If there is one thing the InterContinental Hotels breach highlighted, it’s that stealing credit card information has become a much easier feat than it used to be in the past.
Hackers appear to have gained access to the hotels’ network by using malware to enter their front desk Point-of-Sale (POS) terminals, where customers paid for their stay. In the past, stealing credit card verification codes used to be pretty complicated, but today, it can be done in a matter of seconds.
Hackers likely used a spear-phishing email scam to enter the hotels’ computer network. After having installed the malware, the hackers gained access to the hotels’ servers, and were able to get all credit and debit card information from customers using the hotels’ front desk payment terminals, as the information was being transported through a server after a customer swipes their card at an affected POS.
This way, they managed to get all the info on a card’s magnetic strip, including the verification codes.
Alternatively, attackers could have also used an SQL injection attack which is also a common tactics for infiltrating a private organization’s network.
The Internet of Things is making it possible for POS terminals to be connected to all sorts of applications and devices, which helps improve customer experience and allows businesses to conduct their operations faster and more efficiently. But, that is also what is making these systems more vulnerable to hacking attacks. It’s exactly this connectivity that leaves POS softwares prone to spear-phishing or SQL injection attacks.
Another major security issue is that most POS terminals run on Windows XP or Linux, operating systems that are quite old and don’t have the proper cyber-security capabilities for preventing sophisticated data breaches.
IHG could have detected the intrusion sooner if they had been monitoring their network continuously in search for indicators of an infection. There are various types of infection indicators, including file, system, network, and interface indicators, which if identified on time, can help organizations quickly prevent an infection from spreading across the network.
To better protect customers against credit card frauds, hotels could use biometric billing systems, which require a customer to authorize every transaction by leaving a fingerprint, confirming their true identity. Also, there are biometric and facial recognition systems that are a very effective tool for making sure the person checking in or out of a hotel is not a criminal using stolen personal and credit card information.