credit Card Data And Transmits It “Encrypted” Back To Attacker

“…Just before the 2012 festive period, a new piece of malware surfaced and was found in hundreds of POS systems in hotels, restaurants, retailers and private parking providers. The malware was discovered by Israel-based security firm Seculert: ‘Dexter’ (which comes from the string ‘BKDR_DEXTR.A’) is a data-theft tool used to target and attack POS systems. The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card track data, but with the uniqueness of the attacker having full control…”

Connected point-of-sale (POS) systems – that’s the checkout to you and me – are the most recent targets of the cybercriminal, and a specially-crafted malware, dubbed Dexter, is further indication that now all kinds of connected devices may be vulnerable to attack.

Seculert CTO and co-founder Aviv Raff explains that while the company is as yet uncertain as to who is behind Dexter, the author is fluent in English: Dexter mainly targeted English-speaking countries. The malware was located in 40 different countries, but notably 42 per cent of POS systems targeted were in North America and 19 per cent UK-based. “Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware,” Raff says.

The malware injects itself into the iexplore.exe file in Windows servers, through rewriting in the registry key. It then pinches sensitive credit-card data from the server, before transferring it through a remote command and control system. Windows-based POS systems are used increasingly in the industry, and according to Seculert’s findings, 51 per cent of targeted POS systems use the outdated Windows XP. The high percentage indicates Windows-based machines that process unencrypted track data are viable targets.

Microsoft Windows XP may be the ‘preferred’ choice for POS systems, especially among smaller retailers who feel that they cannot afford to upgrade, but with the operating system to be discontinued in 2014, the question is over what support will be offered for remaining XP users and if they will be able to handle the upgrade to Windows 7 or 8.

“Dexter only has three purposes in life,” says Trustwave’s security researcher Josh Grunzweig. “To always be running on the victims’ machine, to find any card, or track, data in any running program on the victim, and to communicate with the attacker who is controlling it.”

The latter is what makes the malware stand out and impresses Grunzweig. “I can’t remember the last time I saw a piece of malware that targeted POS systems that had a nice command and control structure to it,” adds Grunzweig.

He explains the hacker maintains control of the attack by using normal communication methods, but with the skill to hide what is being sent by encoding the data. By default, the malware sends a message to the attacker every five minutes and also checks the victim every 60 seconds for track data in any running program.

The magnetic strip on a credit card contains three tracks and the malware attempts to extract data from memory relating to tracks one and two, containing numeric or alphanumeric data that can be used to clone the card that was used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. The attacker has the control to change the times and install additional malware or even remove Dexter altogether.

“The most unusual thing about Dexter is the small amount of public attention it has received,” says Trustwave’s Josh Grunzweig. “The issues that make POS-specific malware difficult to discuss in the industry also affects the ability of antivirus companies; without samples they are unable to provide detailed protections for specific threats.”

For more:  http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm

Filed under Claims, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Payment Risks: Hotel Tech Trade Association Releases “Secure Payments Framework For Hospitality”; Best Practices Advocates “Tokenization” And “Removal Of All Guest Credit Card Data From Systems”

For more:  http://www.scmagazine.com/hotel-tech-trade-association-offers-best-practices-for-reducing-payment-card-risk/article/283129/

Filed under Crime, Guest Issues, Insurance, Labor Issues, Liability, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Payment Risks: Restaurants Can Utilize New “Smartphone Apps” To Reduce Credit Card Fraud, Increase Guest Satisfaction

“Tabbedout” is a new free app for smartphones. The credit card number is encrypted in the phone and tied to a tab…(the guest) can walk in, open (their) tab and show the phone to the bartender (or waiter) and literally start ordering food and beer right away…when they feel like leaving the venue, press one button on (the) smartphone and leave…”

Crooks are constantly stealing credit card numbers. Often times it’s skimmers attached to credit card machines or some other crafty way to lift information. Now a new app may help reduce the chances of that and simplify the dining out experience.

Denver is a test market for a new service that makes paying a tab in a restaurant or a bar as simple as just one quick click. It’s a legal way of “dining and dashing.”

Who hasn’t been frustrated while waiting to pay a tab? And how safe is sending a credit card off with a waitperson? Now there are options. “Credit card fraud is the handing the cards back and forth. Someone will snap a picture of it and then steal your identity or take your credit card,” bartender Josh Finocchiaro said. “With this, it’s set up through your phone, so the card isn’t passed back and forth.”

Restaurants like the Ice House in LoDo like it because it means the wait staff can focus on serving good food and drinks without worrying about serving up a check at the end of a meal. Diners gain more control over their experience and there’s no waiting around to pay.

Tabbedout is now in 25 restaurants around Denver and some in the mountains as well.

For more:  http://denver.cbslocal.com/2013/03/02/tabbedout-app-helps-pay-restaurant-bill-avoid-credit-theft/

Filed under Crime, Guest Issues, Labor Issues, Management And Ownership, Risk Management, Technology

Hospitality Industry Social Media Management: Hotel Management Must Have Policies In Place To Deal With An “Online Reputation Crisis” Including “Act Quickly, Publish Official Response, Remove Content And Rally Supporters”

Given the rapid-fire pace at which content can spread via social networks, hotels have never been more vulnerable. A seemingly minor issue can quickly escalate into a full-blown crisis, causing serious damage to reputation.

After a power outage at a Texas hotel last summer, a paralyzed American war veteran called the front desk to request help from his room. For reasons not entirely clear, the clerk allegedly laughed at the request and mocked him. The guest got down by throwing his wheelchair and bags down three flights of stairs and sliding down on his backside. Then he went straight to the media.

The incident incited a public furor that quickly spread to social networks. The hotel, its employees and the entire brand came under attack, with expressions of outrage and calls for a brand-wide boycott. Despite a solid reputation, it seemed nothing the brand could do—issue a refund and a public apology, dismiss the employee, implement staff training—would appease detractors.

  • Be prepared – Given the risks involved, a social media policy with a crisis management component must be a priority. Outline the steps to take in the event of a crisis, the people responsible, and the role social media will play in messaging. Keep a list of emergency contacts at hand, including your social media administrator.
  • Act quickly – When a crisis hits, there’s no time for bureaucracy. You must respond quickly and decisively. But first you must assess what’s at stake. Include senior management in decisions, and if appropriate seek advice from a PR firm or lawyer.
  • Publish an official response -  An official response is a critical step. It should be honest and sincere, should speak to your company’s credentials, and should be authored by a senior executive. Post it to one channel—your website or blog, a video—and direct all inquiries there.
  • Rally supporters – Call on your community of fans to help get your messaging out. Their words will have more impact and reach than official brand messages.
  • Don’t fuel the fire – Buchmeyer tells me of another incident in which a client attempted to quell a spate of angry comments on its Facebook page by deleting them and blocking detractors. This only resulted in escalating the situation. Monitor conversations and respond as appropriate, but resist the urge to sanitize. In some cases it may be better to “go dark” on social media rather than draw attention to the issue and further provoke detractors. This is especially true in the case of a tragedy or natural disaster, when communications should be restricted to community support and keeping guests informed.
  • Get the content removed – Getting damaging content taken down can be challenging, especially if it has spread to multiple channels. Go to the source and ask them to remove it, but don’t be heavy handed. At the same time, appeal to the host site to have it removed. Litigation is an option if the content is libelous, but use it as a last resort. Engage in charitable causes and community work that will garner positive content to displace the negative.
  • Reputation management—a company wide function – The media loves a scandal, and exposés of security, sanitation and safety issues are popular topics that can be highly damaging to business. Employees must be aware that social media has raised the stakes. The consequences of guest mistreatment, negligence and lapses in quality, service and security can be severe. Management must play its part by providing the training, empowerment and support necessary to ensure standards are understood and upheld.

For more:  http://www.hospitalitynet.org/news/154000320/4059521.html

Filed under Guest Issues, Labor Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Training

Hospitality Industry Information Security Risks: Hotels, Restaurants And Retailers Accounted For 78% Of “Data Breaches By Cyber-Criminals” In 2012; “Weak Or Guessable Passwords” Is Most Common Vulnerability

“…Almost one-third of all victims had critical systems administered by a third party…Attackers had no trouble exploiting that weakness, with vulnerable remote-access systems accounting for the method of entry in 47 percent of the cases…in most cases, users – not software vulnerabilities – were to blame. Almost 90 percent of systems had weak or easily guessable passwords, with “Password1” continuing to be the most common, according to Trustwave’s report…”

An analysis of breach data for 2012 found that retailers and the hospitality industry continued to command the most interest from cyber-criminals, accounting for 78 percent of the breaches documented by security services firm Trustwave.

The businesses are typically easy targets, having outsourced the administration of important servers and business data to firms that focus more on keeping the systems functioning than on security, says Christopher Pogue, director of digital forensics and incident response for Trustwave’s SpiderLabs.

“An integrator may have 1,000 customers and may do remote administration for all of them using, not 1,000 passwords, but maybe two or three,” Pogue said. “That leaves a vulnerability that can be exploited by attackers.”

For more:  http://www.techweekeurope.co.uk/news/retailer-hotel-crime-107589

Filed under Crime, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Crime Risks: Washington Hotel Room Used By “Major Identity Theft And Forgery Ring”; Police Seize Laptops, Lamination Machine And Bags Of Stolen Mail

“These labs tend to be mobile…they go from hotel to hotel…the room contained a computer, two laptops, laminating paper, card stock, check stock and a hot laminator machine along with identification, checks and bags of mail that had been stolen. Also seized were more than 100 licenses and other IDs, roughly 20 hard drives and numerous other media storage devices, such as thumb drives and memory chips.

Police and U.S. Secret Service agents believe they have taken down a major identity theft and forgery ring involving at least a dozen suspects and more than 100 victims. The number of victims could grow as experts analyze computer hard drives and video surveillance footage from businesses where the suspects tried to get money. As of Friday evening, authorities estimated more than $45,000 had been stolen, but said that amount is likely to grow.

Evidence is being examined at the Secret Service’s Electronic Crimes Task Force lab in Seattle. Many of the victims — both individuals and businesses — are from Everett, but the center for the operation was traced to a hotel room in Shoreline.

That’s where police and the Secret Service found what amounted to an ID-theft factory Thursday.

For more:  http://heraldnet.com/article/20130105/NEWS01/701059947

Filed under Crime, Guest Issues, Liability, Management And Ownership, Technology, Theft

Hospitality Industry Theft Risks: California Hotel Guest Arrested For Using Stolen Credit Card To Pay For Room; Used Laptop On Open Wi-Fi Network To Steal Account Information

“…(suspect) allegedly rented a room at the Montage by using a stolen credit card. The fraud went undiscovered for two days while Larson accrued a $2,134 tab, but he disappeared from the resort prior to the arrival of police…he used a laptop to collect credit card information from people making purchases or checking their accounts…”

An admitted identity thief, apparently expert at stealing credit card account information over open wi-fi networks, was arrested last week after skipping out on a $2,134 bill at Montage Laguna Beach, police said. Police tracked Harold Eric Larson, 37, to his hometown of Orange and arrested him on Thursday, Dec. 27, on several theft related charges, Capt. Jason Kravetz said in a statement. He is accused of using stolen credit card numbers to rent hotel rooms for himself and friends in Laguna Beach, Newport Beach and Costa Mesa, Kravetz said.

Coincidentally, on Dec. 26 police received a complaint about guests using drugs in a room at Laguna Cliffs Inn and arrested Edward Richard York, 40, of Tustin, allegedly for possessing methamphetamine and marijuana, Sgt. Louise Callus said. Officers learned the room was rented with a stolen credit card number provided by Larson, said Kravetz.

Larson was previously arrested by Laguna police last April on 23 felony counts of fraud and theft after he was caught using stolen credit card information to rent hotel rooms.  He pled guilty to the charges and was sentenced to three years probation, one year in jail and restitution.

For more:  http://www.lagunabeachindependent.com/2013/01/02/identity-thief-held-hotel-scam/

Filed under Crime, Guest Issues, Liability, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Security Risks: Hotel Electronic Door Locks In "Various Stages Of Being Repaired"; "Mechanical Caps And Security Screws" Provided To Block Hackers

In October, hotel insurance-related company Petra Risk Solutions issued its hotel clients an alert headlined, “Crime Alert – Onity Guestroom Door hackers are for real.”

In Florida, Petra loss prevention expert Todd Seiders said he received reports that a hacker had been seen carrying a laptop and using a key card – possibly connected to the laptop – to open locked guestroom doors.

The locks on more than 1 million guestroom doors are in various stages of being repaired, following the revelation this summer that they may be vulnerable to hackers.

The New York Marriott Marquis, the biggest hotel in Manhattan, for instance, just completed updating all of its nearly 2,000 door locks. The hotel is one of thousands of properties with guestroom locks manufactured by Onity, a division of United Technologies. An Onity website also shows Sheraton, Hyatt, Holiday Inn, Fairmont, Radisson and other well-known hotels from Paris to Perth as also having its locks updated.

The hacking tool, according to Petra’s alert, could be made for about $50 in easy-to-acquire electronic parts.

“Please train and notify your hotel staff that these burglaries are spreading across the country,” Petra’s alert cautioned hoteliers. “Hotel staff should be vigilant while they are on the guest floors and paying attention to guests walking through hallways…Take time to watch guests walking through your hallways to ensure they are going to a room and entering it. Be very suspicious of someone carrying a laptop or small bag wandering the hallways. Greet guests and ask them if they need assistance.”

Onity did not immediately return an e-mail seeking comment about the issue. But in a statement updated for December on its website, Onity says that as of Nov. 30, it has shipped hardware to fix 1.4 million hotel door locks. The hardware includes mechanical caps and security screws that “block physical access to the lock ports that hackers use to illegally break into hotel rooms.”

For more:  http://www.usatoday.com/story/hotelcheckin/2012/12/14/hotels-fixing-flaw-that-made-room-locks-vulnerable-to-hackers/1769081/

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Guest Satisfaction: Hotels Must Develop And Facilitate A "Mobile Device Strategy" That Pays "Careful Attention To Guests' Needs"

“…Given the rapid move to mobile devices by travelers, (hotels must) develop a “mobile strategy” that facilitates the use of mobile devices to make sure a hotel is noticed during a mobile search–and gets the business. Hotels must find a way to become part of guests’ mobile ecosystem, in part by paying more careful attention to guest needs…”

Two new publications from the Cornell Center for Hospitality Research (CHR) at the School of Hotel Administration outline technology issues and the effects of social media on the hospitality industry. A study by Cornell’s Chris Anderson confirms what hospitality operators have long suspected–social media reviews drive hotel reservations.

One particular value of analytics is that they can highlight and resolve problems with guest satisfaction that may not show up in conventional guest surveys. Hotel operators are aware that their property needs to appear near the top of web search results, and analytics can present techniques for making this happen, such as connecting the hotel with local attractions or events.

  • First, he documented the increasing influence of TripAdvisor, as the number of reviews consulted by consumers prior to booking a hotel room has steadily increased over time.
  • Second, an analysis of transactional data from Travelocity illustrated that a 1-point increase on Travelocity’s 5-point scale allows the hotel to increase its price by 11.2 percent and still maintain the same occupancy or market share.
  • Third, by matching ReviewPRO’s Global Review Index™ with STR’s hotel sales and revenue data, Anderson’s analysis finds that a 1-percent increase in a hotel’s online reputation score leads up to a 0.89-percent increase in a hotel’s average daily rate (ADR), as well as an occupancy increase of up to 0.54 percent and up to a 1.42-percent increase in revenue per available room (RevPAR).

Perhaps most critically, customer reviews have now become a major discriminating point for customers’ determination of a hotel’s quality. Whereas price used to be used for that purpose, customers now put a greater weight on user-generated content on social media sites. Surprisingly, the fashion industry may be a model for how to use social media to promote hotel sales. People like to hear comments on how they look in a new outfit, so the issue is how to translate that kind of interaction to a restaurant meal or hotel stay.

For more:  http://www.equities.com/news/headline-story?dt=2012-11-29&val=770928&cat=service

Filed under Guest Issues, Management And Ownership, Risk Management, Technology, Training

Hospitality Industry Security Risks: Recent Texas Hotel Room Robberies Linked To "Electronic Lock Hacking"; Thefts Involving Digital Devices Expected To "Explode Nationally"

“…the Houston Hyatt may not be the only site hit with the Onity hack. An alert published by the insurance firm Petra Risk Solutions in October claimed that “several” hotels in Texas have had their locks opened with Brocious’ technique. Todd Seiders, a former Marriott security director who now works as director of risk management at Petra, says he spoke with the general manager of one of those hotels, who knew of at least three Texas hotels affected in total…”

“…hotels with Onity locks need to either shell out for Onity’s circuit board fix or at least block access to their locks’ ports, says Todd Seiders of Petra Risk Solutions–he estimates that more than 80% of his customers have implemented a fix since August, but says that many more hotels around the world may not have been so careful…”

Whoever robbed Janet Wolf’s hotel room did his work discreetly. When Wolf returned to the Hyatt in Houston’s Galleria district last September and found her Toshiba laptop stolen, there was no sign of a forced door or a picked lock. Suspicions about the housekeeping staff were soon ruled out, too—Wolf says the hotel management used a device to read the memory of the keycard lock and told her that none of the maids’ keys had been used while she was away.

Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.

Last month Houston police arrested 27-year-old Matthew Allen Cook and charged him with theft in a September 7th break-in at the Hyatt House Galleria. Police also listed Cook as a suspect in the theft from Wolf’s room four days later and that of another guest at the hotel. Cook, who has a prior history of arrests for thefts and burglary, was identified when an HP laptop stolen from one of the hotel rooms was found in a local pawn shop, where staff helped police to identify him.

For more:  http://www.forbes.com/sites/andygreenberg/2012/11/26/security-flaw-in-common-keycard-locks-exploited-in-string-of-hotel-room-break-ins/?goback=.gde_76056_member_189780979

Filed under Crime, Guest Issues, Insurance, Liability, Maintenance, Management And Ownership, Technology, Theft