By Robert McGarvey
Another day, another hotel breach. Face reality. Hoteliers suck at protecting your data. There is no gentle way to put that. They really, really stink.
Can you in fact stay in hotels and protect yourself? Maybe; we offer tips below. But, first, feast on how inept hoteliers are at data security.
Hotels treat your personal data – name, address, credit card numbers, passport info – the way a deadbeat treats yet another bill collection notice.
HNN traces the history back to 2010 when there was a big Wyndham data breach. That prompted an FTC suit against Wyndham that eventually was settled. I covered this and, honestly, I find it increasingly tiresome to write about the hotel industry’s cluelessness, or maybe just indifference, to guest data security.
Along the way White Lodging, a management company, had data breaches. So did Trump. Mandarin Oriental. Hilton. Hard Rock. Kimpton. Noble House. IHC. Sabre. Hyatt. Radisson. Many more.
And now there’s Marriott where maybe 500 million guests were compromised. Apparently because of Starwood data insecurities.
Marriott has not been forthcoming about specific details pertaining to the breach. It has said it is notifying customers who have fallen victim – so expect a phone call, or email, if you’ve stayed at a Starwood in memory. (For the record here’s the company statement on the breach.)
Word of immediate advice: right now go and check any rewards accounts you maintain at Marriott. There are suggestions that maybe these crooks were after those points – there is no confirmation on that front – but it is believable because there’s increasing evidence that hackers are hungry for points and miles that are fairly easy to convert into cash or cash equivalents (like an iPad or iPhone). Make sure all is copacetic and if it’s not, raise a loud yell at the nearest Marriott rep.
Should you in fact expect meaningful compensation? Nah. That rarely is on offer. If points were stolen, almost certainly they can be restored. But beyond that I suggest never holding one’s breath in expectation of real compensation for pains suffered in a data breach.
The usual compensation is a year or two of monitoring of credit and dark web activity by a namebrand cybersecurity outfit. My favorite such is when T-Mobile revealed some 15 million applicants for credit – yours truly among them – had their data compromised when a server maintained by Experian was hacked. Victims were offered free credit monitoring by, you guessed it, Experian.
What can you do to protect yourself?
Do make it a practice to get free activity reports from such as MasterCard. Closely monitor credit activity and do stay on top of accrued rewards points. If offered free credit monitoring by Marriott, sure, take it.
Accept that by now bad guys know all your private data, from Social Security to your health insurance number (yes, there’s brisk trade in health insurance documents).
So what more can we do to protect our data security? Personally, I cannot recall the last time I booked directly with a hotel, despite their massive push for that. I use OTAs and many of them have tech company roots and, as an industry, tech has fared a lot better in regard to data privacy than have hotels. OTAs aren’t perfect but I’ll bet on them before a hotel company. In that regard I’ve liked Expedia and will soon start using Google.
But what about the nasty business of check-in where the desk clerk asks for a photo ID and credit card? I am increasingly tempted to buy a fake (“novelty”) Nova Scotia driver’s license – on sale for $89 – or maybe an Irish driver’s permit for 30 quid. Use a fake name – maybe Michael Collins – a fake address and I have a good ID to flash at check in at a hotel.
Then I can ask an issuer of a credit card that I already have to issue a supplementary card in Mr. Collins’ name. Bills continue to go to me and I would make monitoring the account a prime task because there really is no trusting the hotel.
Isn’t this extreme? Of course. But if hoteliers refuse to take the proper precautions to safeguard our data we have to take our own precautions. And traveling under a false flag may be just the answer.
Have different suggestions on staying safe? Have at it in the comments box below. I’m at wit’s end myself, forced to cogitate on forgeries. Better ideas are welcome.
By Robert McGarvey
The dark web is aflood with stolen airline miles for sale. That’s the surprising punch to the face in a recent report from Comparitech.
The subhead delivers the message: “There’s a black market for your frequent flyer miles. Stolen frequent flyer accounts and rewards points are a hot commodity on the Dark Net.”
According to Javelin Strategy + Research, in 2017 11% of attacks on existing financial accounts were on loyalty programs. That’s up from 4% in 2016.
According to Barry Kirk, Vice President of Loyalty, Maritz Motivation Solutions, “Every sizable loyalty program was a victim of attempted fraud or hacking in 2017. Those who believe they weren’t simply haven’t paid attention.”
Maritz research says that 7% of us self-identify as victims of program fraud.
Left unknown is how many of us are victims but haven’t realized it – probably because a little used account was pilfered. If we do eventually return to that site, we may have forgotten what our miles total should be and just accept that, well, I must have emptied it out, I forget on what.
Headline winning breaches of loyalty programs are few. The Hilton attack four years ago comes to mind.
In 2015 United and American admitted their programs had been hacked – but both were relatively small thefts. Some 10,000 accounts were said to be compromised at American, fewer at United.
Yet hackers are continually nibbling away at our stashes of miles and points.
A proof is that brisk dark web marketplace, reported by Comparitech, which observed: “On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting out at $884 as of time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down).”
A rule of thumb is that miles are worth 1 to 2 cents apiece (of course smart shoppers can get significantly greater value and less astute shoppers will get lower returns).
On the dark web, however, the going rate, according to Comparitech, appears to be much lower – often as little as 1/10th of the typical value.
There’s a reason for that. Stolen miles probably will not get cashed in for flights, mainly because of ID issues. So what are they good for?
For instance, in 2017, Air Miles, a Canadian loyalty scheme, issued a warning that thieves were using miles to buy merchandise in stores that participate in the program.
In other cases, bolder crooks redeem miles for flights and then sell the travel on websites, often at huge discounts. See a flight going for half what it’s worth and that’s a red flag for trouble ahead.
How do thieves get most of their stolen miles? Generally by breaking into individual accounts. Either they already have your user name and password – typically a pair leaked in some other company’s breach, which works whenever you reuse a password – or they point a bot at the login page and let it try username after username, password after password, until something sticks. It sounds labor intensive but it is almost entirely automated now, and the bot does not care whether the account it lands in is yours or the next person’s.
Loyalty programs now are in a fast track mode to contain fraud. According to Maritz’ Kirk, “Until very recently, program fraud was only discussed in hushed tones or dismissed as a non-issue. Now all major loyalty agencies proudly promote their fraud protection tools and process.”
Even so, the burden is on you. The miles and points are yours and that also means they are yours to safeguard.
How? That’s easy. Comparitech offered a number of tips, including:
“Shred your boarding pass after a flight.
Never post a photo of your boarding pass online.
Use a strong and unique password for your frequent flyer account.
Monitor your account for suspicious activity.”
The last is crucial. Make it a habit to stop into your loyalty accounts at least monthly.
And also make it a habit to change your passwords occasionally, certainly yearly.
One last bit of advice: just don’t use public wifi to access your loyalty accounts. Of course it’s tempting when you are sitting at the airport to put the time to use surfing your airline and hotel websites. Don’t. At least don’t on public wifi. Use a cellphone hotspot instead.
It’s up to you to protect your miles. Know that and do it.
By Robert McGarvey
Talk with credit union AML/BSA staffers as well as senior executives and you will hear a torrent of woe is me complaining about rising workloads, intransigent regulators, too tight budgets, and inadequate resources.
And then there is a new report from Aite Group’s Julie Conroy – based on extensive interviews with over 40 BSA/AML experts – and the title tells you the theme: The AML of Tomorrow: Here Today.
In the second paragraph Conroy puts out the good news: “Advanced technologies such as machine learning, robotic process automation (RPA), and natural language processing and generation are helping to even the playing field by enhancing both detection and operational efficiency. The even better news: Regulators are gradually growing comfortable with the use of these advanced technologies for AML.”
Read that again. What she is insisting is that financial institutions now have access to technologies that will let them keep pace with – maybe get a step ahead of – criminals who want to launder money.
The stakes are high. Two credit unions in the past decade have effectively been put out of business because of AML deficiencies – Bethex and North Dade.
No credit union wants to be linked with money laundering. But, frankly, trying to keep up with this with a small staff who are doing everything by hand is a loser’s tactic.
How much money is laundered annually? Nobody knows. The United Nations has estimated it’s somewhere between $800 billion and $2 trillion. The high end is about the GDP of Brazil and more than Italy’s. That’s a lot of money in motion and, accordingly, you have to assume that the people who have put it in motion are savvy, wily, and of course know exactly the defenses used by banks and credit unions.
Accordingly, FIs are spending a lot to defend themselves – much of it on payroll. Conroy cited a report from the Clearing House that estimated that major US FIs spent $8 billion on compliance in 2017. She also noted that one large US FI interviewed for her report employed more than 5000 in compliance and “can’t hire fast enough.”
All those workers push out an avalanche of SARs. In 2013 they filed 1.22 million. By 2017 that rose to 2.03 million.
Conroy also pointed to a numerical disconnect that frustrates AML workers and their bosses. “The fact remains that there are on average only 1,200 money-laundering-related convictions per year in the U.S., compared with over 1 million SARs filed per year.”
In other words: is all the work really worth the effort and expense?
It gets worse. In many institutions, said Conroy, business line execs grumble that AML teams are “hassling” their customers, making it harder to do the business that brings in money to the FI. AML, in many institutions, is seen as a nuisance that wastes money while making it harder to make money.
Wrote Conroy: “All of this points to the need for the AML function to find technology that enables precise detection while minimizing false positive noise.”
She continued: “The trifecta of increasing criminal sophistication, a steady increase in regulatory expectations, and under-resourced AML departments are bringing AML efforts to a breaking point. As a result, financial services firms are beginning to embrace technologies such as machine learning, RPA [robotic process automation], and natural language processing and generation.”
“Today’s AML function can no longer rely on legions of AML analysts, investigators, and rules-based automation. The use of advanced technologies is needed to aid AML departments in the gathering, filtering, and meaningful assessment of data from multiple sources in multiple formats.”
That prescription puts fear in the hearts of many credit union leaders – they worry about the costs and also the complexities of advanced technologies.
But Conroy has this absolutely right. The only way to stay ahead the AML wars is with technology that can automate much detection and even reporting. There just aren’t enough AML staffers to be hired and so they get paid ever more.
But – and this is crucial – many of them are burning out, even quitting.
The machines won’t quit on you.
What should your next step be?
In her report Conroy reviews the many technology options out there. Get the report, read her reviews.
And then what? Her advice is simple: accept that you can’t wait, delay is not an option.
She added: “Try starting small. Cloud-based solutions can be implemented in modules that wrap around or interact with legacy systems to improve performance without a ‘rip and replace’ scenario. In this way, FIs can address the most pressing system deficiencies relatively quickly with less impact to budget and IT resources.”
It’s good advice.
Just don’t wait.
By Robert McGarvey
Highly regarded security researcher Brian Krebs has published a bombshell report that maintains a flaw in some Fiserv banking technology leaves customer data potentially exposed to criminals.
Krebs does not finger credit unions that may have fallen victim to this but there is no reason to think some aren’t.
Krebs credited the flaw discovery to independent security researcher Kristian Erik Hermansen, who noticed that when he set up an alert on his bank account, the alert was assigned a sequential event number. So Hermansen, on a hunch, requested an event number one digit different from his own, and the site served it up without checking that the alert belonged to him. This matters because, said Krebs, “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”
That means a criminal could add his email address to the account and get alerts on, for instance, all transactions.
Krebs also noted that a criminal could hunt for customers who had set up low-balance alerts – notify me if the balance drops below $5,000, say. That tells the crook exactly how much he can drain without tripping the alert: everything above $5,000, with a fair chance of going undetected for some time.
Krebs said he personally signed up for accounts at two small banks that use Fiserv. Here’s what he found: “In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request.”
He said he found “hundreds” more banks with similar vulnerabilities.
Krebs told Fiserv what he had discovered. The company responded this way: “Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”
Cave elaborated to Credit Union Times: “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”
There is no count of the number of websites impacted by this flaw.
Any credit union running a Fiserv core and/or online banking ought to quickly contact Fiserv and confirm the patch has actually been applied to its systems – hosted and in-house alike. And – above all else – check your own systems. The test is simple: using two test accounts you control, set an alert on one, note the event number the site assigns, and try to read it from the other account by altering a digit in the request. Do this against your own test accounts only, never against a real member’s record.
If you can, take action.
Krebs said that, in his inspection, the Fiserv patch in fact works. “This author confirmed that Fiserv no longer shows a sequential event number in their banking sites and has replaced them with a pseudo-random string.” One caveat worth keeping in mind: an unguessable identifier raises the cost of enumerating other customers’ alerts, but the underlying defect was that the server never checked whether the requesting user owned the alert it was handing back. The random string is not a substitute for that ownership check; a patched site should have both.
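What Hermansen found is a textbook insecure direct object reference: the server trusts a client-supplied record number and never asks whether the logged-in user owns that record. The snippet below is an added example, not Fiserv’s code or data model, that puts the flawed lookup next to a fixed one, generates the kind of unguessable identifier Krebs saw in the patched sites, and includes the adjacent-ID probe a bank or credit union can run against two test accounts it controls. The alert records, customer names and event numbers are all constructed for the example.

```python
import secrets

# Constructed records, not Fiserv's data model: two customers' balance alerts keyed by a
# sequential event number. Ownership is stored with each record; the vulnerable handler
# simply never looks at it.
ALERTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "phone": "555-0101",
           "account": "12345678", "low_balance_below": 5000},
    1002: {"owner": "bob", "email": "bob@example.com", "phone": "555-0102",
           "account": "87654321", "low_balance_below": 2000},
}


class Forbidden(Exception):
    """Raised when the session user may not see the requested record."""


def get_alert_vulnerable(session_user, event_id):
    # The flaw as described: look up whatever event number the client sent and return
    # it. Any logged-in user who changes one digit sees, and could edit, another
    # customer's alert, email address, phone number and account number.
    return ALERTS.get(event_id)


def get_alert_fixed(session_user, event_id):
    # The real fix is an ownership check on every access. "Not yours" and "does not
    # exist" get the same answer, so the endpoint cannot be used to map which IDs exist.
    rec = ALERTS.get(event_id)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden()
    return rec


def new_event_id():
    # What Krebs observed on the patched sites: an unguessable identifier in place of a
    # counter. It makes neighbours impossible to guess but is not a substitute for the
    # ownership check above; a fixed site should have both.
    return secrets.token_urlsafe(16)


def probe_adjacent_ids(handler, session_user, own_id, span=3):
    """The check an institution can run against its own test accounts: log in as one
    test user, take that user's own event number, and request the neighbours. Returns
    the IDs that yielded someone else's record. Run this only against accounts you
    control, never against a real customer's data."""
    leaked = []
    for offset in range(-span, span + 1):
        if offset == 0:
            continue
        try:
            rec = handler(session_user, own_id + offset)
        except Forbidden:
            continue
        if rec is not None and rec["owner"] != session_user:
            leaked.append(own_id + offset)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe_adjacent_ids(get_alert_vulnerable, "alice", 1001))  # [1002]
    print("fixed:     ", probe_adjacent_ids(get_alert_fixed, "alice", 1001))       # []
    print("random id: ", new_event_id())
```

Run the probe against the vulnerable handler as alice and it returns bob’s event number; against the fixed handler it returns nothing, because every foreign or nonexistent ID comes back as the same refusal. That second property matters as much as the ownership check itself: a site that answers “not found” for missing IDs and “forbidden” for other customers’ IDs still tells an attacker which records exist.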
But Fiserv is not blowing trumpets to announce the patch or the flaw.
A scan of Fiserv’s Twitter feed found no mention of the flaw or Krebs’ reporting or the purported patch.
There’s silence over at Facebook too.
Julie Conroy of Aite told Krebs this about Fiserv’s customers: “These financial institutions use a core banking provider like Fiserv because they don’t have the wherewithal to do it on their own, so they’re really trusting Fiserv to do this on their behalf,” Conroy said. “This will not only reflect on Fiserv’s brand, but also it will impact customer’s perception about their small local bank, which is already struggling to compete with the larger, nationwide institutions.”
What she is saying is that big banks – that ordinarily don’t buy off the shelf technology from a Fiserv – may have a competitive advantage because they build their own.
I’m not sure that is true – I doubt most consumers have a clue as to whether their bank or credit union technology is off the shelf or bespoke.
But Conroy is right: in some ways the big banks keep expanding their technology lead over small institutions. That does not have to be the case. A smart credit union can use fintech alliances to create an institution that is the rival of even the most polished money center banks.
But the credit union has to want to get there.
And a necessary first step is cleaning up that Fiserv mess if your institution is a victim. Do it now.
By Robert McGarvey
Ask a senior credit union executive what’s new at his/her institution in regard to anti money laundering (AML), Patriot Act, and Bank Secrecy Act initiatives and the reality is that you will have a longer and friendlier conversation if you asked about his/her last colonoscopy.
Yes, it’s that bad.
And that’s despite the reality that a credit union can be shut down if it grievously botches its BSA and AML analysis.
Buckle up because in December 2016 FinCEN issued a press release where it announced a $500,000 fine against a credit union named Bethex in the Bronx.
Bethex has assets of under $13 million.
They were folded into USALLIANCE, a Rye NY credit union. Bethex was no more.
FinCEN outlined Bethex’s sins: “In 2011, Bethex began providing banking services to many wholesale, commercial money services businesses (MSBs). Many of these MSBs were located in high-risk jurisdictions outside New York and engaged in high-risk activity, including wiring millions of dollars per month to countries at risk for money laundering. When Bethex began to service these MSBs, it did not take steps to update its AML programs.”
“Among other violations, Bethex failed to timely detect and report suspicious activity to FinCEN and did not file any Suspicious Activity Reports (SARs) from 2008 through 2011. In 2013, as a result of a mandated review of previous transactions, it late-filed 28 SARs. The majority of the suspicious activity involved high-volume, large amount transfers outside of Bethex’s expected customer base by MSBs capable of exploiting Bethex’s AML weaknesses. Most of those SARs were inadequate and contained short, vague narratives encompassing a broad summary of multiple and unrelated instances of suspicious activity. For example, one SAR covered over $906 million in total aggregate of suspicious transactions, but provided little information useful to law enforcement investigators.”
In 2015, North Dade – a small Florida credit union – was effectively put out of business because of AML and BSA violations. In 2013, tiny North Dade moved over $1 billion in wires, often overseas. According to FinCEN: “When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” said FinCEN Director Jennifer Shasky Calvery. “This case raises pretty obvious questions that no one seems to have asked. Why would MSBs located all over the world choose a small Florida credit union to conduct close to $2 billion in transactions? Credit unions pride themselves on close and low-risk relationships with known neighborhood customers. However, North Dade welcomed customers far beyond its field of membership, without adequate policies and procedures to ensure AML compliance.”
Face this reality: the big banks have big teams in place to handle BSA, AML, etc. They also have invested – heavily in many cases – in automation that takes a lot of the heavy lifting out of compliance. Machines do the work.
Credit unions – especially the vast majority with assets under $1 billion – generally have not invested in automation for compliance. “There are case management systems that are good. They can be expensive for a small FI. A lot of bigger banks are using robotics to get screenshots of bank statements and so on – an analyst doesn’t have to spend an hour collecting it. Only the biggest banks are doing this,” said Alma Angotti, managing director in the Global Investigations & Compliance practice of management consulting firm Navigant Consulting, Inc.
Another issue that many small financial institutions now face: “Many employees in compliance are burning out,” said John Podvin, a Dallas lawyer well known in BSA circles. He added: “There are people in BSA who are asking themselves, do I want to be second guessed all the time. Some are leaving the field.”
A reality in BSA/AML is that the easier course is to file a SAR (suspicious activity report – the document that flags an action for possible investigation by law enforcement). Do that and a financial institution probably has satisfied its regulators. “There is no downside to filing,” said Angotti.
Where the credit union may find itself in a pothole is when it does not file a SAR. In that case the credit union needs to justify why it did not file – and an examiner may well challenge the credit union.
And that means many more hours get invested in explaining and justifying decisions. Said Podvin: “There are increasing expectations from examiners – that’s the biggest problem now.”
“It’s one thing for a big bank with a staff of several hundred working in compliance. It’s different for a community bank.”
Or credit union.
A result is that slender compliance staffs may be worn down in many small credit unions.
Another barrier at credit unions: there may be “competition for scarce IT resources,” said Angotti. Doing BSA/AML research is computer intensive and, at least at smaller institutions, there may be a battle for resources and ask yourself this: who will win if the fight is between marketing, which needs IT resources to power a new campaign that may bring in lots of new members, and compliance which wants to research possibly suspicious activity by members?
It’s a fight that compliance usually does not win.
Don’t expect BSA/AML workloads to magically lighten.
Possible light at this tunnel’s end, said Podvin, is a federal effort to streamline some BSA/AML compliance. He pointed to pending legislation, HR 6068, as offering hope to financial institutions. The aim of the bill, in its own words, is to “reduce regulatory burdens, and ensure that the information provided is of a ‘high degree of usefulness’ to law enforcement.”
Don’t count on relief until a bill is signed into law.
Meantime, good advice for top credit union management is keep your ear to the ground and ask – and ask again – your BSA and AML teams what issues they are facing and what resources they need to do their jobs better and smarter.
No credit union CEO wants to increase the budget for compliance work.
But no credit union CEO wants his/her institution to go the way of Bethex.
That makes the choice easier.
By Robert McGarvey
It’s about time: travel providers, at least the big ones, now are edging into an embrace of the payments revolution that in the past half dozen years has given us contactless payments, mobile payments such as Apple Pay and Google Pay, and EMV chip cards.
Reports Pymnts in a recently published report “Travel Payments Study:” “More than two decades after PayPal was founded, and four years since the launch of Apple Pay, the travel industry is taking its first cautious steps into its own payments revolution.”
The staggering reality is that travel has been under assault by hackers for at least a decade – it numbers among the most attacked verticals in the Verizon Data Breach Investigations Report. Just converting to EMV at gift shops, bars and restaurants at hotels would put a serious crimp in hacker styles, because a chip transaction does not hand the terminal a reusable card number the way a magnetic-stripe swipe does, but hoteliers are among the slowest to move into the new technologies.
Taking Apple Pay at check in would also be a boon to guest data security.
A peculiar irony is that credit card data insecurities may be a reason why travel providers have not innovated. Said Pymnts: “At 78 percent, consumer data security was, by far, the most-cited inhibitor to payments innovation. Following that was credit card data security imperatives, at 74 percent, which were listed as either ‘very’ or ‘extremely’ inhibiting. Incurred fraud losses came third, cited by 64 percent of respondents.”
Except now Pymnts reports that changes are coming.
It’s not your imagination that travel providers have been notorious laggards. Says Pymnts: “PYMNTS’ most recent research revealed that just 15 percent of all travel companies have attempted new payments innovations over the last three years, let alone those that succeeded in implementing them.”
Just 15%. Wow. This has been a span of feverish innovation, at least when viewed from the stodgy perspective of bankers. And travel has sat it out.
Operating internationally and a broad industry dependence on third party payments processing services are cited among the reasons for delays in adoption of payments innovations.
Guests, too, have not insisted on innovations. Consider: most of us still, docilely, hand over a credit card in a restaurant, the server vanishes, and a few minutes later a receipt comes at us. I cannot remember the last time I saw that at a restaurant in Europe, where servers – for at least 15 years in my recollection – have been equipped with miniature credit card processing gadgets that also print out a receipt, all in your plain view.
You just have to wince when you hand over a credit card at a hotel because the data just has been so insecure. But a big driver for payments innovation – maybe the biggest – has been enhanced security.
And still travel providers stayed on the sidelines.
That’s changing. According to Pymnts, about 80% of travel providers plan payments innovations in the next three years.
14% say they plan to roll out “a lot” of innovations.
Just 5% say they have nothing in the hopper.
What’s prompting travel providers to invest in payment innovations? 91% pointed to customer suggestions as a prod – meaning our grumbles have been heard. 83% also said they had lost customers because they hadn’t innovated.
Reported Pymnts: “The demand for new payment methods isn’t being driven by companies looking to cut costs or boost efficacy, though, but by consumers in search of a more convenient and compelling payment experience.”
Travel providers also expect that although innovations have price tags, they may wind up actually saving money. Reported Pymnts: “We asked respondents whether they believed the financial gains to be had from payments innovations would outweigh the costs, and an impressive 96 percent of the sample had a positive outlook. These companies believe that the revenue gained would outweigh its costs, that innovation would have no effect on costs or that it would actually decrease costs.”
Large companies are much more optimistic about cost reductions than are small – and travel remains a business where there are many small players: travel agents, independent hotels, independent restaurants, local destination marketing companies, etc.
Big players also see payments innovations as a way to drive down their payments processing costs – and probably they are right.
Should we in fact be optimistic that payments innovations are in fact coming – and that we’ll see more travel providers accepting Apple Pay et al., installing EMV card readers, and – dare we hope – equipping servers in restaurants with portable reader/printers?
Just maybe we can expect to see all this. Said Pymnts: “One thing is clear, though: Travel companies must invest in improving their payments structures if they want to maintain a competitive edge.”
My advice: grumble about the absence of current payments technology when checking in, when paying in a bar, when paying in a restaurant. Our grumbles do matter – the research underlines – so keep it up. And just maybe more travel providers will roll out contemporary payments tools.
By Robert McGarvey
The 2018 Verizon Data Breach Investigations Report has terrifying news for hotel guests.
For some years I have written about how porous hotel data and credit card security are. Loyalty programs, hotel restaurants, and more are under continuing assault by cyber criminals. I have urged people not to use hotel wifi and not to use debit cards at hotels (they have poorer protection under federal law than do credit cards). It’s a jungle out there and, in hotels, we travelers are the gazelles.
We need to really toughen our defenses – more on that below.
Start first with just how treacherous hotels are for us. A chilling PDF of info about hotel data breaches – data culled from the Verizon report – is available via HotelNewsNow. Download it.
It makes for disturbing reading.
There should be no surprises here. Hotels attract guests with money – definitionally. There’s no real point in hacking into a Skid Row flophouse. A 4 star hotel is a different matter.
Per Verizon, hotels are much more likely than most businesses to be a target. As Willy Sutton is said to have exclaimed when asked why he robbed banks, that’s where they keep the money. Hotels aren’t banks but they are tasty targets nonetheless.
Hotels also have demonstrated a long running lack of seriousness about mounting real cyber defenses. Why? This is expensive stuff, it requires highly skilled personnel (more expenses), hotels typically have many systems running and thus many points of vulnerability (from the gift shop to loyalty programs) and, well, so far we – the hotel guests – have shrugged off the industry’s vulnerabilities.
There were 338 reported incidents involving hotels tallied in the most recent Verizon report. Don’t assume that is a complete count. That’s because, according to Verizon, 68% of the breaches took months or longer to detect – and maybe some still haven’t been detected.
More factoids in the study: 93% of incidents involved hacking and 93% focused on payment information. 99% of attackers were financially motivated.
50% of the breaches involved organized criminal gangs.
87% of the breaches took a minute or less.
Bottomline: Don’t trust hotels to protect you. Just don’t.
What can a business traveler do? Standard advice from security professionals to executives visiting countries where eavesdropping is the norm is to bring a “clean” electronic device – a new Chromebook, under $200, is a good choice. Reserve it for travel use, put no personal information on it, and never log into a significant website from it (which includes an email server, a company data server, really anything that involves a password).
Sure, that nullifies a lot of the reason for bringing a computer on a trip. But at least you’ll know you are safe.
I now advise many domestic travelers to follow this advice.
Do that particularly if you plan to use hotel wifi because you have to view hotel wifi as potentially compromised.
An alternative: always use your phone to create a personal hotspot and let it power your Internet connections. Yes, there are (small) costs involved – $10 per gig via Project Fi which is what I use. But the cellular data connection is significantly more secure than is hotel wifi.
The drawback to cellular is that – usually – it runs slower than a decent hotel wifi connection. Sure, some hotel wifi networks are dreadful but lately I am finding many offer adequate speeds.
And some employers just don’t want to pay data bills for their business travelers which is another reason to use the wifi.
But I do use my own computer with a cellular hotspot and have had no security lapses.
Want more security but using hotel wifi? Many travelers swear by VPN – virtual private networks – but typically they offer slower speeds and costs ordinarily are involved. There also are reports that slick Russian hackers know how to penetrate at least some VPN connections.
Still – VPN is a lot better than using the naked hotel wifi when accessing email, files, etc.
I have also lately been playing with a secure, cloud-based browser called Silo that, for nominal charges (fees start at $100/year), provides you with a special browser you install on your computer. You browse anonymously, and if you encounter malware, it downloads not to your computer but to Silo’s. What most impresses me about Silo is that in my tests it runs about as fast as Chrome. And it delivers much more safety than do the standard browsers.
Which proves the point: you can continue to use your own computer and visit the secure sites you want to visit (such as email) using hotel wifi if you install special, high security browsers.
Less won’t work. Use VPN. Or a special security browser. Or a clean computer.
Hotels are danger zones for business travelers. Accept that as a reality in the Verizon research.
Accept also that airport public wifi is radically unsafe.
Accept that it’s up to you to protect yourself.
And take the necessary steps.
By Robert McGarvey
All of us are atwitter about perceived loss of privacy when it comes to the acres of our thoughts, photos, outbursts that we have posted to Facebook and which, apparently, could be harvested by third party buyers.
But just maybe business travelers have a much bigger worry that should consume them: the safety of their personal data that is in the hands of the hotels where we sleep.
“Bigger?” Yes, definitely.
And that is not to minimize the size of the Facebook mess. If you want to see how to check what data Facebook has on you – just about everything you’ve done since you signed up – and with whom it has shared much of it – just about anything with a checkbook – read Brian Chen’s NYTimes piece on this. It’s quite easy to check and, in my case, I got my file from Facebook literally a few minutes after requesting it. I’m not a terribly prolific Facebooker – your mileage may vary. Did I see anything that made me sick? Nope, but I have always been prudent about what I posted to Facebook, mainly because I understood that the business model of the free Internet services is to harvest user data and sell it to marketers and fellow travelers. That is baked in. I am not sure there is a way around it. (Read my 2000 interview in MIT’s Technology Review with Google’s founders.)
Back to your hotel worry. Hotel lawyer Jim Butler wrote this: “Protecting guests’ information (and employees’ information) from hackers is one of the biggest business challenges faced by hotel owners today.”
Traditionally the focus has been on theft by hackers of information involving credit and debit cards used at hotels – and bars, restaurants and gift shops have been notoriously porous, so have loyalty programs – but what if the bigger concern is, well, your private info?
You check into the hotel. You watch four hours of porn (maybe there’s a Stormy Daniels festival?). Drain the minibar’s Scotch. Get in a loud, verbal argument with security over the volume of your TV. Maybe you go full gonzo and use the in-room phone to call up a local escort service for a little company.
Okay, that’s not you, nor me, but I have known business travelers who have done pretty much all of the above.
Here’s the rub: a good hotelier gets good by noting and collecting guest preferences. I have a friend who told me he swore by Four Seasons because he personally dotes on very soft pillows, hates wool anything, and doesn’t like a bed covered with decorative pillows. Apparently Four Seasons noted his interests because as he traveled from city to city whatever Four Seasons he checked into knew his preferences and of course if he were forced into, say, a Ritz Carlton, they didn’t. And he grumbled accordingly.
Just how safe is that kind of data? Could clever hackers find it?
All that kind of data is what data scientists call big data. And big data has emerged as a key to delivering us the personalized services we want without us having to ask.
Understand: credit card data falls under specific federal guidelines. It has to be handled with deliberate care.
That’s not necessarily so regarding guest preference data – big data – and a lot of it is not encrypted, not put under a meaningful lock and key.
Front Desk Anywhere, in a blog post, noted: “For too long, the hotel sector has been viewed as a soft target by hackers seeking to steal guest data. While some hoteliers take guest data security seriously, there are still too many operators using inadequate technology and processes to fully protect data.”
Some hotel groups in fact promise to do a good job protecting your data. Here’s the Accor policy: “Confidentiality and security: We will ensure reasonable technical and organizational measures are in place to protect your personal data against alteration or accidental or unlawful loss, or unauthorized use, disclosure or access.”
Word of caution: ask at the hotels where you stay what the policies are regarding guest preference data storage. Be clear: we are not talking about credit cards. We’re talking about bedding and the many other little things that, when they are done our way, make a hotel stay much more comfortable.
The EU, incidentally, has a get-tough attitude about data privacy. Many companies that do business in Europe say they have brought those policies here. And maybe some actually have.
If you have doubts about your data, ask and keep asking.
Personally, I want hotels where I stay often to remember me and to provide my preferences unasked. That’s what great hoteliers have always done and today’s big data tools make it easier to collect and share the random bits of information that shape who we are as a hotel guest.
I am all for that, when the data are shared within the hotels where I frequently bunk.
I just don’t want hackers to know what kind of pillows I like.
By Robert McGarvey
The ACLU has now filed suit against TSA, claiming that agents are searching the devices of domestic travelers.
“Domestic” is the key word. For some years, the US government – along with many foreign governments – has searched devices owned by international travelers. That’s handled by US Customs and Border Patrol agents and, in 2017, searches were in fact up 60% from 2016.
But the total number of searches in 2017 hit only 30,200. Customs, by the way, has a clear right to search such devices – only diplomats are excepted – and it can search people arriving or departing, US citizens as well as foreign nationals.
About 80% of searches are on devices of non-US citizens.
And, really, not many people are searched: 0.0007 of international travelers in 2017.
Domestic travel searches of devices are an entirely different matter.
And I know many very senior executives who sometimes travel with highly confidential documents – pertaining to merger and acquisition targets, for example – who would freak out if they feared their documents might have been scanned in a TSA search. And maybe they could have been.
There’s a lot we just don’t know about domestic data searches.
For what it’s worth, TSA denies it conducts searches: “TSA does not search the contents of electronic devices,” a TSA executive told The Guardian.
ACLU has a different perspective. “We’ve received reports of passengers on purely domestic flights having their phones and laptops searched, and the takeaway is that TSA has been taking these items from people without providing any reason why,” staff attorney Vasudha Talla told the Guardian.
One fact: I personally don’t give much of a hoot if TSA wants to search my devices. Not personally. But I do care a great deal if civil liberties are trampled upon and, per the ACLU, that’s exactly what is occurring.
The ACLU staff lawyer, in a press statement, elaborated: “TSA is searching the electronic devices of domestic passengers, but without offering any reason for the search,” said Talla. “We don’t know why the government is singling out some passengers, and we don’t know what exactly TSA is searching on the devices. Our phones and laptops contain very personal information, and the federal government should not be digging through our digital data without a warrant.”
As far back as July 2017, TSA in fact did issue some details in a press statement: “As new procedures are phased in, TSA officers will begin to ask travelers to remove electronics larger than a cell phone from their carry-on bags and place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image.”
Notice the phrase: “similar to how laptops have been screened for years.” I recall the days when, occasionally, TSA would ask a traveler to remove a laptop from a bag and boot it up. I recall sidelining a computer with a bad battery because it couldn’t reliably perform that chore. I doubtless grumbled…but it didn’t bother me particularly.
What about today? And the apparent entry of TSA into device data searches? The ACLU suit fingers the hottest button: “the federal government’s policies on searching electronic devices of domestic air passengers remains shrouded in secrecy.”
Thus the ACLU suit.
ACLU, by the way, said it had previously filed Freedom of Information Act demands for data from TSA but the agency had ignored those filings.
The US Customs and Border Protection has issued a detailed, 12-page report on its search of devices of international travelers. It’s extensive and if you have questions, probably the answers are in this January 2018 document.
TSA, by contrast, is opaque. Per the ACLU suit: “TSA has not made publicly available any policies or procedures governing searches of electronic devices, especially those held by passengers engaged in purely domestic air travel. As such, the public is unaware of the legal basis for TSA’s searches of electronic devices of passengers not presenting themselves at the border and flying on a domestic flight. Further, the public is unaware of TSA’s policies and procedures for advanced or forensic searches, in which external equipment is used to search, examine, or extract data from passengers’ electronic devices and SIM cards. And the public has no knowledge of TSA’s policies and procedures relating to seizure of electronic devices, retention or destruction of data resident on those devices, or use of the device to access data held on a ‘cloud’ or elsewhere.”
Question: if you have a confidential document, how can you shield it from TSA? I’m guessing if it resides in the cloud, not on the device, you might be good to go. But that’s just a guess.
There’s just a lot savvy business travelers need to know to keep organizational secrets safe – and right now we just don’t know all we need to know to make shrewd decisions. Maybe the ACLU suit will shed the light that’s needed.
At least we can hope.