Credit card hackers visit hotels all too often

Here is something the struggling hotel sector prefers not to spotlight that it is a favourite target of hackers.

A study released this year by SpiderLabs, a part of the data-security consulting company Trustwave, found that 38 per cent of the credit card hacking cases last year involved the hotel industry.

The sector was well ahead of the financial services industry (19 per cent), retailing (14.2 per cent), and restaurants and bars (13 per cent).
Why hotels? Well, to paraphrase the bank robber Willie Sutton, hackers hit hotels because that is where the richest vein of personal credit card data is.

At hotels with inadequate data security, “the greatest amount of credit card information can be obtained using the most simplified methods,” said Anthony C Roman, a private security investigator with extensive experience in the hotel industry.

“It doesn’t require brilliance on the part of the hacker,” Mr Roman said. “Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems.”

The sophistication of such systems vary widely from one hotel to the next, even within the same corporate chain, making it an easy route for hackers.

The Trustwave report said that “organisations large and small were found to be moving forward with plans to implement new technology, while leaving basic security threats overlooked.”

Mr Roman works with hotels to improve security technology, but he said that as the industry hit tough economic times and hotel owners cut spending, security upgrades sometimes lagged.

Proper technology security “requires purchasing not only of software and hardware, firewalls and encryption programmes,” but training staff and constantly monitoring transactions and data access, he said.

“We’re seeing thousands and thousands of credit cards being hacked out of hotel systems. So I would say the industry is not doing incredibly well on this,” Mr Roman said.

The full extent of credit card fraud by those who breach hotel systems is unknown. But anecdotally, hacking incidents occur with disturbing regularity.
Compromised
Last month, Destination Hotels and Resorts, a chain of luxury properties in the United States, notified customers that credit cards “may have been compromised.”

ABC News reported that Destination had been victimised by “an intense database attack that lasted over three months,” and quoted law enforcement authorities saying that losses, which totalled hundreds of thousands of dollars, averaged $2,000 to $3,000 on each of the estimated 700 credit card numbers stolen.

Also last month, Wyndham Hotels sent customers a statement saying that a “sophisticated hacker had penetrated our computer system” at as many as 31 hotels from Nov 7, 2009, to Jan 23. Wyndham said it was improving its security technology.

It often takes months for these attacks to be discovered by hotels — and by customers who may be on the road frequently and not monitoring card activity reports carefully.

My wife and I had separate credit cards that we used for business travel, but each account was compromised in the last eight months shortly after hotel stays. In both cases, hackers made multiple unauthorised purchases — all for small amounts and as many as 10 in one day — from merchants like the Apple iTunes Store.

Fraud
In both cases, the total charges exceeded $400 before we noticed the fraud and called our card companies. Fortunately, we had called in a timely manner and were not responsible for the charges.

Fraud experts say that hackers often steal personal data and make multiple small charges to validate a card, probe its vulnerability and test the vigilance of a cardholder before making bigger charges.

Meanwhile, credit card companies are pressuring merchants, including hotels, to adopt uniform security standards.

After all, the credit card company usually gets stuck with most of the bill if a consumer notifies the company of the misuse promptly, Mr. Roman said. To guard against such problems, he advises travellers to be vigilant about checking charges online after business trips.

And one additional piece of advice he offered to hotels and travellers alike: “Shred everything.