Hotel Data Breaches and You: Welcome to Anxiety

July 17, 2018 | rjmcgarvey | InfoSec, Travel

 

By Robert McGarvey

 

The 2018 Verizon Data Breach Investigations Report has terrifying news for hotel guests.  

For some years I have written about how porous hotel data and credit card security are.  Loyalty programs, hotel restaurants, and more are under continuing assault by cyber criminals.  I have urged people not to use hotel wifi and not to use debit cards at hotels (they have poorer protection under federal law than do credit cards).  It’s a jungle out there and, in hotels, we travelers are the gazelles.

We need to really toughen our defenses – more on that below.

Start first with just how treacherous hotels are for us. A chilling PDF of info about hotel data breaches – data culled from the Verizon report – is available via HotelNewsNow.  Download it.

It makes for disturbing reading.

There should be no surprises here.  Hotels attract guests with money – definitionally.  There’s no real point in hacking into a Skid Row flophouse.  A 4 star hotel is a different matter.

Per Verizon, hotels are much more likely than most businesses to be a target. As Willy Sutton is said to have exclaimed when asked why he robbed banks, that’s where they keep the money. Hotels aren’t banks but they are tasty targets nonetheless.

Hotels also have demonstrated a long running lack of seriousness about mounting real cyber defenses.  Why? This is expensive stuff, it requires highly skilled personnel (more expenses), hotels typically have many systems running and thus may points of vulnerability (from the gift shop to loyalty programs) and, well, so far we – the hotel guests – have shrugged off the industry’s vulnerabilities.

There were 338 reported incidents involving hotels tallied in the most recent Verizon report.  Don’t assume that is a complete count. That’s because, according to Verizon, 68% of the breaches took months or longer to detect – and maybe some still haven’t been detected.  

More factoids in the study: 93% of incidents involved hacking and 93% focused on payment information. 99% of attackers were financially motivated.

50% of the breaches involved organized criminal gangs.  

87% of the breaches took a minute or less.

Bottomline: Don’t trust hotels to protect you.  Just don’t.

What can a business traveler do?  Standard advice from security professionals to executives visiting countries where eavesdropping is the norm is to bring a “clean” electronic device – a new Chromebook, under $200 is a good choice.  Reserve it for travel use, put no personal information on it, and never log into a significant website (which includes an email server, a company data server, really anything that involves a password).

Sure, that nullifies a lot of the reason for bringing a computer on a trip. But at least you’ll know you are safe.

I now advise many domestic travelers to follow this advice.

Do that particularly if you plan to use hotel wifi because you have to view hotel wifi as potentially compromised.  

An alternative: always use your phone to create a personal hotspot and let it power your Internet connections.  Yes, there are (small) costs involved – $10 per gig via Project Fi which is what I use. But the cellular data connection is significantly more secure than is hotel wifi.

The drawback to cellular is that – usually – it runs slower than a decent hotel wifi connection.  Sure, some hotel wifi networks are dreadful but lately I am finding many offer adequate speeds.

And some employers just don’t want to pay data bills for their business travelers which is another reason to use the wifi.

But I do use my own computer with a cellular hotspot and have had no security lapses.

Want more security but using hotel wifi? Many travelers swear by VPN – virtual private networks – but typically they offer slower speeds and costs ordinarily are involved.  There also are reports that slick Russian hackers know how to penetrate at least some VPN connections.

Still – VPN is a lot better than using the naked hotel wifi when accessing email, files, etc.

I have also lately been playing with a secure, cloud-based browser called Silo that, for nominal charges (fees start at $100/year), provides you with a special browser you install on your computer.  You browse anonymously, and if you encounter malware, it downloads not to your computer but to Silo’s. What most impresses me about Silo is that in my tests it runs about as fast as Chrome. And it delivers much more safety than do the standard browsers.

Which proves the point: you can continue to use your own computer and visit the secure sites you want to visit (such as email) using hotel wifi if you install special, high security browsers.

Less won’t work.  Use VPN. Or a special security browser. Or a clean computer. 

Hotels are danger zones for business travelers.  Accept that as a reality in the Verizon research.

Accept also that airport public wifi is radically unsafe.

Accept that it’s up to you to protect yourself.

And take the necessary steps.

Leave a Reply

Your email address will not be published. Required fields are marked *