Several recent cyber attacks on loyalty cards have shown it's not always cash that hackers are after and that such attacks are increasingly being used to support traditional crime or fraud.
We spoke to Kirill Slavin, general manager at Kaspersky Lab, to find out more about how organisations can assess these potential dangers and deploy defence to help reduce the risks.
- How can a travel company be hacked? i.e. Which methods would cybercriminals most likely use to gain access?
Travel companies can be hacked in similar methods to other organisations. Take, for example, the recent hack on Hilton Worldwide, which saw its systems targeted through payment card-stealing malware. The global hospitality company has confirmed that the malware could potentially steal cardholder names, security codes, payment card numbers and expiry dates.
Or look back to the hack on its loyalty card ‘Hilton HHonors’ last year. Brendan Brothers, a frequent traveller, logged into his Hilton Honors account to find that more than 250,000 points had been stolen. First, thieves had accessed his online account and changed the e-mail address so that he would not receive any correspondence regarding the use and abuse of his rewards. Then they helped themselves to six different Hilton hotel reservations from Atlanta all the way up the Atlantic coast to Stamford, CT, using his points.
- What gain would cybercriminals be looking for by hacking travel companies?
One thing the recent influx of attacks on loyalty cards and schemes targeting companies (including Hilton, Costa Coffee, British Airways and Tesco) has taught us is that it’s not just passwords or money that cybercriminals are after.
The above stories highlight the fact that cyber-attacks are being increasingly used to support traditional crime or fraud. It’s not always the money that hackers are after; many are increasingly realising they can turn a profit by stealing assets many people treat as an afterthought – loyalty rewards. This should remind organisations that protection against cybercriminals includes more than just sensitive personal information.
- Is this a bigger risk now due to the introduction of inflight and hotel Wi-Fi?
Where Wi-Fi is public, there’s certainly a bigger security risk. Even just casually browsing in a hotel cafe or restaurant could put you under threat. If someone is able to capture your log-in details, or other sensitive information, they have the key to unlock your digital lives. And it doesn’t have to be the guy at the next table. A typical Wi-Fi router has a range of around 100 metres. So it could just as easily be someone sitting in the cafe over the road, or in the nearby car park.
- How much awareness is there of this trend at the moment?
Data breaches on large organisations are very much in the public eye at the moment, for example the TalkTalk hack, in addition to that on Hyatt hotels at the end of last year. Although awareness is on the rise, much more needs to be done by both businesses and consumers to safeguard sensitive data.
- What can companies do to protect their customers?
There are a number of risks that all organisations that transact online need to consider. For example, cybercriminals can use phishing messages to redirect customers to fake websites, they can install malware on customer computers to steal their account details and passwords, or they can use malware to intercept financial transactions and create fraudulent transactions.
Any business that handles financial transactions has a responsibility to secure the personal data of its customers, in addition to securing its own data. This must start with securing web-based transactions. It must also include hashing and salting of passwords and encryption of other personal data - so if they experience a breach, their customers feel safer in the knowledge that the data is encrypted. To further reduce the risks, it’s important that they implement anti-fraud monitoring technologies to analyse a customer’s behaviour during online transactions and to detect other suspicious activity within their IT infrastructure. This mitigates the risks of a possible lack of security at the customer’s endpoint, over which they have no direct control.
In light of the upcoming EU data legislation which will force companies to disclose data breaches, organisations need to begin to consider how they may deal with such an attack. Last week’s news that Hyatt has published a list of all its hotels hit by malware that was found on its customer payments system last year is certainly a step in the right direction in terms of data breach transparency by large organisations.
In addition, the fact that the hotel chain has teamed up with a security firm to give its customers who have stayed at one of its compromised hotels free security protection for one year, demonstrates that companies holding customer data do recognise that they have a huge responsibility to keep it safe, and make sure it doesn’t fall into the wrong hands.
Unfortunately, for anyone affected by the breach, this response has come too late and highlights that businesses and consumers need to consider security procedures before a data breach forces them to – prevention is always better than cure.
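A simple version of the behavioural anti-fraud monitoring mentioned above, run over constructed sample events that mirror the loyalty-account takeover pattern described earlier (contact e-mail changed, then a burst of point redemptions). This is an added example, not Kaspersky Lab's or any vendor's code; the event fields, thresholds and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real data). Account A1 shows the takeover
# pattern: e-mail change followed by several large redemptions within minutes.
# B2 redeems without any e-mail change; C3 changes e-mail but redeems a week later.
EVENTS = [
    {"ts": "2015-09-01T08:00:00", "acct": "A1", "type": "login"},
    {"ts": "2015-09-01T08:01:00", "acct": "A1", "type": "email_change"},
    {"ts": "2015-09-01T08:10:00", "acct": "A1", "type": "redeem", "points": 40000},
    {"ts": "2015-09-01T08:15:00", "acct": "A1", "type": "redeem", "points": 45000},
    {"ts": "2015-09-01T08:20:00", "acct": "A1", "type": "redeem", "points": 50000},
    {"ts": "2015-09-02T12:00:00", "acct": "B2", "type": "login"},
    {"ts": "2015-09-02T12:05:00", "acct": "B2", "type": "redeem", "points": 10000},
    {"ts": "2015-09-03T09:00:00", "acct": "C3", "type": "email_change"},
    {"ts": "2015-09-10T09:00:00", "acct": "C3", "type": "redeem", "points": 5000},
]


def find_takeover_candidates(events, window=timedelta(hours=48),
                             min_points=100000, min_redemptions=2):
    """Flag accounts where a contact-e-mail change is followed, within `window`,
    by at least `min_redemptions` redemptions totalling `min_points` or more.
    Thresholds are assumed values; a real deployment would tune them per scheme
    and route alerts to the old e-mail address and to a fraud analyst."""
    by_acct = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_acct.setdefault(ev["acct"], []).append(ev)

    alerts = []
    for acct, evs in by_acct.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "email_change":
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            burst = [x for x in evs[i + 1:]
                     if x["type"] == "redeem"
                     and datetime.fromisoformat(x["ts"]) - t0 <= window]
            total = sum(x["points"] for x in burst)
            if len(burst) >= min_redemptions and total >= min_points:
                alerts.append({"acct": acct, "email_change_at": ev["ts"],
                               "redemptions": len(burst), "points": total})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_candidates(EVENTS):
        print(f"ALERT {alert['acct']}: {alert['redemptions']} redemptions "
              f"({alert['points']} points) after e-mail change at {alert['email_change_at']}")
```

Only A1 is flagged: B2 never changed its e-mail, and C3's single redemption falls outside the window and below the thresholds.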
- What should consumers be doing to protect themselves?
While travelling, any network, even a semi-private one in a hotel or business centre, should be viewed as potentially dangerous Wi-Fi. Take, for example, the Darkhotel APT, discovered by Kaspersky Lab in 2014, which illustrates an evolving threat vector: individuals who possess valuable information can easily fall victim to something similar to a Darkhotel attack. To prevent this, we would recommend consumers do the following:
- Update all third party software before you go on your trip.
- Use a strong anti-malware product and follow best practices.
- Use a separate ‘travel’ computer or, alternatively, use a dedicated virtual computer while you’re travelling.
- Use a VPN while traveling.
- Use two-factor authentication for e-mail and other confidential services.
- Use strong, unique passwords for each resource you access.
- Use separate e-mail, Skype and IM accounts while travelling.