When we wish someone well before they leave on a journey, we are generally referring to their physical safety while in transit. But, increasingly, there’s another consideration – their online security. Over the past year, compromises of payment card data from Point-of-Sale (POS) systems, network intrusions against third-party suppliers, and cyber espionage campaigns against visitors using hotel Wi-Fi networks have plagued the travel and hospitality industries.
Financially-motivated actors seeking to compromise payment card details use malware to extract this data from POS systems or devices as well as physical skimming devices. Based on the 20 POS malware variants that have been documented and numerous reports of breaches, the travel and hospitality industries have been under siege.
Some high-profile intrusions in the last year demonstrate a trend of third-party supplier attacks in which financially motivated actors impact multiple companies by compromising their supplier to access sensitive or valuable data. Threat actors have also targeted hotel Wi-Fi networks in an information gathering and cyber espionage campaign against travellers to Europe and the Middle East. They choose to target these networks because they are deemed less secure and can be leveraged to perform additional actions, such as stealing credentials and moving laterally within networks.
So what can you do to mitigate risk? While the Europay, MasterCard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is on the rise. Consider using 3D Secure as an additional layer of security. To prevent lateral movement once inside the network, restricting workstation-to-workstation communication by using host-based firewall rules is also encouraged. Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity. With the help of Google Alerts or open source web crawlers, monitor for mentions of your company on cardable websites, suppliers’ names and for credential dumps relevant to your accounts. Routinely train employees about the risks of spam and spearphishing and how to avoid becoming a victim.
- The writer is CEO, Digital Shadows
