Magnetic stripe card readers were at one time the most innovative payment solution on the planet, but today they represent a danger to users and businesses. This has prompted card companies to turn to more reliable and secure chip-based technology, but the switch may present some operational challenges for the industry before it is complete. At a talk held recently at HX: The Hotel Experience in New York City, Marie Russo, SVP of account data compromise for MasterCard, told those in attendance that while the frequency of data breaches has dropped over the past two years and will continue to drop, data thieves will be looking harder than ever for low-hanging fruit.
"Data thieves will continue moving to the weakest link," she said. "There has been a large shift to e-commerce as chipped cards proliferate within the market. But magstripes still have retail activity, especially in the hotel, fast food and restaurant industries."
Russo's message is that hotels need to be on their toes. Anywhere a card is swiped and not dipped vendors have the possibility of running into security issues. Nearly 50 percent of all breaches occur in fast food and hotels, according to Russo, so hotels need to prioritize working with vendors that support chip-based technology.
"Why would you pick a hotel chain? There are a couple of reasons," Russo said. "Does anybody pay cash at a hotel? Unless it's a tiny motel, you are paying with your card. The way hotels tend to be configured, you can break into the main network, and from there you can reach a number of individual franchise locations, and you can do that around the world unless there are firewalls blocking you."
Because of this, if criminals can access some of your guest's information they can most likely access all of it. What's more, in August a security researcher was able to modify existing technology to create a device capable of duplicating hotel keycards and guestroom keys across a property, something that can only be done to cards using magstripe technology.
If malicious programs have been loaded onto a point-of-sale system, hackers will be able to lift the data off of a card during a single swipe. They can load that information into a file for later extraction, which often takes place outside of the U.S. Chip-based cards lack many of the vulnerabilities of magstripe cards because they change their internal information, the configuration of numbers that makes it your data, with every transaction. Because of this, chip-based cards are much more difficult to compromise.
"Unfortunately, if you're not accepting chip at this point you are definitely being sought after by hackers," Russo said. "It's their last area where they can turn cards into what we call 'white plastic' or counterfeit."
Defensive Strategy
One of the best ways to ensure hackers are unable to even attempt to compromise your systems is to have good data housekeeping. Russo said many third-party point-of-sale integrators use benign or ineffective passwords at installation with the expectation that they will eventually be changed by the hotel operator. The mistake comes when the operator fails to change their passwords, or changes them to a more ineffective password.
"Remote access is a great tool that allows operators or managers to access information across multiple properties at once remotely, and they are often on all the time," Russo said. "They are great for criminals because they are often configured the same way, so if they break into one they know how to do it over and over and over again."
Email phishing also remains an effective method of gathering guest information. Data thieves can impersonate hotel bills, or book a reservation with a hotel and send an email to the property with information that encourages operators to click a link, uploading malware and handing over control of the property to hackers.
Russo was quick to note that chipped cards are not a "silver bullet" solving all security problems. She related it to having a home security system, but if you also have a guard dog and several other layers of security.
"If your neighbor doesn't have a security system, they don't have a dog and everyone knows where they hide their house keys when they leave town, they will be a target before you will," Russo said. "If you have a chip, that's great, that's one thing you have to do, but you also have to be thinking about tokenization, encryption and all of those layers."