The accounts of loyalty program members are targets for hackers, but there are steps hoteliers can take to make them more secure.
REPORT FROM THE U.S.—The hotel industry, in general, is a popular target for hackers looking to steal personally identifiable information about guests and staff. One area of potential vulnerability that’s being exploited is hotel brand loyalty programs.
Anything of value, including loyalty points and partner points, will be something hackers want because of the inherent value to them, said Patrick Dunphy, chief information officer at HTNG. Given how much travel has increased in the past 25 years and how many more hotels are offering them now, the long-term value of points is increasing, he said.
“Hospitality companies want to increase the flexibility of the points with hotels and airlines to get more value out of them with the more partners they have,” he said. “As long as the value of points keeps going up, they will always be a target.”
It’s unusual for malicious actors to use the loyalty points they steal from accounts as that would lead to them getting caught, Dunphy said. Instead, they transfer those loyalty points to gift cards through the loyalty program’s partners and other retail stores, he said.
“The more common vector is siphoning off the account, moving points to a third-party account and immediately transferring them to gift cards or electronics,” he said.
Multiple hotel brand companies declined to comment for this article.
Tackling the problem
A group of security leaders has been discussing loyalty program fraud for some time, which has produced some solutions, Dunphy said.
One approach is to develop a delay in how quickly members can redeem their points after they have transferred to another account, he said. If there’s a 24- or 36-hour waiting period, that usually gives someone enough time to notice this change after they receive an email notification about the transfer, he said.
“That doesn’t inhibit people from using points for their own purposes,” he said. “It does remove some of the risk for guests and the hospitality company.”
Analyzing users’ behavior is another way to raise red flags, Dunphy said. If a user typically logs in from the United States, a loyalty program should see a log-in from China and trigger an email alert to the account holder and ask for confirmation of the transfer through a separate channel, he said.
Once hospitality companies educate their guests through their contact preferences, they can start using two-factor authentication for user account access, he said. Members would need to access their account through a secondary form of ID through a text or email, he said.
“It’s usually by phone or text message,” he said. “It’s unusual for the attacker to have access to those.”
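The three controls described above (the redemption delay after a transfer, the unusual-location check with confirmation through a separate channel, and the one-time code sent by text or email) fit together in one flow. The following is an added example written for this article, not code from HTNG, Independent Security Evaluators or any hotel loyalty platform: a toy points ledger in which a transfer debits the sender immediately but is held before the receiving account can spend it, a login from a country other than the member's usual one flags the transfer, and a flagged transfer settles only after the member approves it with a one-time code. The 24-hour hold matches the delay quoted above; the 10-minute code lifetime, account names, point balances and countries are constructed sample data.

```python
# Added example (not from the article): loyalty-points ledger with a transfer
# hold, login-location anomaly flag and out-of-band one-time-code confirmation.
# HOLD_PERIOD follows the 24-hour delay quoted above; CODE_TTL is an assumption.
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HOLD_PERIOD = timedelta(hours=24)
CODE_TTL = timedelta(minutes=10)


@dataclass
class Account:
    member_id: str
    points: int
    usual_country: str                 # where this member normally logs in from
    contact: str                       # phone/email used as the separate channel
    notices: List[str] = field(default_factory=list)   # messages sent to member


@dataclass
class Transfer:
    src: Account
    dst: Account
    points: int
    created: datetime
    flagged: bool                      # login looked anomalous
    code: Optional[str] = None         # one-time confirmation code, if flagged
    confirmed: bool = False
    settled: bool = False
    cancelled: bool = False


class Ledger:
    def __init__(self) -> None:
        self.transfers: List[Transfer] = []

    def request_transfer(self, src, dst, points, login_country, now):
        """Debit the sender now but hold the points instead of crediting the
        receiver; tell the member over the separate channel."""
        if points <= 0 or points > src.points:
            raise ValueError("invalid amount")
        flagged = login_country != src.usual_country
        t = Transfer(src, dst, points, now, flagged)
        src.points -= points
        self.transfers.append(t)
        if flagged:
            t.code = f"{secrets.randbelow(10**6):06d}"
            src.notices.append(f"to {src.contact}: transfer of {points} points "
                               f"requested from {login_country}; code {t.code} to approve")
        else:
            src.notices.append(f"to {src.contact}: {points} points transferred; "
                               f"redeemable after {now + HOLD_PERIOD:%Y-%m-%d %H:%M}")
        return t

    def confirm(self, t, code, now):
        """Out-of-band approval: expiring, single-use, constant-time compare."""
        if t.code is None or now - t.created > CODE_TTL:
            return False
        if not hmac.compare_digest(t.code, code):
            return False
        t.confirmed, t.code = True, None
        return True

    def cancel(self, t):
        """Member or fraud team reverses a transfer that is still on hold."""
        if t.settled or t.cancelled:
            return False
        t.cancelled = True
        t.src.points += t.points
        return True

    def settle(self, t, now):
        """Credit the receiver only after the hold and, if flagged, only once confirmed."""
        if t.settled or t.cancelled or now < t.created + HOLD_PERIOD:
            return False
        if t.flagged and not t.confirmed:
            return False
        t.settled = True
        t.dst.points += t.points
        return True

    def redeem(self, acct, points, now):
        """Only settled points can be spent (e.g. on a partner gift card)."""
        for t in self.transfers:
            if t.dst is acct:
                self.settle(t, now)
        if points > acct.points:
            return False
        acct.points -= points
        return True


def attack_scenario():
    """Stolen credentials used from an unusual country to move points to a
    third-party account (constructed sample data)."""
    now = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    victim = Account("m-1", 50_000, "US", "+1-555-0100")
    mule = Account("m-2", 0, "CN", "mule@example.invalid")
    ledger = Ledger()
    t = ledger.request_transfer(victim, mule, 40_000, "CN", now)
    cash_out = ledger.redeem(mule, 40_000, now + timedelta(minutes=5))   # hold blocks it
    guessed = ledger.confirm(t, "wrong-code", now + timedelta(minutes=6))  # attacker lacks the phone
    cancelled = ledger.cancel(t)   # member saw the notice and reversed the transfer
    return t.flagged, cash_out, guessed, cancelled, victim.points, mule.points


def legitimate_scenario():
    """Member logs in from the usual country; the transfer settles after the hold."""
    now = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    member = Account("m-1", 50_000, "US", "+1-555-0100")
    partner = Account("p-1", 0, "US", "member@example.invalid")
    ledger = Ledger()
    t = ledger.request_transfer(member, partner, 10_000, "US", now)
    too_early = ledger.redeem(partner, 10_000, now + timedelta(hours=23))
    later = ledger.redeem(partner, 10_000, now + timedelta(hours=25))
    return t.flagged, too_early, later, partner.points, member.points
```

In the attack scenario the mule account cannot cash out inside the hold, the attacker cannot approve the flagged transfer without the member's phone, and the member's cancellation restores the balance; in the legitimate scenario nothing is flagged and the points simply become spendable once the hold elapses, which is the "doesn't inhibit people from using points for their own purposes" property described above.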
There are three main stakeholders when it comes to protecting loyalty program accounts: hoteliers, the vendors who sell the technology and the users, said Ted Harrington, executive partner at Independent Security Evaluators.
“When you think about where the weaknesses are and about the defense postures, it’s a different issue with each of these stakeholders,” he said.
There is a perception that security falls apart when users have bad passwords, which can lead to a defeatist attitude regarding security, he said. However, he added, when attackers are looking to access private information, they’re going to go where they can make the most return on their investment, which usually isn’t going after users one at a time.
“I can make a more significant return on investment if I can pop the application itself,” he said regarding hackers’ mindset.
That said, users’ password security is important, Harrington said. Hoteliers can remind loyalty program users to create unique passwords for everything. While that can create extra work for users, it means that should their account be compromised at some point, the hackers can’t use the same credentials across all their accounts, he said.
Harrington said hoteliers should be focused on the implementation and integration of multiple technologies, with primary interests in where weaknesses are, where the system is improperly deployed, whether the software is updated and patched properly and if there are overly permissive trusts between the property-management system and third-party systems that have cloud integration.
Hoteliers should understand and implement a threat model, and understand and implement a trust model, he said.
“They should request to see the security assessment reports from their vendors,” he said. “If vendors are not performing security assessments, that should be a requirement, but most are already doing that. Once they receive a report, that should not be in and of itself sufficient. Scrutinize the report and understand the methodology. Did they just do basic penetration testing and scanning, or did they apply a more manual white box approach?”
Vendors should approach defense by thinking like a sophisticated attacker, Harrington said. Many hospitality vendors are reliant on automatic scanning and basic penetration testing, but that’s not where the attackers will stop, he added.
“They don’t just run a scan, take the results and stop,” he said. “If they want to exploit the system, they will investigate further. They’ll invest time, money and manpower. As defenders, vendors must investigate their systems at least at the same level of scrutiny a sophisticated attacker would.”
Some vendors will supply tech that is secure out of the box, which means every security feature is turned on and it’s up to hoteliers to turn off features as they see fit, Harrington said. Most tech comes insecure out of the box, he said, so hoteliers must turn on the features as they deploy the tech.
“It’s important because a hotelier might buy technology that has a tremendous amount of security and benefits to it, but they might deploy it not realizing it’s not turned on,” he said.
When installing new tech, vendors and hoteliers need to take into consideration how it will interact with existing systems to make sure they perform as intended, he said.