Destination Scary: The Truth About Hotel Cyber Security

     In July 2014, the National Cybersecurity and Communications Integration Center (NCCIC) and the United States Secret Service (USSS) issued an advisory warning the public about the proliferation of  keyloggers on hotel business center computers which are usually made available to guests for personal use. Keylogging malware is designed to copy the keystrokes of anyone using the computer and transmit or save that information. Criminals use the captured keystrokes to steal personal and business information like credit card numbers, userids/passwords, and other vital proprietary information. The advisory discusses how a recent sting operation in the Dallas/Fort Worth area uncovered an ongoing criminal venture where keyloggers were being loaded to public use computers at local area hotels to steal credit card numbers, retirement account information, and bank account logins.
     The advisory is just another example of poor computer security in the hotel industry. In 2011, Bloomberg News reported that an anonymous government intelligence official tipped them that IBAHN, who supplies internet and Wi-Fi service to over 3,000 hotels worldwide was allegedly hacked by attackers based in China who stole personal emails and logins. IBAHN denied the claims and launched an internal investigation that showed no signs of the reported breach. The sensationalism of cyber security breaches has led to some false reporting which has left consumers flummoxed.  This confusion has caused some to dismiss breach reports or become desensitized to the real threat. Having responded to suspected data breaches reportedly involving advanced persistent threats in the past, I can honestly say that the evidence that a breach has occurred or how it occurred is often times very difficult to ascertain. Often the first bits of information that is received about a breach is false. Just because allegations don’t always result in hard evidence of a breach though, doesn’t mean that consumers should ignore the warning signs. As my dad used to say, “Where there is smoke, there is often fire.” Since the allegations, several security professionals and even criminal hacker sites have noted various compromise techniques for hotel Wi-Fi in general.
     When using hotel computers and internet services it is advisable to not transmit or access personal accounts or company proprietary information. If you must use their services for such activity ensure that you do so through your own antivirus protected devices using a secure and encrypted connection like HTTPS. Many password managers now offer the capability to access accounts through the password manager without typing anything. I even know some people who carry a small Wi-Fi router with them that they connect to the Ethernet cable in the room and set up their own personal secured Wi-Fi connection. The story is simple be cautious and aware of the cyber dangers when travelling.