Another Marriott Breach, Ho Hum

By Robert McGarvey

In other news on March 31, Marriott disclosed what it called a “Property System Incident.”

We interrupt that to report a shoplifting at a dollar store, cutting now to the live police feed of this dramatic story.

You probably missed the Marriott news because it was an otherwise busy day with acres of – grim – Covid-19 reporting and with projected US death totals now reaching into six figures, shortages looming for ventilators, inexplicable mask shortages, and, well, who really had the bandwidth to process yet another report of a hotel data breach?

Not us.

Marriott doubtless hoped you would miss it because the company’s statement is calculatedly blah.  It says just about nothing and that’s tipped off by the word “incident” in the headline. Meaning absolutely nothing.

But the Marriott statement does note the personal info of about 5.2 million Marriott loyalty members apparently was compromised in the “incident.”  It elaborated:

“At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

* contact details (e.g., name, mailing address, email address, and phone number)

* loyalty account information (e.g., account number and points balance, but not passwords)

* additional personal details (e.g., company, gender, and birthday day and month)

* partnerships and affiliations (e.g., linked airline loyalty programs and numbers)

* preferences (e.g., stay/room preferences and language preference).”

Marriott added: “Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

The real take away from this: the continuing indifference of the hotel sector to protection of guest data. How many breaches have to occur – from Trump hotels to Starwood and Hilton and just about everybody else? How many stories have to be written? Somebody needs to say, this is a problem.  It needs to be fixed.

Actually we’ve been saying all for that for some years now and nothing has changed.

We need a new campaign.  Complaining about hotelier incompetence is not enough.

Real change will start with us. 

We share culpability. We put up with it.  For some time I have suggested that probably the only safe way to stay in a hotel is with a bogus travel credential (a novelty Irish driver’s license for instance) and using a credit card paired to the bogus ID. Then annually burn that identity and create a new one.

Shop for ID online. Here for instance.  Note: I am not suggesting using any such ID to drive a car or any similar activity – many of which might be illegal.  Rather, I am suggesting we take a trick from the oldime restaurant critic’s playbook – from the era where they practiced anonymity – when every big newspaper and magazine handed out credit cards in bogus names to their critics so they could make anonymous reservations. As long as the bills got paid, no harm done.

We’d be a lot safer in hotels if we did something similar today.

A lot of work? Yeah. But so is the persistent credit monitoring we all do because we have been involved in so many data breaches, many involving hotels and restaurants.

In Marriott’s defense this breach was detected quickly by hotel standards – often years go by. In this case, just months.

But worrisome is that two employee accounts were apparently the tools.  And that they were used to perpetrate large amounts of data exfiltration that should have been detected and stopped quickly.  Screens against substantial data exfiltration just are good practice in well run organizations.

Not apparently in Marriott.

So what should you do now?  Paul Bischoff, privacy advocate with Comparitech, said: “The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.”

Remember that. If you are among the 5.2 million you will begin getting targeted phishing emails as soon as the data sells on the dark web. And it will go on for years.

That novelty driver’s license is making ever more sense? 

It’s up to us to protect ourselves.  It’s become that obvious.

They Are Still Stealing Your Loyalty Miles and Points

By Robert McGarvey

Call it deja vu all over again: A March 2, 2020 Travel Weekly headline screams: “Latest targets of fraudsters are hotel and airline loyalty points.”

I first recall writing about this in 2014: The Hilton HHonors Hack: Loyalty Programs Under Siege and How to Protect Yourself.   

Again in 2015: United’s MileagePlus, American’s AAdvantage Loyalty Programs Have Been Hacked.

I wrote about it most recently a year and a half ago in this space: Do You Know Who’s Stealing Your Airline Miles?

You might think the bad news is that nothing has changed. You’d be wrong.  The worse news is that, yes, nothing has changed and cyber thieves – knowing we now have so many ways to accumulate miles and points – are more energetically emptying out our accounts because, apparently, neither hotels nor airlines have done much to batten those hatches and secure their loyalty program against pickpockets.

What’s the allure for crooks? As I wrote in the Hilton story six and one-half years ago: “Huge buckets of Hilton points – sometimes in the hundreds of thousands – have shown up in hacker bazaars, where one vendor, for instance, offered 250,000 points for $3.50. At the Hilton shopping mall, an Apple iPad Air 64G is yours for 489,000 points – so at that criminal exchange rate, maybe $7 (payable in Bitcoin) will grab it. There are other, reported cases where around $10 in Bitcoin bought enough points to claim over $1,000 in hotel room nights.”

What a deal.

The Loyalty Security Association meanwhile estimates that 1% of airline mile redemptions are fraudulent.

But that number may be growing, oddly in part because of a consumer friendly gesture on the part of carriers. Reported Travel Weekly, “Jeff Wixted, vice president of product management and operations for Accertify, an American Express subsidiary that provides fraud-prevention services, said loyalty fraud has especially accelerated in the past 15 to 18 months, with fraudsters buoyed recently by the growing trend among airlines to do away with point expirations.”

That of course meant there are more miles to steal from more inattentive consumers.

Wixted added that the value of US loyalty accounts is around $100 billion.

US consumers belong to some 3.8 billion loyalty programs, according to Clarus.  54% are inactive and those dormant accounts of course are prime for thievery.  If you haven’t checked your Delta account in years, would you even notice if miles had been pilfered?  Of course not.

I know I wouldn’t and, yes, over the years I’ve left multiple airline and hotel loyalty accounts go fallow and I have no idea if the zero balances I see are because the vendor wiped the account after X months of inactivity or if an enterprising thief hoovered them out.

Amex’s Wixted, by the way, predicted to Travel Weekly that the value of loyalty fraud will eventually eclipse the value of credit card fraud.

As for how criminals get our loyalty program details, the surest answer is the many breaches suffered by travel companies.  From Starwood to BA, there have been massive breaches involving hundreds of millions of us, probably billions of us all accounted.  

Experts warn that many of us also fall victim to phishing schemes – where we get a tasty offer from what appears to be a known travel provider, we respond with our program details and they are off to the races, while not only don’t we get the proferred deal, our loyalty balances are emptied out.

Criminals also are known to erect sham great deal pages where they harvest credit card and loyalty program info from bargain hunters who stumble in and can’t resist a prime New York hotel room at $49, for instance.

Know this: smart crooks increasingly are determined to rob our loyalty points and miles and they are succeeding at this larceny.

That does not mean the situation is hopeless.

Here’s our best defense: check loyalty programs regularly. My habitual practice was to review an account only when I wanted to cash in miles or points.

No more. Now I check the few accounts I  have decided to maintain – three airline programs, two hotels, one credit card – monthly. I do not rely on the hotels and airlines; their track records don’t breed confidence. So I provide my own vigilance.

Nope, I have detected no fraud.  

You might want to check more often, or maybe quarterly.  A right answer varies with how many miles and points are at stake.  And what those balances mean to you.

But accept this: in 2020, protection of our loyalty balances is on us.  

Talking at cross purposes: Where credit union cybersecurity goes awry

by Robert McGarvey

For years I have pondered a puzzle: why do financial institutions spend so much on cybersecurity and employ wonderfully smart and talented people – but the results are not as good as one would hope.

Frequently financial institutions simply are whipped by their criminal opponents.

Just look back on how DDOS – distributed denial of service – brought innumerable institutions to their knees a few years ago.  It took months for credit unions to get it together to repel the attack.

Then look at ATM jackpotting. New account opening fraud. ATM skimming. The list could go on and on but you get the message: criminals often outwit credit unions and banks and that is despite the money spent and the talent employed.

Why don’t credit unions gain the upperhand?

Hear the related podcast with Authentic8 CEO Scott Petry here.

A new report, sponsored by cybersecurity firm Authentic8, involves a survey of 163 financial services professionals, and it tackles just that question: why do financial services firms so often fall victim to cyberattacks?

Here’s a hint at the reason: “Financial firms have some of the best-funded IT departments of any industry, that’s no secret,” said Scott Petry, CEO of Authentic8. “What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms.”

The report’s title spells out the problem: “Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms.”

Keep reading at CUInsight

CU 2.0 Podcast Episode 75 Milind Borkar Illuma Labs

Passwords are broken. You know that.

But do you know call centers are heading that way?

Call centers are under attack by criminals. Smart criminals. And they are targeting credit unions.

Credit unions are responding by asking more members ever harder questions. Just one problem. As the questions get more obscure – what was the make of the second car you owned – more members give wrong answers.

Fraudsters incidentally often can perform quite well on these tests because they have amassed data via the dark web.

They probably know the name of that kindergarten teacher that you have forgotten.

Tough questions are no cure.

The better solution is to implement biometric authentication that eliminates the need for answering a series of obscure questions. Enter Illuma Labs which is focused on helping small and mid sized financial institutions – that means you, credit unions – implement passive voice recognition.

As for what passive recognition means it’s that it happens in the background, the member needs do nothing special. In a matter of quick seconds he/she is authenticated and you can get down to business.

That means quicker call times, lower costs, happier members and happier call center staff.

This podcast is a guided tour into how voice rec works, how to implement it quickly and at low costs, and why this is the 21st century solution to a lot of the fraud credit union call centers are experiencing.

Listen here

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

Cybersecurity in 2020, Roadwarrior Edition

By Robert McGarvey

Now is the time to take stock of our defenses and I’m not talking about pickpockets and hotel safe thieves. What I mean is guarding against cybercriminals who, unfortunately, prey on business travelers particularly – everywhere from coffee shops to airports to hotels, even whole foreign countries.

A few steps will keep your data safe on the road and it is vastly more valuable than the devices themselves. At least in my case where I usually travel with a five yearold Chromebook, somtimes an iPad Air 2 , neither having much value. The Pixel 3 XL phone has a little value but not much. A suggestion: always travel with disposable tech gear that you won’t miss.

It’s the data that I am concerned about because a criminal could feast on my financial accounts and maybe find a way to monetize data gleaned from emails and documents, many thousands of both on my devices.

Here are my steps towards safe travels.

Countries That Spy on You

Whole countries? You bet.  Visit China and you will hear that the “Great Firewall” means you cannot access Gmail and lots of other websites. You will also hear that, psst, use a VPN – only certain vendors pass muster and the list is a changing target – and you will be able to surf to Gmail, Facebook, you name it.

But you have to wonder: is the Chinese government monitoring that VPN traffic and do they have keys that decode it?

Know too that high level security consultants – with clients inside the Beltway and on the highest floors of Fortune 100 office towers – urge their clients to bring a clean computer and a clean phone, no business data on either, and to never access sensitive information while in China because your devices will be copied on your travels.

Not might be. Will be.

Maybe not the gear of Bob Schub, average citizen, but if there is a reason to think you might have interesting info on your computer or phone know it will be copied.

Do not bring your every day business computers or phones to China. Don’t.

China is not alone. Here’s a map of the world with nations that heavily monitor Internet traffic highlighted. There are places you might not go – Saudi Arabia – and there are places you might go that monitor at least some traffic (Russia, Turkey).  Know before you go and, when in doubt, use clean devices when traveling overseas.

Password Protect Your Phone

At least once a month a friend or neighbor asks me, what do I do, I was traveling and I lost my phone?

Sometimes they say it was stolen.

It doesn’t matter.  You probably will never see it again.

Know this happens, take steps now to protect yourself.

Set up Find My Device (Android) or Find My iPhone in Settings.  Now. When you lose a device it may help you find it and – crucially – it may let you wipe the device which means erasing all personal data.

Also, lock the phone, with a PIN or biometric, in Security (Android) or TouchID and Passcode (Apple).  That simple step will keep most criminals away from your data and, in most cases, they only want the phone hardware anyway.

The data is more valuable than the hardware but most criminals are grab and run small change crooks and that’s the good news.

Just take the two simple steps above and, yes, you can cry about losing a $1000 piece of hardware but at least your data and bank accounts will stay safe and that is what matters.

Never Use a Public Phone Recharging Station

You see them in airports, also at meeting venues. Don’t use them.  They are a fast track to getting hacked. It’s tempting. Your phone is beeping for juice.  Just let it die. Or always carry a plug when on the road, as I do. Often there are two in my bag.  They do get forgotten in hotels, a spare is a good idea.

Don’t Use Public WiFi

Never, don’t.  That means no public WiFi at airports, coffee shops, and definitely not hotels.

You say you are protected because you use a VPN.  Good luck with that (read about China above). Know that there are known vulnerabilities in consumer facing VPNs and there also are vulnerabilities with enterprise grade VPNs.

Personally I sometimes use Google’s VPN on a Google Fi phone when accessing the Internet but generally I am reading the news or checking a website and if that traffic is hijacked, so be it.

My preference is to create a cellphone hotspot and access the Internet via cellular data networks. A few clicks in setting and you are in business.

You really think public WiFi is faster and of course it usually is cheaper? There is one safe way to use public WiFi – read the next step.

Use a Secure Cloud Based Browser

When on the road and accessing sensitive data via public WiFi, I use Silo, a remote browser that processes all data remotely, in the cloud. (Here’s a paper on the technicalities.) It then transmits an encrypted display of the data to you so you “see” the web page but any computing functions have occurred in the cloud, at a remove from your computer.

There are other remote browsers.

Whichever you use, know that when you look at a page with toxic code, no prob, the bad stuff happens in the cloud. Not on your computer.

And eavesdroppers – who often listen in on public WiFi sessions – will only see an encrypted data steam that won’t mean a thing to them.

That’s five steps. Take them and there’s no guarantee of data security on the road. But you can know you are taking steps to secure your phone, your computer, your Internet traffic. And that puts you in a safer place than 99% of travelers

A Fraud Epidemic Engulfs Airlines

by Robert McGarvey

Online fraud in the aviation sector is up – by a lot. 61% to use the number offered by Forter. “The fraud prevention specialist says the rise can be attributed to loyalty programs as well as data breaches, such as that suffered by British Airways just over a year ago,” reports Phocuswire.

Last week I reported that airlines were doing better than hotels in fighting cybercriminals. But just maybe the fortunes of airlines have shifted from positive to a shambles. Forter’s new numbers tell the sad story.

What’s stunning is that in 2018 fraud attacks on the airline industry in fact went down, 28%.

However, Forter plainly said this was no cause for joy. In its report the company noted: “This indicates that the large data hacks within the industry, some of which made passport information available along with other stolen data, have yet to be reused to commit air travel fraud. This data is valuable enough to be leveraged for fully fledged identity theft (which may have many stages) rather than ‘thrown away’ on a single fraud attempt.”

That prophecy has come true in 2019 with the steep jump in airline fraud – particularly involving miles and loyalty, according to the just released numbers.

Forter especially highlighted this fraud in its most recent fraud index: “Loyalty fraud increased by 89% year over year, while the total dollar amount in online fraud increased by 12% year over year. “

In some respects this is not exactly news. As I wrote last week, “Loyalty programs have for some years been hacker targets. ” The reasons are plain. Most of us are lax about keeping tabs on loyalty accounts and the miles and points are easy for a thief to turn into cash equivalents. Airline tickets are always salable – but so are airline points and miles because they readily convert to air travel.

Loyalty programs are especially vulnerable because companies strive to deliver a frictionless experience – and where there is no friction, generally the on ramp for fraudsters is that much more welcoming.

Said Forter: “As a result, loyalty point programs become more vulnerable to opportunistic fraudsters. Points accrued in a customer’s account are treated like digital goods — redemption is wholly conducted online, and requires no stolen credit card information to execute. Fraudsters are thereby able to leverage these points as ‘free’ funding sources and given the minimal
mitigation efforts by merchants, are able to consistently do damage without raising suspicions.”

The massive BA breach of course fueled much of the jump in airline related fraud. About 500,000 customer details were harvested in the breach.

Land travel incidentally also saw a jump in fraud, up 38%. Said Forter: “This increase is attributed to the fact that car rentals and ride services apply less friction in their platforms (ease of pick up in parking, no ID required, etc.), in order to remain competitive in the market and for the perceived better customer experience. The push for an excellent and friction-free customer experience has created vulnerabilities in these platforms, which fraudsters have been targeting.”

Protecting your accounts – especially your loyalty accounts – is squarely on you. Regularly check balances and, hey, I know it’s tempting not to bother until you want to cash in miles but wait until then and when you look, the miles may be gone.

Now also is a good time to log into any car rental accounts you have. Ditto Uber, Lyft, etc.

Focus in on the loyalty accounts because that’s where fraudsters are hunting. Personally I have in the past couple weeks set up new, complex passwords and I have also set up four airline accounts to work on biometrics. The goal: to never actually input the password and always to use the biometrics.

What to do if miles have in fact been pilfered from an airline account?Prepare for what may turn out to be a prolonged battle. Particularly when many months have elapsed between when a theft occurs and when it’s reported, some airlines are proving to be stubborn about restoring miles. You may get them, you may not, and a real key to success is quick notification on your part.

Which bring us back to our core advice to regularly check balances. How often is good enough? Personally I aim now for once monthly. You may check more frequently with high balance accounts, you may want less frequently with low balance accounts.

But know it’s up to you. Use a very strong password, use biometrics, and stay aware of account activity.

That’s how to protect what is yours. Because – plainly – it’s on you because you can’t depend on the airlines’ defenses.

Sign Off That Hotel WiFi Right Now!

by Robert McGarvey

If you are reading this on hotel WiFi, sign off now.  A new Bloomberg report underlines how porous hotel WiFi networks are. This is a long look at the problem and that’s good because it is a grim reality that savvy travelers need to know about.

Do you care if hackers have your credit card numbers, maybe passport info, possibly driver’s license details, hotel loyalty program log in and password, and probably more? Because they do. Because hotels do not care about your privacy. They just don’t.

Of course this week’s news is about airlines and breaches – specifically BA – and they have a sorry history of poor defense against hackers. Don’t get distracted however. Airlines are bad at this. But hotels are simply the worst.

Forgive me a Cassandra moment. I have been writing about how much hotel WiFi sucks for at least a decade. The stories are manifold and they always say the same: hackers long ago figured out that hotels have essentially no protections on their wifi networks so it is very much a wild west where an Internet caveat emptor prevails.

Except the odds are stacked against you: the hackers are very good at their work, which is stealing salable data.  Hotels are very bad at protecting our data. Hotel group after hotel group has fallen victim to hackers. TrumpHard Rock. Hilton. Marriott

Information security blogger Brian Krebs has reported that the Marriott (Starwood) breach involved 500 million of us.  

In a mea culpa, Marriott said: “The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

As for who hacked these hotels, nobody knows.  In many cases it doubtless is ordinary, common criminals.  In other cases, something else may be afoot. Noted Bloomberg: “Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders.”

Yep.  The Chinese are believed to be voluminous acquirers of data. But the Russian aren’t slouches. Several European governments are in the game too.  And the US government increasingly is active. In that last case it is difficult to see a hack on a domestic company. But impossible? Not really.

Understand this: hotels are truly bad at protecting data. It’s an industrywide malady.  And hotels are lots worse than most other industries. Bloomberg posits a theory: “Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.”

That rings true to me.

Bloomberg went on: “There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions.”

In the big chains the vast majority of hotels are owned by “asset holders” – everything from pension funds and big insurance companies to wealthy individuals.  They have to be persuaded to fund big ticket campaigns. And often they haven’t been.

The result in the hotel business is a patchwork of old, cruddy, unreliable technology.

But you do not have to be a victim. There is nothing we can do to strengthen the defenses around a hotel’s property management system, etc. But we can take steps to protect ourselves when it involves WiFi.

You have three options.  Definitely use them in hotels, but also in airports, coffee shops, and airport lounges. I don’t guarantee your safety but I promise you will be much, much safer than if you don’t take such steps.

O Create a personal hotspot with your cellphone and log in via it.  Cellular data is much, much more secure than is hotel network data. Not perfect. But good enough for most of us. This has been my go to for some years.

O Use VPN, a virtual private network.  There are known limitations to the security delivered by VPNs.  I personally no longer use one. But I know many companies require their traveling execs use a vpn and if that’s policy, it is much, much better than logging on naked to a hotel network.  

O Use Silo or a similar secure browser. The secure browser processes all web data inside a secure container so even if a user accesses malware it’s no harm, because the data won’t reach the user’s computer. Silo also encrypts traffic to shield it from prying eyes. A tool such as Silo offers more robust protection than do VPNs.  (Note: I have been paid by Silo’s developer for past work. That company had no involvement in this column and did not pay me for this.)

That’s three choices.  On your next hotel stay when you log into the Internet use one of the three and know that you will be a lot safer than the guests who log into the hotel’s computer. There is no excuse for not protecting yourself.  Not when you know just how perilous hotel networks are and will almost certainly remain.

In VPN Should We Trust?

By Robert McGarvey

Mea culpa.  I probably have misled you about road warrior Internet security in the past. But today I am here to make amends.

The problem is the public WiFi so many of us use daily. In coffee shops, hotel rooms, meetings venues, airplanes – we hear the Siren call of public WiFi and often succumb to the temptation. We tell ourselves we will be safe because we use VPN.

For some time I have said that probably is good enough protection.

Now I am rethinking that position. A small project I’ve done with Authentic 8, a security company that has developed Silo, a secure remote browser, is what’s persuaded me that oftentimes VPN just isn’t good enough.

The problem with computing on the road starts with public WiFi which is – well documented – a hacker’s paradise.  Noted Kaspersky: “The biggest threat to free Wi-Fi security is the ability for the hacker to position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on.

“While working in this setup, the hacker has access to every piece of information you’re sending out on the Internet: important emails, credit card information and even security credentials to your business network. Once the hacker has that information, he can — at his leisure — access your systems as if he were you.”

If that didn’t scare you, read it again.  It’s saying that when using public WiFi you are a sitting duck.

Enter VPN, the putative magic bullet.  Many believe it makes public WiFi safe. I wrote as much myself. What VPN does is create a so-called secure tunnel and, they say, that’s ample protection against hackers.

Is it really?  That’s not what I discovered. In fact VPN often is hacked.  Here’s one write up that documents five ways VPNs can fail to deliver protection.

Here’s a headline from ComputerWeekly:  “VPN hacks can be lethal, warns security expert.”  

Here’s another headline: “DEF CON Update: Researcher Shows How To Hack VPN Services Via VORACLE Attacks.”

VPN can be hacked, it can be used to distribute malware, and, even worse, there are ever more bogus VPN apps that exist to herd the unwary sheep to hacker wolves.

Understand, I use VPN probably daily. It’s set up to self deploy on my Pixel phone when I’m in range of a public WiFi network.  I agreed to that offer from Google Fi, my cellular provider. But I am very cautious about what info I access under that arrangement. And it’s a Google VPN in the bargain.

If you are accessing public WiFi and all you have is VPN, use it.  Most of the time VPN will probably be good enough. And it’s definitely better than nothing.

But be very careful about what you access. Stay aware of VPN’s limits.

What if I want more access, and to access more sensitive data? For looking at brokerage accounts, company financial data, maybe even loyalty program balances, personal bank and credit accounts, VPN alone may not be good enough. That’s where I now say a user ought to deploy the secure, remote Silo browser or similar.  Advantages are plentiful. With it, the user location is opaque. No Web data ever touches the endpoint – what’s distributed are pixels, no more.

This document tells you what you want to know about Silo.  

What Silo does is process all web data remotely, inside a cloud container. It then transmits an encrypted display of the data back to the user. And when it’s done, Silo destroys the browser session, leaving no traces on the user’s device.

That’s the beauty of it. The web data is handled inside a secure, web based container.  There can be all manner of bad stuff in it and it won’t matter to your user session because it will live only in the cloud.  

Oh, and in my tests, I don’t see speed losses when using Silo. There of course are usually significant speed losses with VPN. If there’s a reason users don’t deploy VPN when they have it available, it’s the speed bump.  That isn’t a problem with Silo.

Note: Silo does not run on phones. For them, you will still want to use VPN. It does run on iPad. Also laptops of course.

The key point is if you want something better – more secure – than VPN, know it exists.

Full disclosure: I have done contract writing for Authentic 8, which is how I grew aware of Silo. I was not paid by Authentic 8 for this column, which I wrote on my own initiative, in large part because I remember the many cases where I scolded friends and colleagues about public WiFi and told them they needed VPN.  So I was half right. But also half wrong. Mea culpa.

After the Marriott Breach, What Now? Can You Protect Yourself?


By Robert McGarvey


Another day, another hotel breach. Face reality. Hoteliers suck at protecting your data. There is no gentle way to put that. They really, really stink.

Hotel News Now has a piece that explores the many hotel data breaches over the last decade. Read it and weep because it is your data that now is in play on the dark web.  

Can you in fact stay in hotels and protect yourself? Maybe, we offer tips below. But, first, feast on how inept hoteliers are at data security.

Hotels treat your personal data – name, address, credit card numbers, passport info – the way a deadbeat treats yet another bill collection notice.  

HNN traces the history back to 2010 when there was a big Wyndham data breach. That prompted an FTC suit against Wyndham that eventually was settled. I covered this and, honestly, I find it increasingly tiresome to write about the hotel industry’s cluelessness, or maybe just indifference, to guest data security.

Along the way White Lodging, a management company, had data breaches. So did Trump. Mandarin Oriental.  Hilton. Hard Rock. Kimpton. Noble House. IHC. Sabre.Hyatt. Radisson. Many more.

And now there’s Marriott where maybe 500 million guests were compromised. Apparently because of Starwood data insecurities.

Marriott has not been forthcoming about specific details pertaining to the breach.  It has said it is notifying customers who have fallen victim – so expect a phone call, or email, if you’ve stayed at a  Starwood in memory. (For the record here’s the company statement on the breach.)

Word of immediate advice: right now go and check any rewards accounts you maintain at Marriott.  There are suggestions that maybe these crooks were after those points – there is no confirmation on that front – but it is believable because there’s increasing evidence that hackers are hungry for points and miles that are fairly easy to convert into cash or cash equivalents (like an iPad or iPhone). Make sure all is copacetic and if it’s not, raise a loud yell at the nearest Marriott rep.  

Should you in fact expect meaningful compensation? Nah. That rarely is on offer. If points were stolen, almost certainly they can be restored. But beyond that I suggest never holding one’s breath in expectation of real compensation for pains suffered in a data breach.

The usual compensation is a year or two of monitoring of credit and dark web activity by a namebrand cybersecurity outfit. My favorite such is when T-Mobile revealed some 15 million applicants for credit – yours truly among them – had their data compromised when a server maintained by Experian was hacked. Victims were offered free credit monitoring by, you guessed it, Experian.

What can you do to protect yourself?

Do make it a practice to get free activity reports from such as MasterCard. Closely monitor credit activity and do stay on top of accrued rewards points. If offered free credit monitoring by Marriott, sure, take it.

Accept that by now bad guys know all your private data, from Social Security to your health insurance number (yes, there’s brisk trade in health insurance documents).

So what more can we do to protect our data security? Personally,  I cannot recall the last time I booked directly with a hotel, despite their massive push for that. I use OTAs and many of them have tech company roots and, as an industry, tech has fared a lot better in regard to data privacy than have hotels. OTAs aren’t perfect but I’ll bet on them before a hotel company. In that regard I’ve liked Expedia and will soon start using Google.

But what about the nasty business of check-in where the desk clerk asks for a photo ID and credit card? I am increasingly tempted to buy a fake (“novelty) Nova Scotia driver’s license – on sale for $89 or maybe an Irish driver’s permit for 30 quid.  Use a fake name – maybe Michael Collins – a fake address and I have a good ID to flash at check in at a hotel.

Then I can ask an issuer of a credit card that I already have to issue a supplementary card in Mr. Collins’ name.  Bills continue to go to me and I would make monitoring the account a prime task because there really is no trusting the hotel.

Isn’t this extreme? Of course.  But if hoteliers refuse to take the proper precautions to safeguard our data we have to take our own precautions. And traveling under a false flag may be just the answer.

Have different suggestions on staying safe? Have at it in the comments box below. I’m at wit’s end myself, forced to cogitate on forgeries. Better ideas are welcome.