Before flying from Rome to Philadelphia earlier this summer, I stopped in the hotel lobby to print my boarding pass. The hotel had one computer dedicated solely to this task. It was the only public computer available to guests. I could access only airline websites and input my name and confirmation number for the ticket. That was it.
I thought this was the hotel's way of trying to squeeze a few more Euros out of me -- but this setup may also stop fraud. It prevents someone from stealing whatever other information I could have typed into the computer, such as an email login and password.
In July, the U.S. Secret Service and Department of Homeland Security released an alert to the hospitality industry, warning it that business center computers had become a hacker target.
According to Kregs on Security, which posted the nonpublic advisory, the warning came from a task force in Texas that arrested individuals who allegedly targeted computers at hotel business centers in the Dallas/Forth Worth area.
This kind of fraud could be more than just about trying to steal a road tripper's credit card information, said Patrick Peterson, CEO of cybersecurity company Agari. If the hotel in question is near a major corporate headquarters -- where contractors, consultants and employees from other offices stay when visiting -- criminals could target them to steal and then sell company login information. Credit card theft thus becomes possible corporate espionage.
The hotels involved in this case haven't been revealed, but Peterson points out that they could be near the Dallas/Fort Worth-area headquarters for AT&T, Energy Transfer Equity, Southwest Airlines, Texas Instrument and Neiman Marcus.
"If you're in Russia, if you're in China, and you're about to bid on a multibillion-dollar oil field, knowing what your competing bidders know about that oil field is very valuable," he says. It's much easier to steal someone's login through an unsecured business center computer than to infiltrate a heavily protected company.
Travel Industry Security Lags -- and Hackers Know It
The travel industry lags in its security efforts, Peterson says. Agari's TrustIndex report found a 400 percent increase in the level of threat to the travel industry in the past quarter. Out of 14 companies that Agari studied, only three hit acceptable security marks.
A large part of that threat came from email phishing scams that would either install malware on the victim's computer or let criminals encrypt a hard drive and then demand a ransom to unlock that hard drive, Peterson says.
Attacking business center computers is a different kind of scam. "It's low-tech, and there are so many different ways it can be done," says Bill Hargenrader, cyber security solutions architect at Booz Allen Hamilton, a strategy and technology consulting firm. It's also cheap, he adds: "I can go online right now and, for $60, get a USB keylogger and put it into someone's computer and record all those keystrokes."