The US Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) are urging the hospitality industry to improve the security of hotel business centre PCs following the arrest of a group of ‘keyloggers.’
NCCIC officials said a Dallas-based gang used stolen credit cards to check in as hotel guests and then used the properties’ business centres to install keylogging malware on public PCs.
“The keylogger malware captured the keys struck by other hotel guests that used the business centre computers, subsequently sending the information via email to the malicious actors’ email accounts,” the agency’s advisory said.
The suspects obtained personal and financial information from other guests including log-in details for bank accounts, personal webmail accounts, and other sensitive data.
The NCCIC acknowledged it was not an elaborate, high-tech scheme.
“The attacks were not sophisticated, requiring little technical skill, but were able to utilize a low-cost, high impact strategy to access a physical system to steal sensitive data,” the NCCIC report said.
The NCCIC recommends hospitality companies limit guest accounts to non-administrator accounts, in order to block the downloading of malware.
However, a leading cyber security expert believes the only way to combat information theft is for hotel guests to never expose personal data through a public computer.
“The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer, and the trouble is that there is no easy way for the average guest to know for sure,” said Brian Krebs of krebsonsecurity.com.
“I routinely advise people not to use public computers for anything more than browsing the web.”