Point-of-sale devices become point-of concern devices as cyber criminals target hotels. Read on to discover how cyber crime gangs are finding hotel point-of-sale systems more and more favorable to attack as IT Governance, Julia Dutton, outlines how the attacks are perpetrated, changes in the rules of compliance and what you need to do to comply with upcoming regulations.
The hospitality industry is a notoriously easy target for cyber criminals and attackers, who are lured by the lucrative rewards offered by taking advantage of point-of-sale (POS) systems, the high volume of transactions, hotel loyalty programmes and booking databases.
Statistics from the 2014 Data Breach Investigations Report showed that hospitality and leisure accounted for 11% of all breaches.
Point-of-sale devices are a common target for cyber criminals. According to the Report, 38% of POS hacking attacks involved stolen credentials, and 31% of confirmed data breaches over the last three years involved POS intrusion.
The attack pattern on POS devices can simplistically be described as follows: compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data, and cash in.
Marriott data breach
Recently, POS devices were blamed for fraud on credit and debit cards that were used at Marriott hotels. Many of the same hotels were previously breached in 2013, when thousands of customers’ credit card and debit card information was stolen. The breach was attributed to malware that was installed on point-of-sale systems at restaurants and bars within the hotels.
Last month, numerous POS devices belonging to POS provider NEXTEP were hacked. NEXTEP provides POS devices to a host of cafeterias and restaurants in the US. Another incident last year involved Signature Systems admitting responsibility for the POS-related breach that affected 216 restaurants in the American Jimmy John’s restaurant chain.
There is ample room for an attack in a hotel via its hospitality management system (HMS), POS devices, Wi-Fi network, hotel network infrastructure or online booking system.
Hoteliers must be able to demonstrate PCI compliance across all IT systems that store, transmit or process credit card data. This generally includes POS and back-office systems. Failure to comply with PCI requirements can result in penalties or sanctions from members of the payment card industry.
The Verizon PCI DSS Compliance Report 2015 recommends that you make absolutely sure that all passwords used for remote access to POS systems are strong. “We often see factory defaults, the name of the POS vendor, a dictionary word and other weak credentials used. If a third party handles this, insist that a strong password is used, and verify it. And ensure that they don’t use the same credentials for multiple customers.”
Service providers to use unique credentials from July 2015
PCI DSS v3.1 introduces a new control, 8.5.1, which will be effective from 1 July 2015 and requires service providers to use unique credentials for each customer. “In the past many third parties that employed remote access to provide services, like POS systems or IT support, used the same credentials for multiple customers. This control will reduce the risk that the compromise of one company will lead to many organisations being breached.”
Physical security of POS devices essential
Electronic skimming devices continue to be used by criminals to steal credit and debit card information. Physical access can greatly reduce the effort required to compromise a system. “Without appropriate physical security, attackers (or rogue staff) can remove or copy information by tampering with POS devices, stealing paper receipts, or many other methods.”
Requirement 9 of the PCI DSS requires that organisations must protect POS devices against tampering and substitution.
A new requirement introduced by the PCI DSS relates to the physical security of payment terminals. Requirement 9.9 stipulates that devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution.
This control requires:
- An up-to-date inventory of all devices, including details like serial numbers.
- Periodic surface inspections of all devices, and checks to ensure they were not substituted.
- Training to ensure that all staff are able to identify a suspicious card reader and know the proper procedure to follow in such cases