A growing emphasis by computer hackers on stealing payment card data from hotels and resorts and their increasingly sophisticated malicious software and attack methods are two highlights in a new report from security consulting and technology firm Trustwave Holdings Inc.
Trustwave’s Global Security Report 2010 summarizes findings from the Chicago-based firm’s investigations of 200-plus data breaches last year as well as 1,800 penetration tests of clients’ computer systems to find vulnerabilities. It’s the third such annual report Trustwave has done, and the number of data breaches has gone up every year, according to Nicholas J. Percoco, senior vice president of SpiderLabs, Trustwave’s investigative and research division. Hackers went after payment card data in 98% of the cases SpiderLabs investigated.
Restaurants for some time had been the most frequent targets of hackers looking for card data—data often stored on the older point-of-sale software systems common in many restaurants—but Trustwave’s new report shows that attackers are shifting toward the hospitality industry. Hotels and resorts accounted for 38% of the breaches that SpiderLabs investigated last year. This new focus on the hospitality industry is part of a movement by computer criminals away from opportunistic or random attacks and toward more targeted ones. “Hackers learned about a specific attack method and created cookie-cutter attacks,” Percoco tells Digital Transactions News.
A common feature of most hotel/resort data breaches was the use by hackers of so-called remote-access application attacks. In such an attack, the intruder logs in through an Internet-facing remote-administration channel that in-house information-technology staff or an outside IT vendor set up to service the hotel’s computer systems, whose software typically intermingles payment card data with related business data. Many such systems are lightly defended from outside attack. “The majority have very weak passwords,” Percoco says. In fact, some had no passwords at all, while others used default passwords or common, easily guessed ones.
Hackers use remote-access application attacks against not just hotels but other businesses too, and the method is their most popular way of breaking into computer systems. Other frequently used attack methods include third-party connectivity, in which an attacker reaches dispersed data networks through a trusted link, such as a physical telecommunications line, that connects them to a partner or vendor; and SQL injection, in which attacker-supplied input is passed into an application’s database queries so that it runs as SQL commands of the attacker’s choosing.
After gaining access to a computer system, hackers still have to actually capture the information they want and get it out. Harvesting such data is getting more sophisticated as security standards, including the Payment Application Data Security Standard, or PA-DSS, take hold and reduce insecure data-storage practices, according to the report.