Saturday, October 21, 2017
Reports of a second security breach at Hyatt Hotels and orchestrated attacks against Wi-Fi networks highlight the need for enhanced protections, security analysts say. Security consultant and author Brian Krebs of KrebsonSecurity reported Oct. 17, 2017, that hackers infiltrated Hyatt's payment systems between March 18, 2017 and July 2, 2017. An earlier breach in 2015 had compromised 250 Hyatt properties in 50 countries, including 5 U.S. locations, he noted.
"Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware," Krebs stated.
Lisa Baergen, Marketing Director at NuData Security Inc, noted that the travel and leisure industry, like so many consumer-facing sectors, has repeatedly proven to be extremely vulnerable to breaches. "This latest concerning breach is just one more reason why companies such as Hyatt must adopt more advanced security and authentication measures based on trusted identity, and consumers must diligently, routinely check their credit files for suspicious credit applications and consider freezing their credit profiles," she said.
Drawing attention to another area of concern, analysts stated that the KRACK exploit revealed cybercriminals exploiting vulnerabilities in WPA2 security by inserting a decryption key into secure Wi-Fi networks to steal banking credentials and financial data. They urged banks, merchants and other organizations to keep router patches and settings up to date and to implement multilayered security solutions to protect customers and gain their loyalty and trust.
"The best way to do this is through broad adoption of multilayered solutions including behavioral biometric authentication," Baergen said. "This approach means that users are authenticated based on their online behaviors, which makes them tremendously resistant to impersonation – so the usability of the data behind the authentication process is nulled, and the organizations and institutions adopting this approach won't be defrauded."
Chad Horton, Senior Director of Penetration Testing at SecurityMetrics, said Wi-Fi-enabled, connected devices routinely broadcast their network IDs while looking for a connection, making it easy for criminals to spoof an individual's home, office or coffee shop network. "Always take note of the SSID and name of the wireless network," he said. "Man-in-the-middle attacks fool your computer into connecting to a rogue network. Always look for the SSL lock, because many attacks will prevent your browser from connecting through SSL."
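The rogue-network scenario Horton describes can be checked from the defender's side by comparing a live scan against a saved profile of trusted networks. The following Python script is an added example, not code from the article, SecurityMetrics or any vendor named here; the trusted profile, the BSSIDs, the `SSID,BSSID,SECURITY` scan format and the sample scan are all constructed for illustration. It flags an access point that advertises a trusted SSID from an unknown BSSID, one that offers weaker security than the trusted profile expects, and an untrusted name that several access points advertise with disagreeing security settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str      # access-point MAC, normalised to lower-case
    security: str   # "open", "WEP", "WPA", "WPA2" or "WPA3"


# Ordering used to detect a downgrade relative to the expected security.
SECURITY_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Hypothetical trusted profile a user or admin saves after a known-good connection:
# SSID -> (set of known BSSIDs, expected security). Values are constructed.
TRUSTED_PROFILE = {
    "HomeNet":    ({"aa:bb:cc:00:00:01"}, "WPA2"),
    "OfficeWiFi": ({"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}, "WPA2"),
}


def parse_scan(text):
    """Parse constructed 'SSID,BSSID,SECURITY' lines; this is not a real tool's output format."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security = (part.strip() for part in line.split(","))
        entries.append(ScanEntry(ssid, bssid.lower(), security))
    return entries


def find_rogue_indicators(scan, trusted=TRUSTED_PROFILE):
    """Return (ssid, bssid, reason) tuples for scan entries that disagree with the trusted profile."""
    findings = []
    by_ssid = {}
    for entry in scan:
        by_ssid.setdefault(entry.ssid, []).append(entry)

    for ssid, entries in by_ssid.items():
        if ssid in trusted:
            known_bssids, expected = trusted[ssid]
            for e in entries:
                # A familiar name from an unfamiliar access point is the classic evil-twin sign.
                if e.bssid not in known_bssids:
                    findings.append((ssid, e.bssid, "unknown BSSID advertising a trusted SSID"))
                # A familiar name with weaker (or no) encryption than we saved is a downgrade.
                if SECURITY_RANK.get(e.security, 0) < SECURITY_RANK[expected]:
                    findings.append((ssid, e.bssid,
                                     f"security weaker than expected ({e.security} < {expected})"))
        else:
            # For names we have no profile for, several access points disagreeing on
            # encryption for the same SSID is worth a second look before connecting.
            if len({e.security for e in entries}) > 1:
                for e in entries:
                    findings.append((ssid, e.bssid, "same SSID advertised with mixed security"))
    return findings


# Constructed sample scan, not a real capture.
SAMPLE_SCAN = """
# SSID,BSSID,SECURITY
HomeNet,AA:BB:CC:00:00:01,WPA2
HomeNet,DE:AD:BE:EF:00:01,open
OfficeWiFi,aa:bb:cc:00:00:10,WPA2
CoffeeShop,11:22:33:44:55:66,WPA2
CoffeeShop,11:22:33:44:55:77,open
"""

if __name__ == "__main__":
    for ssid, bssid, reason in find_rogue_indicators(parse_scan(SAMPLE_SCAN)):
        print(f"[!] {ssid} ({bssid}): {reason}")
```

On the sample scan the script reports the second `HomeNet` access point twice (unknown BSSID and open instead of WPA2) and both `CoffeeShop` entries for mixed security, while the known `OfficeWiFi` access point passes silently. The profile has to be populated from a connection the user already trusts; the check cannot tell a legitimate new access point from a rogue one on its own, it only surfaces what has changed.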
Horton said device manufacturers and mobile network operators can also do more to protect connected devices and workstations. "Android can be a treacherous ecosystem for consumers to navigate, because the OS is controlled by your cellphone provider and you're at their mercy for software updates," he noted. "You may not be able to get the latest upgrade. When people call their mobile carriers about a patch, they frequently hear, 'we'll get to it.' The next Android updates are due out Nov. 6, 2017, almost a month behind schedule. iOS devices and Nexus phones that are supported by Google, generally receive better updates and support."
Dr. Steven Murdoch, Innovation Security Architect at VASCO Data Security and Principal Research Fellow at University College London, stated that manufacturers often do not fix vulnerabilities in older products, particularly those that aren't being actively promoted. "It is likely that the vulnerability will persist for years, through to end-of-life and up to disposal, in products such as Android smartphones and [Wi-Fi] routers," he said. "This unfortunate situation has led to calls for hardware manufacturers to prominently state how long they will continue to supply security updates for products they sell."