Not too long ago, magnetic stripe card readers were a praiseworthy innovation, but now it brings danger to users and businesses with theft. The risk in using this technology has prompted card companies to move on to more reliable and secure chip-based technology, but the switch can take some time and presents operational challenges for the industry before it is complete. Marie Russo of account data compromise for MasterCard, at a talk at The Hotel Experience in New York City told the attendees that the frequency of data breaches has dropped over the past two years and will continue to do so, however data thieves will be targeting harder the still vulnerable.
“Data thieves will continue moving to the weakest link,” she said. “There has been a large shift to e-commerce as chipped cards proliferate within the market. But magstripes still have retail activity, especially in the hotel, fast food and restaurant industries.”
The article explains:
Russo's message is that hotels need to be on their toes. Anywhere a card is swiped and not dipped vendors have the possibility of running into security issues. Nearly 50 percent of all breaches occur in fast food and hotels, according to Russo, so hotels need to prioritise working with vendors that support chip-based technology.
"Why would you pick a hotel chain? There are a couple of reasons," Russo said. "Does anybody pay cash at a hotel? Unless it's a tiny motel, you are paying with your card. The way hotels tend to be configured, you can break into the main network, and from there you can reach a number of individual franchise locations, and you can do that around the world unless there are firewalls blocking you."
So criminals can not only access some of your guest’s information, they can very likely access all of it. In August, a security researcher was able to modify existing technology to create a device that can duplicate hotel keycards and guestroom keys across a property, something that can only be done to cards using magstripe technology.
Once malicious programs have been loaded onto a point-of-sale system, hackers will be able to easily lift the data off of a card during a single swipe. Then they can load that information into a folder for later extraction from overseas. Chip-based cards are much more secure and lack the many vulnerabilities of magstripe cards because they change their internal information, the configuration of numbers that makes it your data, with every transaction. Because of this, chip-based cards are much more difficult to hack.
"Unfortunately, if you're not accepting chip at this point you are definitely being sought after by hackers," Russo said. "It's their last area where they can turn cards into what we call 'white plastic' or counterfeit."
One of the best defences against data theft is to have good data housekeeping. Russo elaborates that many third-party point-of-sale integrators use ineffective passwords at the time of installation expecting the password will be changed by the hotel operator. This is a great opportune scenario for thieves as operators may fail to change their passwords, or change them to a weaker password.
"Remote access is a great tool that allows operators or managers to access information across multiple properties at once remotely, and they are often on all the time," Russo said. "They are great for criminals because they are often configured the same way, so if they break into one they know how to do it over and over and over again."
Email phishing also remains a threat to hoteliers. Data thieves can impersonate hotel bills, or book a reservation with a hotel and send an email to the property with information that draws the operator to click a link, hence uploading malware and handing over control of the property to hackers.
Russo pointed out that chipped cards are not the only thing to solve security problems, but that there needs to be several other layers of security points in check.
"If your neighbour doesn't have a security system, they don't have a dog and everyone knows where they hide their house keys when they leave town, they will be a target before you will," Russo said. "If you have a chip, that's great, that's one thing you have to do, but you also have to be thinking about tokenisation, encryption and all of those layers."
To read the source article, click here.