Business Traveller

Hack attack

Cyber criminals have their sights set on your data – and hotel and airline systems are particularly at risk. Jenny Southan asks how we can protect ourselves


He’s a regular cybersecurity engineer by day but a vigilante hacker by night. “Her password was simple, Dylan2791. Favourite artist and the year in which she was born, backwards,” Elliot says in the opening episode of US TV series Mr Robot. “His was the easiest to hack, password was 123456, then ‘seven’ spelled out.”

Your password isn’t as simple as that, is it? In January, password management company SplashData trawled two million leaked logins from last year to find out which were used by the most people. Top of the list? “123456.” In second place, “password”. In 11th place was “welcome”. Some people are just asking for trouble…

None of my passwords have been as weak as these, but after watching Mr Robot I changed all of them. You might want to do the same, because your online security is under threat. PwC’s 2016 Global Economic Crime Survey, which questioned 6,337 respondents in 115 countries, revealed that cybercrime was the second-most reported economic crime, affecting 32 per cent of organisations. To make matters worse, only 37 per cent have a cyber incident response plan – they are simply not prepared for an attack.

STRANGER DANGER

As business travellers, we often handle sensitive information but also risk exposure in many more ways than the average person, and a strong password won’t necessarily be enough to protect against incursions.

Jacob Ginsberg, senior director of email encryption company Echoworx, says: “It’s likely that your home address, destination, length of time you’ll be away and preference for chicken or beef is all being passed back and forth online. Criminals are always looking for an open window and if an airline sends your flight confirmation details unencrypted, potentially sensitive information will be out in the open.”

Ben Paul, airlines and airport industry leader for PwC, agrees. “Airlines fundamentally are responsible for passenger information, passport information, a record of movement and a lot of other data that is being used to join up the customer journey. This is very useful information for external parties.” He adds: “Traditionally, airlines have had a very strong safety culture but what they probably aren’t prepared for is malicious cyber activity.”

Unfortunately, while there are steps we should be taking to bolster our defences (see panel overleaf), airlines and hotels are an increasingly attractive target for hackers. “The travel industry is probably one of the worst out there for securing data,” says Bharat Mistry, cybersecurity consultant for software company Trend Micro.

ATTACK THE CASTLE

Over the past year or so, a number of airlines and hotel chains have experienced cyber breaches. Last March, hackers accessed tens of thousands of British Airways Executive Club accounts – the airline said no personal information had been viewed or stolen but the accounts were temporarily frozen pending an investigation.

In July, Mandarin Oriental went public about a malware attack on credit card systems at hotels including Boston, Geneva and Las Vegas. It said: “We believe this hacker may have used malware to acquire the names and credit card numbers of [guests].”

United and travel tech company Sabre (which stores the records of more than a billion travellers a year) were said to have been hacked last summer, with rumours circulating that China was responsible. A widely cited report from Bloomberg warned: “A foreign government could use the data to build profiles of US officials and contractors, establishing information that could be used to blackmail them into providing intelligence.”

The problems have continued. In October, it was announced that the payment systems supporting the Trump Hotel Collection were infiltrated by malware that extracted account numbers, card expiration dates and security codes in real time between May 2014 and June 2015 – a period of more than a year, unnoticed.

In November, Starwood said point-of-sales systems at more than 50 of its hotels had been infected, exposing customers’ card data to criminals. In December, both Hyatt and Hilton experienced breaches to their payment systems, the latter over a period of 17 weeks.

At around the same time, a Financial Times report cited Tom Kellermann, chief cybersecurity officer for Trend Micro, as saying: “Customers should be very concerned because, in general, the industry has insufficiently invested in cybersecurity.” He said one virus, MalumPoS, is able to scrape data from “95 per cent of the point-of-sales systems on the planet”. Kellermann also said “only Marriott had taken cybersecurity seriously” and urged it to “conduct due diligence on the matter as part of its acquisition of Starwood”.

In 2012, the US government filed a lawsuit against Wyndham Hotel Group when 600,000 of its guest accounts were penetrated by Russian hackers via its data centre in Arizona. It was a breach that led to US$10.6 million of fraudulent credit card payments. The Federal Trade Commission said that the company failed to take proper security measures even after it became aware of the hack (it was attacked three separate times between 2008 and 2010).

Last year, the case was settled but Wyndham will have to submit to oversight for the next two decades. Patrick Dunphy, manager, workshops and IT for Hotel Technology Next Generation, says: “There is significant reputational risk when a global hotel chain is the subject of a cyber attack. It can take years to build a brand’s reputation, but a single event can destroy it.”

COUNTER TACTICS

Battling the upsurge in cybercrime, the cybersecurity market is expected to grow from US$75 billion in 2015 to US$170 billion by 2020 – with a million job openings up for grabs this year. Hacks have been happening in the travel industry for some time but the scale and ingenuity of them has grown.

Trend Micro’s Mistry says travel companies are at risk because of vulnerable IT infrastructure but also because of the rich personal data they store – including loyalty scheme points and miles, which can be spent, just as any other currency. He says: “The information is used for fraud or sold in underground forums. Credit card information will probably sell for a few dollars but if you have more personal data then that could be used to create fake passports, for example, which are more valuable.”

Mistry also flags up the problem of “malvertisements” that are starting to show up on travel sites such as Expedia. He explains that before you know it, clicking on the fake advert will download malicious code to your device. “This will establish a point of presence for the hacker, like gaining access to the front door of a house. The next part downloads specific tools and utilities to harvest your data.” The scary thing is, you might not even know it has happened. “Attacks are designed to be covert,” he says.

John Wilson, field chief technology officer of email security company Agari, says business travellers “need to be particularly aware of opening emails on smartphones from suspicious sources as it is often easier to be fooled when less sender data is displayed and it is easy to click on links by mistake”.

Echoworx’s Ginsberg says protecting your data should be standard practice: “Companies are always exposed to risk, both internal and external, and that is why encrypting emails and sensitive information such as financial records, customer data and discreet travel plans should be top of mind.”

Using a virtual credit card is a good way to protect your financial data. Jon West, managing director for hotel booking portal HRS in the UK and Ireland, has seen a steady rise in their use over the past 18 months as they become more widely accepted by hotels. He says: “They significantly reduce the risk of cybercrime by giving a single-use number to be used only by the hotel merchant. This means that no payment details need to be entered into the system at the time of booking, and the amount allocated to the virtual credit card is capped.”

FLIGHT FEARS

Ginni Rometty, chief executive of IBM, recently said that cybercrime “may be the greatest threat to every company in the world”, and that costs could quadruple to US$2 trillion by 2019. Who’s responsible? Anyone from company insiders to nation states; terrorists, hacktivists and organised crime syndicates.

Steve Morgan, founder and CEO of Cybersecurity Ventures, says: “Our entire society is computer-controlled and internet-connected, including auto, air, rail, and all forms of travel.” Consider the recent Nissan Leaf case, in which the climate control in its electric cars could be hacked through its smartphone app. In a worst-case scenario, malicious cyber actors and hostile nation states could target air traffic control systems. “Hackers have been warning that passenger jets are vulnerable to cyber attacks for a long time,” he says.

Last April, Chris Roberts, One World Labs founder and chief technology officer, tweeted that he could hack an aircraft through its in-flight entertainment/wifi and deploy the oxygen masks: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)” United consequently banned him from flying, and a subsequent report claimed he told FBI investigators that he had previously hacked into an aircraft’s systems, altered the code and issued a “climb” command to one of the engines.

While “good guy” Roberts was deliberately showing up security flaws, the concern about in-flight wifi remains real. Last year, the US Government Accountability Office said: “A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.” Airlines and aircraft manufacturers insist systems are kept separate and this couldn’t happen, but critics say it might not be foolproof.

An April 2015 article in Wired explained: “A hacker would have to first bypass a firewall that separates the wifi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design is to air-gap critical systems from non-critical ones – that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system.”

Mistry says: “If you look at organisations like ISIS, I can guarantee you they have already tried to hack an aircraft’s wifi network to get on to the instrumentation. There is no need to get into the cockpit; a jihadist could just sit there on an eight-hour flight constantly having a go.”

Even if you can put that out of your mind, Mistry warns that by simply logging on to an airline’s wifi network, you could open yourself up to the risk of hacking. He says cyber criminals are using tools such as legitimate wireless auditing platform Wifi Pineapple to “sniff” for travellers’ data through rogue hotspots.

The same applies to hotels. Dunphy says: “Hotel wifi is public so criminals can ‘spoof’ or otherwise cheat hotel customers into connecting their devices to a network that looks like the hotel’s, and then steal information sent over an infrastructure that they control.”

Morgan says we shouldn’t give in, however. “You can make an argument that wifi shouldn’t be in a lot of places but we don’t want to let the hackers win. We need better security and, fortunately, the cyber industry is making a lot of innovations.”

But he cautions: “There’s a dogfight for cyber talent and I’m not sure hospitality has the calling card to recruit top cyber people. Hotels and are prim and proper. Airlines put most of their people in uniforms. But a lot of the top cybersecurity people are young, with ripped jeans and sneakers.” It’s these people who, behind the scenes, are keeping us safe. Now, go and watch Mr Robot.
