by Robert McGarvey
If you are reading this on hotel WiFi, sign off now. A new Bloomberg report underlines how porous hotel WiFi networks are. This is a long look at the problem and that’s good because it is a grim reality that savvy travelers need to know about.
Do you care if hackers have your credit card numbers, maybe passport info, possibly driver’s license details, hotel loyalty program log in and password, and probably more? Because they do. Because hotels do not care about your privacy. They just don’t.
Of course this week’s news is about airlines and breaches – specifically BA – and they have a sorry history of poor defense against hackers. Don’t get distracted however. Airlines are bad at this. But hotels are simply the worst.
Forgive me a Cassandra moment. I have been writing about how much hotel WiFi sucks for at least a decade. The stories are manifold and they always say the same: hackers long ago figured out that hotels have essentially no protections on their wifi networks so it is very much a wild west where an Internet caveat emptor prevails.
Except the odds are stacked against you: the hackers are very good at their work, which is stealing salable data. Hotels are very bad at protecting our data. Hotel group after hotel group has fallen victim to hackers. Trump. Hard Rock. Hilton. Marriott.
In a mea culpa, Marriott said: “The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
As for who hacked these hotels, nobody knows. In many cases it doubtless is ordinary, common criminals. In other cases, something else may be afoot. Noted Bloomberg: “Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders.”
Yep. The Chinese are believed to be voluminous acquirers of data. But the Russian aren’t slouches. Several European governments are in the game too. And the US government increasingly is active. In that last case it is difficult to see a hack on a domestic company. But impossible? Not really.
Understand this: hotels are truly bad at protecting data. It’s an industrywide malady. And hotels are lots worse than most other industries. Bloomberg posits a theory: “Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.”
That rings true to me.
Bloomberg went on: “There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions.”
In the big chains the vast majority of hotels are owned by “asset holders” – everything from pension funds and big insurance companies to wealthy individuals. They have to be persuaded to fund big ticket campaigns. And often they haven’t been.
The result in the hotel business is a patchwork of old, cruddy, unreliable technology.
But you do not have to be a victim. There is nothing we can do to strengthen the defenses around a hotel’s property management system, etc. But we can take steps to protect ourselves when it involves WiFi.
You have three options. Definitely use them in hotels, but also in airports, coffee shops, and airport lounges. I don’t guarantee your safety but I promise you will be much, much safer than if you don’t take such steps.
O Create a personal hotspot with your cellphone and log in via it. Cellular data is much, much more secure than is hotel network data. Not perfect. But good enough for most of us. This has been my go to for some years.
O Use VPN, a virtual private network. There are known limitations to the security delivered by VPNs. I personally no longer use one. But I know many companies require their traveling execs use a vpn and if that’s policy, it is much, much better than logging on naked to a hotel network.
O Use Silo or a similar secure browser. The secure browser processes all web data inside a secure container so even if a user accesses malware it’s no harm, because the data won’t reach the user’s computer. Silo also encrypts traffic to shield it from prying eyes. A tool such as Silo offers more robust protection than do VPNs. (Note: I have been paid by Silo’s developer for past work. That company had no involvement in this column and did not pay me for this.)
That’s three choices. On your next hotel stay when you log into the Internet use one of the three and know that you will be a lot safer than the guests who log into the hotel’s computer. There is no excuse for not protecting yourself. Not when you know just how perilous hotel networks are and will almost certainly remain.