Financial institutions have traditionally been the top targets of cyber-criminals worldwide. Lately, attackers have turned to assets one would not normally consider worth stealing, and they are finding novel ways to monetize the data gathered through such attacks.
During the past few months, United Airlines, American Airlines, Park ‘N Fly, Starwood, and Hilton have all reported breaches (not necessarily intrusions into their own networks or systems; several resulted from credentials stolen in attacks on other businesses). This points to the travel and hospitality industry, and to business travelers in particular, as a prime target.
Here is a summary of a few recent attacks:
- On November 3, 2014, hackers reportedly cashed in Hilton HHonors reward points after taking over member accounts. Some reports at the time called this a distributed denial of service (DDoS) attack, but a denial-of-service attack disrupts availability and cannot by itself redeem points; the losses came from account takeover. Hilton later added additional security features to its login to prevent such attacks.
- On January 12, 2015, media reports revealed that cyber-criminals had logged into American Airlines (AAdvantage) and United Airlines (MileagePlus) frequent flyer accounts using credentials stolen elsewhere and spent the miles on free trips and upgrades. The airlines later announced compensatory measures such as restoring lost miles and one year of credit monitoring.
- On January 13, 2015, Park ‘N Fly, an off-site airport parking provider, disclosed a compromise of payment card data processed through its e-commerce website. Compromised data potentially includes card numbers, user names, billing addresses, email addresses, and telephone numbers.
- On January 22, 2015, cyber-criminals apparently succeeded in stealing Starwood SPG reward points from guest accounts and began selling the rewards on the internet. Starwood announced that points lost to fraud would be refunded.
Taken together, these publicly reported incidents show why business travelers have become such an attractive target.
The Global Business Travel Association has projected that U.S. business travel spending will reach $310 billion in FY 2015. Business travelers often don’t mind splurging on quick upgrades in flights, hotel rooms, premium taxis and other services, and they pay with corporate credit cards that carry high credit limits. The hospitality industry, in turn, offers them loyalty programs in which they earn and redeem reward points.
These factors make business travelers attractive to cyber-criminals. Loyalty programs and reward points are valuable, but users rarely treat loyalty accounts as security-sensitive: they pick easy-to-remember passwords and reuse the same few passwords everywhere. A password exposed in a breach of one site can then simply be replayed against loyalty program accounts (credential stuffing), with no need to attack the program’s own systems.
Nor is the problem limited to travelers. The IT divisions of some hospitality organizations handle loyalty program customer data with lax controls: storing and transmitting sensitive data in plain text, missing internal access controls on the systems that process customer data, and ineffective monitoring of network activity are all common.
Combatting the Latest Cyber-Attacks:
Though attackers use different techniques and attack vectors, most of these incidents come down to stolen credentials. Password security lies at the root of the problem.
We have stressed, time and again, the evils of password reuse. Business travelers should assign a unique password to each website and application; then, when a site or app announces a password exposure or hack, only that one password needs to change. The cost is having to remember all those unique passwords.
IT divisions of businesses that handle customer data should meticulously review how they store, share, and use the passwords for IT resources in their organizations. Password management is not merely about storing passwords; it covers a broad range of activities, including consolidating, securing, controlling, managing, and monitoring accounts.
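The two checks a traveler (or a help desk auditing travelers' accounts) actually wants from the paragraph above are "is this password reused across my sites?" and "has it already appeared in a breach?". The following is an added example, not code from the original post or from ManageEngine, written in Python. It uses the k-anonymity range-query model for breach lookups (only a five-character SHA-1 prefix leaves the client; suffixes are compared locally). To keep it runnable offline, the breach data in FAKE_RANGES is constructed, and the site names and the SAMPLE_VAULT entries are made up; the one real value is the SHA-1 digest of "password". The names lookup_range, breach_count, audit_vault and sites_to_rotate are this example's own.

```python
"""Check a personal password list for reuse and for presence in breach data
using the k-anonymity range-query model: only the first five hex characters
of the SHA-1 digest are sent; the rest is compared locally. Added illustration;
FAKE_RANGES is constructed stand-in data, not a real service response."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a range-query response, keyed by 5-hex-char prefix.
# The real Pwned Passwords service (GET https://api.pwnedpasswords.com/range/<prefix>)
# returns the same "SUFFIX:COUNT" lines; SHA-1 is only the lookup format there, not a
# recommendation for storing passwords. The first suffix below is from SHA-1("password").
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "0123456789ABCDEF0123456789ABCDEF012:3\n",
}

def lookup_range(prefix):
    """Offline replacement for the network call; returns the raw response text."""
    return FAKE_RANGES.get(prefix, "")

def breach_count(password, range_lookup=lookup_range):
    """How many times the password appears in breach data (0 if never seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        sfx, count = line.split(":", 1)
        if sfx == suffix:
            return int(count)
    return 0

def audit_vault(entries, range_lookup=lookup_range):
    """entries: {site: password}. Returns {site: [findings]}; an empty list means clean."""
    sites_by_password = defaultdict(list)
    for site, pw in entries.items():
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in entries.items():
        issues = []
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused on " + ", ".join(others))
        n = breach_count(pw, range_lookup)
        if n:
            issues.append(f"seen {n} times in breach data")
        findings[site] = issues
    return findings

def sites_to_rotate(entries, breached_site):
    """When breached_site announces a breach, every site sharing its password must rotate too."""
    pw = entries[breached_site]
    return sorted(site for site, p in entries.items() if p == pw)

SAMPLE_VAULT = {  # constructed example list; "password" is the classic reused one
    "hhonors.example": "password",
    "aadvantage.example": "password",
    "spg.example": "Tq7!v9-Zr2p#Lm4x",
}

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT).items():
        print(site, "->", issues or "ok")
    print("rotate after aadvantage breach:", sites_to_rotate(SAMPLE_VAULT, "aadvantage.example"))
```

To run this against the live service, replace lookup_range with a function that fetches the range URL for the prefix and returns the response body; the comparison logic does not change, and the password itself still never leaves the machine.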
We would reiterate the following best practices for IT divisions:
- Password reuse is disastrous and should be strictly avoided.
- Every IT resource and web application should be assigned a strong, unique password.
- Administrative passwords, which grant unlimited access to IT assets, should never be kept in plain text in unprotected places such as post-its, spreadsheets, printouts, and text documents.
- Users should get access only to the passwords of the specific resources they need to perform their work.
- When passwords must be shared, the sharing mechanism should follow a proper workflow that includes 1) an approval step for password requests, 2) time-limited access, and 3) automatic reset after use.
- All passwords should be changed at periodic intervals, and immediately whenever compromise is suspected. The organization’s IT policy should be enforced, not merely written down.
- Access to sensitive accounts should be granted without revealing the underlying passwords. In other words, users should be able to reach the resources without ever seeing the passwords in plain text.
- All activity by users on highly sensitive resources should be session-recorded (video) and monitored, and any suspicious session should be terminated.
- Comprehensive, tamper-evident audit records should be maintained on the “who, what, where and when” of every access.
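The approval, time-limited lease, no-plain-text-exposure, automatic reset and tamper-evident audit items above are one workflow, so here is one added example that walks a single credential through all of them. It is illustrative Python written for this page, not the code of Password Manager Pro or any other product; the class and function names (Vault, audit_mac, verify_audit, demo), the resource "db-prod", the users alice, bob, mallory and the HMAC key are all made up. The "connector" stands in for the vault-side component that injects the password into a session; the requesting user only ever supplies a command. The audit trail is HMAC-chained so that editing or deleting a past record breaks verification (tamper-evident, which is what "tamper-proof" records amount to in practice).

```python
"""Toy privileged-credential vault: request, approval, time-limited lease,
password injection by the vault side, automatic reset after use, and a
hash-chained audit trail. Added illustration, not any product's code."""
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def audit_mac(key, rec):
    """HMAC over the record minus its own mac; 'prev' chains it to the record before."""
    body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_audit(key, records):
    """True only if every record's MAC checks out and the chain is unbroken."""
    prev = GENESIS
    for rec in records:
        if rec["prev"] != prev or not hmac.compare_digest(audit_mac(key, rec), rec["mac"]):
            return False
        prev = rec["mac"]
    return True

class Vault:
    def __init__(self, audit_key, connector, clock):
        self._secrets, self._acl, self._pending, self._leases = {}, {}, {}, {}
        self._audit_key = audit_key  # held by the audit service, not by vault admins
        self._connector = connector  # vault-side code that opens the session with the password
        self._clock = clock          # injectable so expiry can be shown offline
        self.audit = []

    def _log(self, who, what, where, ok=True):
        prev = self.audit[-1]["mac"] if self.audit else GENESIS
        rec = {"who": who, "what": what, "where": where, "when": self._clock(), "ok": ok, "prev": prev}
        rec["mac"] = audit_mac(self._audit_key, rec)
        self.audit.append(rec)

    def add_resource(self, admin, resource, allowed_users):
        self._secrets[resource] = secrets.token_urlsafe(24)  # vault-generated, never typed by a human
        self._acl[resource] = set(allowed_users)
        self._log(admin, "add_resource", resource)

    def request(self, user, resource):  # only users entitled to the resource may even ask
        if user not in self._acl.get(resource, ()):
            self._log(user, "request_denied", resource, ok=False)
            raise PermissionError(f"{user} is not entitled to {resource}")
        rid = secrets.token_hex(8)
        self._pending[rid] = (resource, user)
        self._log(user, "request", resource)
        return rid

    def approve(self, approver, request_id, ttl_seconds=900):  # second person, bounded lifetime
        resource, user = self._pending.pop(request_id)
        if approver == user:
            self._log(approver, "self_approval_rejected", resource, ok=False)
            raise PermissionError("requesters cannot approve their own requests")
        lid = secrets.token_hex(8)
        self._leases[lid] = {"resource": resource, "user": user,
                             "expires": self._clock() + ttl_seconds, "used": False}
        self._log(approver, "approve", resource)
        return lid

    def use(self, user, lease_id, command):
        """The user supplies a command; only the vault-side connector handles the password."""
        lease = self._leases.get(lease_id)
        if lease is None or lease["user"] != user:
            self._log(user, "use_denied", "-", ok=False)
            raise PermissionError("no valid lease for this user")
        if self._clock() > lease["expires"]:
            self._log(user, "lease_expired", lease["resource"], ok=False)
            raise PermissionError("lease expired")
        lease["used"] = True
        self._log(user, "use", lease["resource"])
        return self._connector(lease["resource"], self._secrets[lease["resource"]], command)

    def checkin(self, user, lease_id):
        lease = self._leases.pop(lease_id)
        self._log(user, "checkin", lease["resource"])
        if lease["used"]:  # automatic reset: whatever the session carried is now worthless
            self._secrets[lease["resource"]] = secrets.token_urlsafe(24)
            self._log("vault", "rotate", lease["resource"])

def demo():
    """Walk one credential through the workflow; returns the facts a reviewer would check."""
    seen, clock = [], {"now": 0.0}  # seen: passwords the connector received
    def connector(resource, password, command):
        seen.append(password)
        return f"{resource}: ran {command}"
    vault = Vault(b"audit-service-key", connector, lambda: clock["now"])
    vault.add_resource("admin", "db-prod", {"alice"})
    lease = vault.approve("bob", vault.request("alice", "db-prod"), ttl_seconds=600)
    out = vault.use("alice", lease, "SHOW PROCESSLIST")
    vault.checkin("alice", lease)
    lease2 = vault.approve("bob", vault.request("alice", "db-prod"), ttl_seconds=600)
    clock["now"] += 601  # lease2 is now past its expiry
    try:
        vault.use("alice", lease2, "SELECT 1")
        expired_blocked = False
    except PermissionError:
        expired_blocked = True
    tampered = [dict(r) for r in vault.audit]
    tampered[2]["who"] = "mallory"  # rewrite the approver on the approval record
    return {"out": out, "rotated": len(seen) == 1 and seen[0] != vault._secrets["db-prod"],
            "expired_blocked": expired_blocked, "audit_ok": verify_audit(b"audit-service-key", vault.audit),
            "tamper_detected": not verify_audit(b"audit-service-key", tampered)}
```

In a real deployment the connector is the piece that launches the SSH, RDP or database session on the user's behalf, the clock is wall time, and the audit records are shipped to a store the vault administrators cannot write to; the chain check then lets an auditor prove that nothing was edited or removed between two points in time.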
For individuals and businesses alike, a manual approach to password management is cumbersome. Organizations can enforce the best practices above with an enterprise privileged password manager such as ManageEngine Password Manager Pro. Try Password Manager Pro now.