auditing archives: the case of the overly helpful front desk clerk
DESCRIPTION
Front desk clerks are friendly, sometimes to a fault, but friendly doesn't necessarily equal secure. A front desk clerk who helps you print your afternoon boarding pass on the same computer that was just used to run your credit card violates a serious security protocol.
TRANSCRIPT
Auditing Archives Series
The Case of the Overly Helpful Front Desk Clerk
Business background
Popular vacation resort built a mountain retreat to lodge guests taking extended holidays.
Employed front desk clerks and a concierge who accepted payments, facilitated check-ins, and helped customers find information online.
How hackers got in
A front desk clerk used her computer to process a customer's credit card, then helped him find a top-rated restaurant for his anniversary dinner.
Unbeknownst to her, she clicked on a malicious link that had been added to a legitimate restaurant page by a hacker.
What is a malicious link?
The goal is to get users to willingly click on a link that automatically downloads harmful malware onto their system, or redirects to a spoofed website.
Malicious links can be found in phishing emails but also on regular, legitimate websites.
How hackers got in
The link automatically downloaded keylogger malware to the clerk's front desk computer.
The malware recorded every keystroke and any card swipe taken by a USB-connected mag stripe reader.
The malware on the infected computer began secretly scraping payment card data whenever a card was swiped.
What the business did wrong
Using an unencrypted USB magnetic stripe reader is an insecure practice.
What’s wrong with a USB card swipe device?
Most hotel property management systems read credit cards by attaching a USB card reader to the computer.
In most cases this device emulates a normal keyboard and transfers the card swipe data using clear text. Attackers can easily access and read information in clear text.
Encrypt-at-swipe readers are a potential solution to make card data unusable to cybercriminals.
What the business did wrong
Accepting credit cards on the same machine used to browse the Internet is an insecure practice.
Segmentation and employee training could have solved this very common hotel problem.
What is segmentation?
Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don't.
Segmentation is a very secure practice because it’s impossible for sensitive data to leak outside of its allotted area.
What they should have done
The resort should have dedicated one front desk computer to browse the Internet on the guest network with no access to the POS system.
The other machines used for taking credit cards should have no or very limited access to the Internet.
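The segmentation the slides recommend, expressed as an egress policy check. This is an added example, not SecurityMetrics' code or any resort's real configuration; the subnets and the payment gateway address are constructed placeholders, and the rule set is one reasonable reading of "dedicated browsing PC on the guest network, card-taking machines with no or very limited Internet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (hypothetical values, not a real network).
CARDHOLDER_NET = ipaddress.ip_network("10.10.20.0/24")  # desks that swipe cards
GUEST_NET = ipaddress.ip_network("10.10.30.0/24")       # dedicated browsing PC
PAYMENT_GATEWAY = ipaddress.ip_address("203.0.113.10")  # placeholder processor IP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in CARDHOLDER_NET:
        return "cardholder"
    if ip in GUEST_NET:
        return "guest"
    return "external"


def is_allowed(flow: Flow) -> bool:
    """Segmentation policy: cardholder desks may only reach the payment
    gateway over HTTPS; the guest browsing PC may reach the web but never
    the cardholder segment; nothing inbound from outside is accepted."""
    src, dst = _zone(flow.src), _zone(flow.dst)
    if src == "cardholder":
        return (dst == "external"
                and ipaddress.ip_address(flow.dst) == PAYMENT_GATEWAY
                and flow.dport == 443)
    if src == "guest":
        return dst == "external" and flow.dport in (80, 443)
    return False  # external or unknown source: deny


def audit(flows):
    """Return the flows a firewall in front of the POS segment should drop."""
    return [f for f in flows if not is_allowed(f)]


# Constructed flows mirroring the incident: the card desk browsing a restaurant
# site (dropped), an unexpected outbound connection from the same desk
# (dropped), and the guest PC trying to reach the POS subnet (dropped).
SAMPLE_FLOWS = [
    Flow("10.10.20.5", "203.0.113.10", 443),   # card authorization: allowed
    Flow("10.10.20.5", "198.51.100.7", 80),    # restaurant lookup from card desk
    Flow("10.10.20.5", "198.51.100.99", 443),  # unexpected egress from card desk
    Flow("10.10.30.5", "198.51.100.7", 443),   # same lookup from guest PC: allowed
    Flow("10.10.30.5", "10.10.20.5", 445),     # guest PC into cardholder segment
]
```

Running `audit(SAMPLE_FLOWS)` returns the three flows the policy blocks, including the exact browse-from-the-card-desk action that started the incident.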
SecurityMetrics