Hospitality security is complicated. There are many touch points of vulnerability: the Point-of-Sale at an on-site F&B outlet, guest bookings through third-party systems, the Central Reservation System, the guest-facing app for digital check-in…
No matter where a hotelier turns, there is valuable data vulnerable to attack.
A recent study highlighted just how widespread these vulnerabilities are. The most striking statistic was that illicit hackers are behind at least 44% of login attempts to hospitality brands. For some in the hotel industry, the share of attack-driven login attempts is as high as 89%.
These logins were the result of hackers attempting to log in using a set of the 2.3 billion credentials reported stolen across 51 breaches in 2017.
The potential losses are massive and ongoing.
Travel has been relatively unscathed when it comes to data breaches. In 2016, there were none. But in 2017, there were two.
Here are some of the many eye-opening statistics from the report, reminding us all that effective and dynamic security is a required core competency in today’s digital world.
$6 billion of value stolen -- from a 3% success rate
The data shows that hackers are successful about 3% of the time. Even with that low success rate, they’re able to steal $6 billion in value from e-commerce businesses.
For the hotel and airline industries, the costs are $700 million each year. This is an unwelcome sign that hospitality remains vulnerable to hacking.
To put that in perspective, $700 million is more than twice the market capitalization of Red Lion Hotels!
With the value of stolen loyalty points remaining strong on the black market -- and the fact that stolen points aren't as headline-grabbing as other forms of breaches -- hospitality brands are lucrative targets. There’s a very real cost to security fraud in hospitality. For smaller brands, poorly protected data could be a devastating death blow.
Credential stuffing is the enemy
One of the largest vulnerabilities is hackers taking credentials stolen from one site and using those same credentials to gain access to higher-value sites. This is called “credential stuffing.” It’s a brute force attack that can be easily automated: the machine just keeps trying the stolen username and password pairs against the login form until one succeeds.
These illegitimate log-in attempts tax technical resources and require constant monitoring through intelligent tools and staff oversight.
While not as widespread as other industries, hotels are impacted by this issue.
Web forums and social networks are the richest source of credentials for hackers. Often, users are in a hurry when signing up for the sites and don't use the most secure passwords. Or, since users don't see the sites as important, they simply reuse passwords from other sites.
Usually, hackers are looking to hijack loyalty points from user accounts. Many consumers don't consider the inherent value of their loyalty points, as they're not always seen as equivalent to cash.
Users either have the same password across multiple websites, or don't use secure enough passwords.
This password re-use is how credential stuffing causes massive losses each year across industries. The hackers hop from industry to industry, testing each new batch of credentials to see what they can gain access to. With each new data spill, the cycle renews itself.
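The pattern described above has a recognizable footprint in a login audit log: one source tries many different accounts and almost all of them fail. The following is an added example, not code from the article or from Shape Security, of a small detector run over constructed audit lines; the log format, the thresholds and the IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample audit lines (not real data): "<time> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2017-09-01T10:00:01Z 203.0.113.7 ann@example.com FAIL
2017-09-01T10:00:01Z 203.0.113.7 ben@example.com FAIL
2017-09-01T10:00:02Z 203.0.113.7 cai@example.com FAIL
2017-09-01T10:00:02Z 203.0.113.7 dee@example.com OK
2017-09-01T10:00:03Z 203.0.113.7 eli@example.com FAIL
2017-09-01T10:00:03Z 203.0.113.7 fay@example.com FAIL
2017-09-01T10:00:04Z 203.0.113.7 gus@example.com FAIL
2017-09-01T10:00:04Z 203.0.113.7 hal@example.com FAIL
2017-09-01T10:01:10Z 198.51.100.20 ivy@example.com FAIL
2017-09-01T10:01:20Z 198.51.100.20 ivy@example.com FAIL
2017-09-01T10:01:30Z 198.51.100.20 ivy@example.com OK
2017-09-01T10:02:00Z 192.0.2.9 jon@example.com OK
"""

# Assumed thresholds: stuffing shows many distinct accounts from one source
# with a low hit rate (the report puts attacker success near 3%).
MIN_DISTINCT_USERS = 5
MAX_SUCCESS_RATE = 0.2

def summarize_by_source(log_text):
    """Aggregate attempts, distinct usernames and successes per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, ip, user, result = parts
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "OK":
            s["successes"] += 1
    return stats

def flag_credential_stuffing(log_text):
    """Return {ip: (attempts, distinct_users, successes)} for suspicious sources."""
    flagged = {}
    for ip, s in summarize_by_source(log_text).items():
        distinct = len(s["users"])
        rate = s["successes"] / s["attempts"]
        if distinct >= MIN_DISTINCT_USERS and rate <= MAX_SUCCESS_RATE:
            flagged[ip] = (s["attempts"], distinct, s["successes"])
    return flagged

if __name__ == "__main__":
    for ip, (n, users, hits) in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} attempts across {users} accounts, {hits} succeeded")
```

A legitimate guest who mistypes a password a few times (one account, then a success) is not flagged; the one "OK" inside the flagged batch is the account takeover the report describes and is the event that should alert the real account owner.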
The true costs of credential stuffing
It's a challenge to put a dollar figure to something so nebulous. Thankfully, the company behind the report, Shape Security, made an effort to calculate these costs.
With loyalty points assigned a value of 1 cent per point, credential stuffing costs over $1 million a day. And that’s without including any potential brand damage from a guest dealing with a hacked account! Or any bad public relations related to a data breach.
Given the broad range of redemption value, this cost increases exponentially depending on the sophistication of the hackers. If they're smart, the redemptions will be worth far more than one cent per point!
Hackers won’t usually use these points for hotel stays. They will use the points for merchandise and then have those items shipped to a PO Box. Some even use random people from Craigslist to pick up items bought with stolen cards in store!
This is a real issue for points-based systems, says Quartz:
“Criminals sell them to specialist brokers who purchase award points from hotels and airlines. After the miles are transferred to the broker’s account, the cyber thief is usually paid via PayPal.
The mileage brokers then sell the points to online travel agencies, which they use to sell discounted tickets for business class and first class airfares. Some discounted online deals really are too good to be true.”
Is your hotel’s digital technology facilitating fraud?
Those who look to manipulate the system always find new ways to commit fraud. Like airlines, hotels are relatively insulated from fraudulent guest stays because guests have to check in with identification at the front desk.
But with new digital check-in tools, some stays don’t even require a visit to the front desk. A hacker who wants to avoid presenting identification when using stolen points to book a stay could simply pick a hotel brand that has this type of technology enabled.
The report explains further:
"With the introduction of digital check-in, attackers can now take over the account, book the room under the victim’s name, check in online, and use their mobile app as their digital room key, all without having to interact with any hotel staff or present identification."
Without proper notifications, a user may be completely unaware that their points are being used to book an actual stay. Most users aren't checking accounts regularly, and unsolicited brand emails often sit unopened.
This leads to an opportunity for fraud, Shape says:
"Many hotel apps do not send email notifications when actions like digital check-in are taken, reducing the risk for the fraudster. At most, the fraudster may need to change notification settings after taking over a victim’s account, so that the true account owner is not alerted of activity."
Education as a stop-gap
Hospitality brands should consider educating consumers about these issues. Like most things, it's cheaper to educate upfront than to clean up the mess afterwards.
This education should expand to the internal operation as well. Understanding and fighting for user security is an ongoing effort. The reality is that one breach is too many. Travel brands often have far more valuable information for hackers, such as Passenger Name Records and credit cards on file. This data must be kept safe if traveler trust is to be preserved. Trust is hard to earn -- but so easy to lose.
Download the full report. To keep up with the latest, join our Working Groups, which focus on addressing challenges (such as security) through four important areas: mobile, content, payments, and hotel analytics.