Hotel Data Breaches and You: Welcome to Anxiety


By Robert McGarvey


The 2018 Verizon Data Breach Investigations Report has terrifying news for hotel guests.  

For some years I have written about how porous hotel data and credit card security are.  Loyalty programs, hotel restaurants, and more are under continuing assault by cyber criminals.  I have urged people not to use hotel wifi and not to use debit cards at hotels (they have poorer protection under federal law than do credit cards).  It’s a jungle out there and, in hotels, we travelers are the gazelles.

We need to really toughen our defenses – more on that below.

Start first with just how treacherous hotels are for us. A chilling PDF of info about hotel data breaches – data culled from the Verizon report – is available via HotelNewsNow.  Download it.

It makes for disturbing reading.

There should be no surprises here.  Hotels attract guests with money – definitionally.  There’s no real point in hacking into a Skid Row flophouse.  A 4 star hotel is a different matter.

Per Verizon, hotels are much more likely than most businesses to be a target. As Willy Sutton is said to have exclaimed when asked why he robbed banks, that’s where they keep the money. Hotels aren’t banks but they are tasty targets nonetheless.

Hotels also have demonstrated a long-running lack of seriousness about mounting real cyber defenses.  Why? This is expensive stuff, it requires highly skilled personnel (more expenses), hotels typically have many systems running and thus many points of vulnerability (from the gift shop to loyalty programs) and, well, so far we – the hotel guests – have shrugged off the industry’s vulnerabilities.

There were 338 reported incidents involving hotels tallied in the most recent Verizon report.  Don’t assume that is a complete count. That’s because, according to Verizon, 68% of the breaches took months or longer to detect – and maybe some still haven’t been detected.  

More factoids in the study: 93% of incidents involved hacking and 93% focused on payment information. 99% of attackers were financially motivated.

50% of the breaches involved organized criminal gangs.  

87% of the breaches took a minute or less.

Bottom line: Don’t trust hotels to protect you.  Just don’t.

What can a business traveler do?  Standard advice from security professionals to executives visiting countries where eavesdropping is the norm is to bring a “clean” electronic device – a new Chromebook (under $200) is a good choice.  Reserve it for travel use, put no personal information on it, and never log into a significant website (which includes an email server, a company data server, really anything that involves a password).

Sure, that nullifies a lot of the reason for bringing a computer on a trip. But at least you’ll know you are safe.

I now advise many domestic travelers to follow this advice.

Do that particularly if you plan to use hotel wifi because you have to view hotel wifi as potentially compromised.  

An alternative: always use your phone to create a personal hotspot and let it power your Internet connections.  Yes, there are (small) costs involved – $10 per gig via Project Fi which is what I use. But the cellular data connection is significantly more secure than is hotel wifi.

The drawback to cellular is that – usually – it runs slower than a decent hotel wifi connection.  Sure, some hotel wifi networks are dreadful but lately I am finding many offer adequate speeds.

And some employers just don’t want to pay data bills for their business travelers which is another reason to use the wifi.

But I do use my own computer with a cellular hotspot and have had no security lapses.

Want more security but using hotel wifi? Many travelers swear by VPN – virtual private networks – but typically they offer slower speeds and costs ordinarily are involved.  There also are reports that slick Russian hackers know how to penetrate at least some VPN connections.

Still – VPN is a lot better than using the naked hotel wifi when accessing email, files, etc.

I have also lately been playing with a secure, cloud-based browser called Silo that, for nominal charges (fees start at $100/year), provides you with a special browser you install on your computer.  You browse anonymously, and if you encounter malware, it downloads not to your computer but to Silo’s. What most impresses me about Silo is that in my tests it runs about as fast as Chrome. And it delivers much more safety than do the standard browsers.

Which proves the point: you can continue to use your own computer and visit the secure sites you want to visit (such as email) using hotel wifi if you install special, high security browsers.

Less won’t work.  Use VPN. Or a special security browser. Or a clean computer. 

Hotels are danger zones for business travelers.  Accept that as a reality in the Verizon research.

Accept also that airport public wifi is radically unsafe.

Accept that it’s up to you to protect yourself.

And take the necessary steps.

How Safe Is Your Personal Data at Your Favorite Hotel?


By Robert McGarvey


All of us are atwitter about perceived loss of privacy when it comes to the acres of our thoughts, photos, outbursts that we have posted to Facebook and which, apparently, could be harvested by third party buyers.  

But just maybe business travelers have a much bigger worry that should consume them: the safety of their personal data that is in the hands of the hotels where we sleep.

“Bigger?” Yes, definitely.

And that is not to minimize the size of the Facebook mess.  If you want to see how to check what data Facebook has on you – just about everything you’ve done since you signed up – and with whom it has shared much of it – just about anything with a checkbook – read Brian Chen’s NYTimes piece on this.  It’s quite easy to check and, in my case, I got my file from Facebook literally a few minutes after requesting it.  I’m not a terribly prolific Facebooker – your mileage may vary. Did I see anything that made me sick? Nope, but I have always been prudent about what I posted to Facebook, mainly because I understood that the business model of the free Internet services is to harvest user data and sell it to marketers and fellow travelers.  That is baked in. I am not sure there is a way around it. (Read my 2000 interview in MIT’s Technology Review with Google’s founders.)

Back to your hotel worry. Hotel lawyer Jim Butler wrote this: “Protecting guests’ information (and employees’ information) from hackers is one of the biggest business challenges faced by hotel owners today.”

Hotel breaches have been epidemic in recent years.  Here are many accounts.  

Traditionally the focus has been on theft by hackers of information involving credit and debit cards used at hotels – and bars, restaurants and gift shops have been notoriously porous, as have loyalty programs – but what if the bigger concern is, well, your private info?

You check into the hotel.  You watch four hours of porn (maybe there’s a Stormy Daniels festival?). Drain the minibar’s Scotch.  Get in a loud, verbal argument with security over the volume of your TV. Maybe you go full gonzo and use the in-room phone to call up a local escort service for a little company.

Okay, that’s not you, nor me, but I have known business travelers who have done pretty much all of the above.

Here’s the rub: a good hotelier gets good by noting and collecting guest preferences.  I have a friend who told me he swore by Four Seasons because he personally dotes on very soft pillows, hates wool anything, and doesn’t like a bed covered with decorative pillows. Apparently Four Seasons noted his interests because as he traveled from city to city whatever Four Seasons he checked into knew his preferences and of course if he were forced into, say, a Ritz Carlton, they didn’t. And he grumbled accordingly.

Just how safe is that kind of data?  Could clever hackers find it?

All that kind of data is what data scientists call big data. And big data has emerged as a key to delivering us the personalized services we want without us having to ask.

Understand: credit card data falls under specific federal guidelines. It has to be handled with deliberate care.

That’s not necessarily so regarding guest preference data – big data – and a lot of it is not encrypted, not put under a meaningful lock and key.

Front Desk Anywhere, in a blog post, noted: “For too long, the hotel sector has been viewed as a soft target by hackers seeking to steal guest data. While some hoteliers take guest data security seriously, there are still too many operators using inadequate technology and processes to fully protect data.”

Some hotel groups in fact promise to do a good job protecting your data. Here’s the Accor policy: “Confidentiality and security: We will ensure reasonable technical and organizational measures are in place to protect your personal data against alteration or accidental or unlawful loss, or unauthorized use, disclosure or access.”

Word of caution: ask at the hotels where you stay what the policies are regarding guest preference data storage.  Be clear: we are not talking about credit cards. We’re talking about bedding and the many other little things that, when they are done our way, make a hotel stay much more comfortable.

The EU, incidentally, has a get-tough attitude about data privacy.  Many companies that do business in Europe say they have brought those policies here.  And maybe some actually have.

If you have doubts about your data, ask and keep asking.

Personally, I want hotels where I stay often to remember me and to provide my preferences unasked. That’s what great hoteliers have always done and today’s big data tools make it easier to collect and share the random bits of information that shape who we are as a hotel guest.

I am all for that, when the data are shared within the hotels where I frequently bunk.

I just don’t want hackers to know what kind of pillows I like. 

Would you?


Will TSA Search The Content of Your Electronic Devices on Domestic Flights?


By Robert McGarvey


The ACLU has now filed suit against TSA, claiming that agents are searching the devices of domestic travelers.

“Domestic” is the key word.  For some years, the US government – along with many foreign governments – has searched devices owned by international travelers.    That’s handled by US Customs and Border Patrol agents and, in 2017, searches were in fact up 60% from 2016.

But the total number of searches in 2017 hit only 30,200.  Customs, by the way, has a clear right to search such devices – only diplomats are excepted – and it can search people arriving or departing, US citizens as well as foreign nationals.

About 80% of searches are on devices of non US citizens.

And, really, not many people are searched.  0.0007 of international travelers in 2017.

Domestic travel searches of devices are an entirely different matter.

And I know many very senior executives who sometimes travel with highly confidential documents – pertaining to merger and acquisition targets, for example – who would freak out if they feared their documents might have been scanned in a TSA search. And maybe they could have been.  

There’s a lot we just don’t know about domestic data searches.

For what it’s worth, TSA denies it conducts searches: “TSA does not search the contents of electronic devices,” a TSA executive told The Guardian.  

ACLU has a different perspective.  “We’ve received reports of passengers on purely domestic flights having their phones and laptops searched, and the takeaway is that TSA has been taking these items from people without providing any reason why,” staff attorney Vasudha Talla told the Guardian. 

One fact: I personally don’t give much of a hoot if TSA wants to search my devices. Not personally. But I do care a great deal if civil liberties are trampled upon and, per the ACLU, that’s exactly what is occurring.

The ACLU staff lawyer, in a press statement, elaborated: “TSA is searching the electronic devices of domestic passengers, but without offering any reason for the search,” said Talla. “We don’t know why the government is singling out some passengers, and we don’t know what exactly TSA is searching on the devices. Our phones and laptops contain very personal information, and the federal government should not be digging through our digital data without a warrant.”

As far back as July 2017, TSA in fact did issue some details in a press statement: “As new procedures are phased in, TSA officers will begin to ask travelers to remove electronics larger than a cell phone from their carry-on bags and place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image.”

Notice the phrase:  “similar to how laptops have been screened for years.”  I recall the days when, occasionally, TSA would ask a traveler to remove a laptop from a bag and boot it up. I recall sidelining a computer with a bad battery because it couldn’t reliably perform that chore.  I doubtless grumbled…but it didn’t bother me particularly.

What about today? And the apparent entry of TSA into device data searches? The ACLU suit fingers the hottest button: “the federal government’s policies on searching electronic devices of domestic air passengers remains shrouded in secrecy.”

Thus the ACLU suit.

ACLU, by the way, said it had previously filed Freedom of Information Act demands for data from TSA but the agency had ignored those filings.

The US Customs and Border Protection has issued a detailed, 12 page report on its search of devices of international travelers.  It’s extensive and if you have questions, probably the answers are in this January 2018 document.

TSA, by contrast, is opaque.  Per the ACLU suit: “TSA has not made publicly available any policies or procedures governing searches of electronic devices, especially those held by passengers engaged in purely domestic air travel. As such, the public is unaware of the legal basis for TSA’s searches of electronic devices of passengers not presenting themselves at the border and flying on a domestic flight. Further, the public is unaware of TSA’s policies and procedures for advanced or forensic searches, in which external equipment is used to search, examine, or extract data from passengers’ electronic devices and SIM cards. And the public has no knowledge of TSA’s policies and procedures relating to seizure of electronic devices, retention or destruction of data resident on those devices, or use of the device to access data held on a ‘cloud’ or elsewhere.”

Question: if you have a confidential document, how can you shield it from TSA? I’m guessing if it resides in the cloud, not on the device, you might be good to go. But that’s just a guess.

Question: do you need to start carrying sanitized devices on domestic flights? That’s been the advice of corporate security for international travelers for as long as I’ve covered the space.

There’s just a lot savvy business travelers need to know to keep organizational secrets safe – and right now we just don’t know all we need to know to make shrewd decisions.  Maybe the ACLU suit will shed the light that’s needed.

At least we can hope.


Choosing the Right Multi-Factor Authentication Tools for Your Credit Union


By Robert McGarvey


The multi-factor authentication tools your credit union implements may win you members – but the wrong ones just may cost you members while driving away mobile and online banking users.  It’s also very, very possible that soon authentication will become a key battleground in member retention.

That’s how important multi-factor authentication (aka MFA) has become in today’s financial services.

Passwords plainly are broken.  Between epidemic breaches – Equifax for instance – and rampant user laziness (such as using the same password at multiple sites), a password alone is not adequate protection for most accounts involving money.

Enter multi-factor authentication which, often, rides on top of a password. The password may be adequate for low value tasks but when bigger money is on the line, it’s time to bring out multi-factor to provide beefed up protection.

FFIEC provides interesting insights into the role of multi-factor authentication in financial institutions:  “A common example of two-factor authentication is found in most ATM transactions where the customer is required to provide something the user possesses (i.e., the card) and something the user knows (i.e., the PIN). Single factor authentication alone may not be adequate for sensitive communications, high dollar value transactions, or privileged user access (i.e., network administrators). Multi-factor techniques may be necessary in those cases.”

Plainly we have entered an age where consumer expectation about the availability of multi-factor has vaulted ever higher. Personally I use multi-factor on Amazon.  I also have it set up on Google.  So of course I expect it, and use it, at Affinity Federal Credit Union.

Understand this however: there is ample evidence that many consumers rebel against MFA that is deemed too cumbersome, too much of a hassle.  It’s something of a double-bind. They want to feel protected by their financial institution but they also don’t want to feel hassled.

Yet good, trustworthy MFA increasingly looks to be critical in fueling credit union account growth, especially usage of lower cost digital channels (online and mobile).  But lots of Americans shy away from online and mobile banking because of fears of data insecurity in the digital channels. Multi-factor can be the cure.

Mark this as a key 2017 challenge: offering members MFA they will use, gladly, and that leaves them feeling their financial data are safe.  

That is easier to say than to deliver.

Increasingly, multi-factor offers a choice among something the user knows (a PIN, perhaps, or the name of a favorite grammar school teacher), something the user has (a cellphone, perhaps, or an ATM card), and something the user is, that is, a biometric solution. Gaining traction there are fingerprints, of course – think Apple Pay and Touch ID – but also retinal scans, which have gained popularity at money center banks (particularly Wells Fargo).  

More attention nowadays is going into biometrics because, thanks to Apple, more of us are comfortable using a biometric tool to perform a financial task and, to most of us, biometric factors seem beyond the reach of most criminals.  

What should you offer? Best advice is to offer members a choice of multiple tools and let the member decide.  Some people still think retinal scans are creepy; others have seen them at high security office buildings and like them.  There is no disputing member tastes.

Put out a menu of maybe five or six tools and let members decide what they like.

Key is that what they use cannot seem intrusive or a hassle – to them. They get the only vote that counts.

Also good are protective tools the consumer may be unaware of, such as looking for trusted, known devices and trusted, known locations. When a member who lives in Phoenix, AZ is signing into a share draft account at a local credit union, that institution can breathe easier when it recognizes the computer and the member location – and the member has no need to know these checks have been made.

Key also is providing flexibility. A member may like using voice as a biometric when signing into the credit union in the early a.m. from home – but probably would think it weird when signing in from a busy Starbucks at noon.

Give members choices and they will use them.

Also stay on top of news developments and, definitely, there is news in the multi-factor space.

A sore spot to watch is SMS which, frequently, figures into multi-factor authentication, where a PIN is sent to a registered cellphone number. The user then inputs that PIN at a banking site.  But – increasingly – there is evidence that smart crooks have figured out how to simply steal cellphone numbers and thereby hijack the SMS traffic.  Worries are big enough that the National Institute of Standards and Technology (NIST) has begun to back away from SMS, as awareness grows that the safety of the cellphone channel is in doubt.

Right now, cellphones and SMS remain integral in the multi-factor techniques deployed by most financial institutions, but smart money is betting that will change unless cellphone carriers impose better processes to safeguard number transfers.

Note: this author recently transferred a number from one carrier to another and from one device to another and, frankly, the process was frictionless – which has to raise security worries.  But – again – it would be easy enough to erect some hurdles in the process and that might restore confidence in cellphone SMS.
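The two ideas above – silent checks on known devices and locations, and treating SMS as a weaker second factor – can be combined into one step-up policy. The following is an added illustration written for this article, not code from any credit union or vendor named here; the member profile, the risk thresholds, and the factor names are assumptions chosen to show the logic, not a description of any real institution’s rules.

```python
"""Risk-based step-up authentication policy (added illustration, not a vendor product).

The idea: a login from a known device in the member's home region for a small
transaction needs only the password; anything riskier asks for the member's
preferred second factor; high-risk sessions refuse SMS because a ported phone
number would let an attacker receive the code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Factor(Enum):
    PASSWORD = "password"        # something the member knows
    SMS_OTP = "sms_otp"          # something the member has (weakest: number porting)
    TOTP_APP = "totp_app"        # something the member has (authenticator app)
    PUSH_APP = "push_app"        # something the member has (app approval)
    FINGERPRINT = "fingerprint"  # something the member is
    VOICE = "voice"              # something the member is


# Second factors that do not depend on the phone number (assumed policy choice).
STRONG_SECOND_FACTORS: Set[Factor] = {
    Factor.TOTP_APP, Factor.PUSH_APP, Factor.FINGERPRINT, Factor.VOICE,
}

# Dollar amount above which a session is treated as high value (assumed).
HIGH_VALUE_THRESHOLD = 1000.0


@dataclass
class MemberProfile:
    member_id: str
    known_device_ids: Set[str]   # devices seen on prior successful logins
    home_region: str             # e.g. "AZ"; constructed sample value
    enrolled_factors: List[Factor]  # ordered by the member's own preference


@dataclass
class LoginContext:
    device_id: str
    region: str
    transaction_amount: float


def risk_score(profile: MemberProfile, ctx: LoginContext) -> int:
    """Silent checks the member never sees; higher means riskier."""
    score = 0
    if ctx.device_id not in profile.known_device_ids:
        score += 2  # unrecognized computer or phone
    if ctx.region != profile.home_region:
        score += 1  # away from the usual location
    if ctx.transaction_amount >= HIGH_VALUE_THRESHOLD:
        score += 2  # bigger money on the line
    return score


def required_factors(profile: MemberProfile, ctx: LoginContext) -> Optional[List[Factor]]:
    """Return the ordered list of factors to challenge, or None to block the
    session and prompt the member to enroll a stronger factor."""
    score = risk_score(profile, ctx)
    if score == 0:
        return [Factor.PASSWORD]  # trusted device and location, low value

    preferred = [f for f in profile.enrolled_factors if f != Factor.PASSWORD]
    if score >= 3:
        # High risk: do not accept SMS, since phone numbers can be hijacked.
        candidates = [f for f in preferred if f in STRONG_SECOND_FACTORS]
    else:
        candidates = preferred  # the member's own first choice wins

    if not candidates:
        return None
    return [Factor.PASSWORD, candidates[0]]


if __name__ == "__main__":
    # Constructed sample member: one known laptop, lives in Arizona, prefers SMS.
    member = MemberProfile("m-001", {"laptop-home"}, "AZ",
                           [Factor.PASSWORD, Factor.SMS_OTP, Factor.TOTP_APP])
    for ctx in (LoginContext("laptop-home", "AZ", 40.0),
                LoginContext("laptop-home", "WA", 40.0),
                LoginContext("phone-new", "WA", 5000.0)):
        print(ctx, "->", required_factors(member, ctx))
```

The member still picks the factor they like for everyday risk; the policy only overrides that choice when the session looks risky enough that an SMS code would not be trusted, which is the posture the NIST shift away from SMS argues for.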

The message there: stay on top of developments. Crooks are energetic in hunting for new weaknesses to exploit. Credit unions have to be as energetic in their self-defense tactics.

Want more ideas about what tools to use? Good advice is to look at leaders in the field and recent ratings from Javelin Strategy & Research heap particular praises on USAA, Wells Fargo, Bank of America, Bank of the West, and Fifth Third when it comes to preventing fraud involving member accounts. Only the very largest institutions were compared so don’t look for credit unions.  

Are your tools in the same class? They should be. That’s how to keep members.

Meantime, CU-2.0’s Kirk Drake pointed to emerging tools that credit unions need to know about.  Said Drake: “Using things like DAON, AnchorID, DUO, Averon, etc. really allow you to elevate the member experience while increasing security.” 

The point: credit unions have a growing number of authentication options. New ones are emerging. Learn about them, use them.  This just may become a key battleground in member retention in the years ahead. Falling behind is not an option.


Russian Hackers May Be Targeting Your Hotel and Your Data


By Robert McGarvey

The statement from security firm FireEye has to put a chill in you: “FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East.”

There’s no doubt that there has been a hacking campaign. The “moderate confidence” applies only to attribution to the Russian hackers.

FireEye continued: “FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July. Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware.”

Then the news turned awful: “Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.”
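The entry point FireEye describes is a macro-bearing document arriving by email. A hotel or any other company can catch much of that class of attachment before it reaches an inbox. The following is an added example written for this article, not FireEye’s tooling or anything from the hospitality companies mentioned; it builds its own constructed sample documents in memory and only inspects the file’s structure (the presence of a VBA project in an Office zip container), so it runs offline with the standard library alone.

```python
"""Triage of Office attachments for embedded macros (added example, not from FireEye).

Modern Office files (.docx/.docm/.xlsm/...) are zip containers; a VBA macro
project lives in an entry named vbaProject.bin and the content-types manifest
names a "macroEnabled" part. Legacy binary .doc/.xls files are OLE containers
that need a dedicated parser, so they are routed to manual review here.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # signature of a legacy OLE2 file


def contains_vba_macro(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            for n in names:
                if n.lower() == "[content_types].xml":
                    manifest = zf.read(n).decode("utf-8", "replace").lower()
                    return "macroenabled" in manifest
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Return a verdict for a mail-gateway policy:
    'macro'      - OOXML document with a VBA project (quarantine)
    'legacy-ole' - binary Office format; cannot inspect here, hold for review
    'clean'      - OOXML document with no macro project
    'not-office' - not an Office container at all
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    if contains_vba_macro(data):
        return "macro"
    return "clean"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word file)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml"
                 if with_macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real project is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, as a gateway would see them.
    for name, blob in (("agenda.docx", build_sample_document(False)),
                       ("invoice.docm", build_sample_document(True)),
                       ("old-report.doc", OLE_MAGIC + b"\x00" * 504),
                       ("notes.txt", b"plain text")):
        print(f"{name:16s} -> {triage_attachment(name, blob)}")
```

Note that the check does not trust the extension: a file named `.docx` that carries `vbaProject.bin` still comes back as `macro`. A full gateway would pair this with a parser for the legacy OLE formats and with the usual sender and URL reputation checks.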

WIRED Magazine fanned the anxieties: “Appropriately paranoid travelers have always been wary of hotel Wi-Fi. Now they have a fresh justification of their worst wireless networking fears: A Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks.”

This is not fretting about kiddie hackers. According to Reuters, “Several governments and security research firms have linked APT 28 to the GRU, Russia’s military intelligence directorate.”

That’s significant. That means we all need to be just a bit worried. This is a slick, professional attack. Nobody denies that, even though some aren’t convinced Russians are the actors.

The attacks have been slick. That’s the issue.

Remember, the biggest worries involve hotels outside the US.

In the US, many of us know to use hotel WiFi sparingly if at all.  Domestic hotels have been under assault by hackers for some years and good advice is just don’t use the WiFi for anything meaningful that involves a password. That means corporate email, banking, even frequent flier accounts.  

That’s because the odds are high that criminals are sniffing the data stream over any public WiFi network and are seeking to pull out usernames and passwords.

But here’s the kicker: ignoring public WiFi domestically is easy.  I just create a personal hotspot, either on my T-Mobile iPhone or Google Fi Pixel, and I am good to go – often at speeds that rival hotel WiFi anyway.  That communication over the cellular network is significantly more secure than a public WiFi network, so my advice is use it.

Abroad our choices are more complicated.  That’s because data abroad either is very slow or it comes at a price or both.

Set up a hotspot for data in Paris and very likely you will pay.

But now that is emerging as the better solution.

AT&T offers a calculator to help guide how much data to buy.  

Personally I will keep it simple by using T-Mobile, which offers free data – at slower speeds – in some 140 countries.  

Google Project Fi – in 135 countries – costs $10 per gigabyte for whatever speed Google can deliver.  

You want to know how you will create your own hotspot before your next foreign trip.

That’s because you – not the hotel – apparently are the target of the hackers.

FireEye elaborated: “Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations. Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad.”

What kinds of hotel are the Russian hackers targeting? Here’s FireEye’s info: “FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. ‘These were not super expensive places, but also not the Holiday Inn,’ FireEye’s [Ben] Read says. ‘They’re the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business.’”

Sound like the kind of place you’d stay in?

Definitely it is my profile.

Note: FireEye is adamant that using a VPN may not provide complete protection against the tools the Russians are deploying.  Definitely, use a VPN when traveling abroad – just don’t be certain it is protecting against sophisticated intercepts.

So create your own hotspot.  Right now, that looks to be safe, abroad just as it is domestically.