Tag Archives: Cybersecurity

Hospitality Industry Information Security Risks: Large Email Marketing Services Company To Many Hotels Has Data Breach And Guest Email Accounts Are Stolen

In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.

“…customers should “exercise extreme caution,” as email addresses are all cyber-criminals need to initiate a phishing attack. Users can expect to see more spam, and should be vigilant about email offers that ask for personal information or have links to other sites that ask for personal information.”

Many of these phishing attacks tend to take the form of security alerts—informing users that their accounts have been compromised and they should verify their log-in credentials to reset their accounts—or direct marketing scams promising special deals that require a credit card number.

Epsilon, a large email marketing services company with a roster of A-list clients, reported a data breach that is impacting practically anyone who has ever signed up to receive a retail offer or alert through its email account. The company warned that thieves may use the information to launch a phishing campaign to trick users into disclosing more critical data.

On March 30, Epsilon detected “an unauthorized entry” into its email system. During this time, a subset of clients’ customer data was exposed. Epsilon only has the information of people who opted-in to receive marketing emails, and the theft was limited to email addresses and customer names, according to the company.

“A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” Epsilon said in a terse statement on April 1.

“Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses,” used books retailer AbeBooks wrote in a message to customers on April 3.

For more:  http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/

Hotel Industry Credit Card Security Risks: Major Hotel Industry Associations Issue "Joint Statements" On Actions To Prevent Cyber-Crime

 Three major hotel industry associations, including the American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP) today issued the following joint statement to hotels regarding organized cyber crime attacks on credit card data. It identifies actions that hotels — and not their system vendors — need to take immediately in order to minimize their vulnerabilities and to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached.

  • Cyber criminals are systematically attacking systems that store credit card data
  • Criminal organizations are highly structured and integrated with the world’s organized crime rings
  • Attacks on hotels are highly targeted and effective
  • Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards.
  • The most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place
  • Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure.

The three actions are:

  1. Eliminate EVERY default password on EVERY machine on your network — server, workstation, router, firewall, and any other device that has a password.
  2. Eliminate holes in remote access to systems inside your network
  3. Get a firewall and configure it properly. Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don’t have a firewall

For more:  http://www.hospitalitynet.org/news/154000320/4050609.html

Hospitality Industry Information Security Risks: "Electronic Pickpocketing" Allows Criminals To Steal Credit And Debit Cards Containing RFID Technology

“…criminals can steal credit cards, debit cards, passports and other valuable information…This crime is referred to as “electronic pickpocketing”. The technology used to perform this type of theft is called radio frequency identification or “RFID”….”

Hundreds of millions of credit cards, debit cards and all passports issued since 2006 are embedded with a radio frequency identification chip—or RFID.  RFID chips are also commonly used in hotel keys, cards that raise gates in parking garages and unlock doors at businesses.  Government, military and port of entry ID cards are also vulnerable to this type of theft.  You need only swipe the card in front of a reader.  The RFID chip is always on, making consumers more susceptible to identity theft. 

Thieves can steal this information by using a frequency reader.  These readers are inexpensive and easy to obtain.  The thief can simply walk next to you and acquire your credit card number and expiration date without any physical contact. While these cards are in your wallet or purse they can transmit your card or passport number and in some states, your digital drivers’ license information when placed near a reader.  The information almost immediately appears on a computer screen without you ever knowing about it.  Apparently U.S. passports are more difficult to read than cards with RFID chips because they require a password.  However, hackers with enough knowledge can see everything on the passport’s front page.   A thief can be long gone before the consumer ever realizes his information has been stolen.  This is “electronic pickpocketing”.

For more: http://www.ktnv.com/story/14225766/consumers-beware-of-electronic-pickpocketing

Hospitality Industry Information Technology (IT) Risks: "Network Security and Privacy Liability" Insurance Is Available To Protect First-Party Risks And Third-Party Liability Involved In Cyber-Crime

“…Network Security and Privacy Liability policies are generally designed to address first-party risks and third-party liability–sometimes in the same policies, sometimes separately…”

“…first-party losses. These might include business interruption, which could be caused by a flood or fire in a data center, or malicious hacking by a disgruntled employee or even a cyber-crook half a world away...”

There is also the risk of being sued by third parties for somehow allowing–or failing to prevent–unauthorized access to sensitive information.

When IT goes down, business screeches to a halt. Indeed, for businesses such as online retailers, brokerages and some financial firms, the IT and data assets are the entire business–every bit as critical as the factory and warehouse are to the hard-goods manufacturer, or the vehicle fleet to a trucking company.

As more and more companies–and their insurers–are realizing, this reliance on IT creates a hornet’s nest of risks that can result in crippling losses that conventional, turn-of-the-century P&C insurance coverages won’t respond to. These new issues call for a new category of coverage.

Perhaps even more ominous are the all-new liability exposures inherent in IT operations. A raft of relatively new regulations and legislation makes companies responsible for safeguarding personal and confidential data they collect as part of everyday e-commerce operations.

Companies are liable for customer credit card numbers, financial transactions, medical history, credit information and other sensitive data.

For more:  http://www.propertycasualty360.com/2010/03/15/cyber-coverage-the-new-must-have-in-the-property#

Hospitality Industry Information Security: British Courts Jail Operators Of World's Largest Internet Crime "Forum" Which Provided "Hacking Software" And Credit Card Theft Instructions

The site contained manuals such as “14 ways of hacking credit cards” and “running cards on eBay” and information on staying anonymous. It sold hacking software and instructions on how to manufacture crystal meth and explosives.

Nicholas Webber, who masterminded the criminal website Ghostmarket.net, has been jailed for five years.

Three teenagers who founded and operated one of the world’s largest English-language internet crime forums, described in court as “Crimebook”, have been sentenced to up to five years in custody. Police estimate that losses from the thousands of credit details traded over the site, Gh0stMarket.net, amount to £16.2m. The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts.

Nicholas Webber, the site’s owner and founder, was arrested in October 2009 with the site’s administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.

After seizing Webber’s laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.

Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers’ addresses.

For more:  http://www.guardian.co.uk/uk/2011/mar/02/ghostmarket-web-scam-teenagers

Hospitality Industry Internet Risks: Hotel Management Must Train Employees To "Check Security Software And Certifications On Websites" To Prevent Downloading Internet Viruses

“These Internet scammers are very sophisticated…They’ll send an e-mail that looks like eBay or PayPal, asking for your information. The attorney general speaks often about Internet safety, and he encourages consumers to check the security software and certifications on websites and never store their personal information there. We have an identity theft protection tool on our website, www.Ag.ky.gov…”

Every website you visit tags your computer with a tracking device called a “cookie.” Your every move online — e-mail, downloads, credit-card purchases — is stored on your own computer’s hard drive as a digital footprint, even though you religiously delete and empty your recycle bin.

(A woman) was digitally minding her own business and was accosted by a phony website phishing for her personal information — something all too common on the Internet. As technology insidiously pervades every aspect of life, personal privacy becomes more endangered and difficult to maintain. Erik Eckel, a managing partner at Louisville Geek and Berg’s computer service tech, called her problem “one of the biggest trends we’ve seen.

Users will click on a link on someone’s Facebook page, or travel to a site that’s infected and they receive a pop-up window saying, ‘You’re infected. You want to go ahead and license the software? Only $39.95.’ The pop-up won’t go away, people buy it and then an illegitimate user has their credit-card number.” And then there are hackers, like David Kernell, now serving a yearlong sentence at the Ashland Federal Correctional Institution in Kentucky for invading Republican vice presidential candidate Sarah Palin’s private e-mail account during the 2008 election and sharing her password and telephone number.

Even Kentucky Attorney General Jack Conway was a victim of identity theft, weeks after announcing a special unit on cybercrime.

For more:  http://www.courier-journal.com/article/20110222/FEATURES/302220033/With-latest-Web-perils-it-s-wise-to-be-paranoid?odyssey=tab%7Cmostpopular%7Ctext%7CFEATURES

Hospitality Industry Data Security: Hotel And Restaurant Management Should Consider "Tokenization" For Credit Cards And Sensitive Data

“…tokenization is a data security model that generates surrogate values, called tokens, to replace sensitive data—credit card numbers, for example—in applications and database fields. The sensitive data is simultaneously encrypted and stored in a central data vault, where it can be unlocked only with proper authorization credentials...”

In 2011…expect to see many more mid-sized to large enterprises adopt tokenization more broadly to protect many other types of sensitive information, including electronic health records (EHR).

It does this by removing sensitive data from applications and databases, which has the added benefit of reducing scope for Payment Card Industry Data Security Standards (PCI DSS) compliance audits.  Over the past couple of years, the tokenization data security model has taken its rightful place alongside data encryption, and it is well on its way to becoming a commonplace solution for credit card protection.

What’s more, a particular version of tokenization—Format Preserving Tokenization™—is equally adept at protecting personally identifiable information (PII) and electronic health records (EHR) to help organizations comply with data privacy laws like the EU Data Privacy Directive and HIPAA.

For more:  http://www.thetechherald.com/article.php/201107/6818/RSAC-2011-Data-Security-Wunderkind-Tokenization

Hospitality Industry Internet Security Risks: Hotels Can Offer Wireless Internet With WPA2 (Wi-Fi Protected Access 2) To Offer Guests Greatest Wireless Security

IS WIRELESS INTERNET IN HOTELS SAFE?

  • The short answer is: No. Wi-Fi was born to be convenient, not secure. Unsecured, unprotected wireless is everywhere. When a device connects to unprotected Wi-Fi, all the data stored on that device is available to a hacker with the proper sniffing tools.
  • The longer answer is: It depends on what kind of wireless that is provided.
  • Free, unsecured Wi-Fi is the least secure. Any Wi-Fi connection, whether in public, at home, or in the office, that is shared with anyone with any wireless device, lacks encryption of the data packets streaming from the connected devices.
  • A simple Firefox add-on called Firesheep can allow anyone with a Firefox browser to sniff out other devices using the same Internet connection, and to spy on their browser activity. Even if the victim’s login is encrypted, once they visit an unencrypted site, their data becomes vulnerable.
  • Wi-Fi with a WEP encryption is slightly more secure. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security. But WEP has been cracked, hacked, and decimated.
  • Wi-Fi with a WPA encryption is better. Wi-Fi Protected Access is a certification program that was created in response to several serious weaknesses researchers found in WEP, the previous system. WPA and WPA2 are tougher to crack, but not impossible.
  • Mobile Broadband has a degree of encryption that has been cracked, but the necessary hardware isn’t widely deployed by criminals. Researchers have demonstrated how the system can be hacked, but it’s still more secure than other options.
  • WPA2 Wireless Internet IS THE MOST SECURE 

For more:  http://advice.cio.com/robertsiciliano/14923/hacking_wireless_for_identity_theft

Hospitality Industry Identity Theft: Las Vegas Hotel Industry Is Target Of Cybercriminals Who “Skim Wireless Transmissions” And Intercept Credit Card Data And PIN Numbers On Low-Cost/High Tech Devices

Law enforcement officers learned last week how easy it is to have one’s identity stolen when a cybercrimes expert powered a $30 machine and intercepted some of the wireless transmissions coming from their smart phones as they sat in a UNLV conference room.

As cybercriminals seek new ways to outsmart police and the public, crime-fighting agencies are increasingly turning to cyber-experts to show them the latest high-tech equipment used in identity theft scams.

One of those experts is Justin Feffer, who conducts seminars for identity theft detectives nationwide on behalf of the FBI and LifeLock, an Arizona company that specializes in identity theft protection.

“It’s absolutely an arms race,” said Feffer, who also investigates cybercrime for the Los Angeles County district attorney’s office. “You see vulnerabilities in software exploited by criminals. Then you see the software companies patch those vulnerabilities and then the criminals develop new ones. That’s why you have to make sure everything is up-to-date and currently patched. What was good last year is by no means safe this year.”

That’s the reason nearly 100 officers from Metro Police, North Las Vegas, Henderson, the state Gaming Control Board and other agencies attended the conference.

It included a demonstration of skimming devices that criminals use to steal credit and debit card information, including PIN numbers, from card-swiping machines that have become increasingly present at Las Vegas restaurants and retail outlets.

Speaking outside the conference room, LifeLock spokesman Mike Prusinski emphasized the importance of training. “Most of the individuals in that room have absolutely no idea what a skimming device looks like or what the wiring looks like. We’re opening their eyes to these things.”

The interview took place outside the room because the FBI and LifeLock don’t want the public — including the media — to know what law enforcement is learning about the tricks of identity thieves.

Nevada has been a hotbed of identity theft for years. The state last year ranked fifth in the nation with 106 complaints per 100,000 residents — 2,802 complaints total — that were fielded by the Federal Trade Commission. That’s down from 130.2 complaints per 100,000 residents in 2005, when Nevada ranked second. The agency did not explain why the numbers for Nevada are down.

The FTC data paint only a partial picture of the problem because many victims file complaints only with police instead of also with the commission. But the number of identity theft crime reports filed with Metro from January through Nov. 13 — 2,063 — is down from the 2,440 filed during the same period in 2009.

For more:  http://www.lasvegassun.com/news/2010/dec/15/pickpockets-strike-through-ether/

Hospitality Industry Credit Card Risks: Hotel Owners And Management Must Store “Credit Card And Guest Receipts” In Secure Locations To Prevent Identity Theft

“… (the defendants) found boxes of monthly credit card receipts from previous hotel guests. Box by box, they and others lifted them from the hotel, officials allege…”

The receipts, officials say, helped the men manufacture counterfeit credit cards in document “boiler rooms” and card “chop shops,” which they then used to buy $300,000 worth of merchandise in Texas, Oklahoma and Louisiana.

The merchandise, which included tow trailers, televisions, all-terrain vehicles and tires, then was resold or pawned.

The hotel didn’t learn of the thefts until August 2008, and since then, federal investigators have learned at least 17,000 receipts were stolen in what they say is San Antonio’s largest identity theft case.

Details had remained sketchy until the ringleader, Ruben “Hollywood” Costello, 36, recently pleaded guilty to ID theft fraud conspiracy, access device fraud, and conspiracy to launder money, and documents in the case were unsealed.

They identify Jones, 34, as his partner in the crimes and name him and Flaharty, 31, as two people who helped take the records from the Emily Morgan.

They also reveal Costello used a network of associates, methamphetamine addicts and others to maintain the scheme, and used an Elmendorf trucking company he ran, RD&N Hauling, to launder the money.

The cardholders never realized their credit card accounts had been compromised until months, even years, after they stayed at the hotel. But the damage made it hard for some of them to get loans and left lingering headaches in trying to straighten things out, officials said. “When you look at these types of crimes, you may think the victim is the vendor or the credit card companies,” Assistant U.S. Attorney Tom McHugh said. “What we see is that the person whose identity is stolen, his problems may go on for years.”

For more:  http://www.mysanantonio.com/news/local_news/article/Ringleader-pleads-in-S-A-s-largest-ID-theft-case-859510.php
