The US Secret Service and the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) have strongly advised the hospitality industry firms requiring them to enhance security for their public computers.
It appears that hotel business centres had been invaded by keyloggers. A band of crooks had been arrested because of their compromising computers in hotel business centers in Texas by using stolen credit cards. They would use them to register as guest hotels and afterwards use the computers provided. By simply logging into their Gmail accounts they could afterwards execute malicious “key logging software,” according to the statement letter.
“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts. The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers,” the advisory states.
As the letter on Monday states, “large” amounts of information have already been swiped, so these are far from representing sheer safety measures. The outlaws reportedly didn’t even bother to worry about bringing their malware with them on a USB stick or CD. Instead they allegedly stored it in the iCloud, and simply downloaded it onto the hotel’s computers.
Among the advice given by the NCCIC, hospitality companies are recommended to at least try to limit guest accounts to non-administrator accounts, so that attackers can’t download and install malware with such ease.
Nevertheless this is a prevention measure and nothing more. Just like another advice from the report that brings forward to always assume the following principle: if a computer does not belong to you, this means it is not secure. Therefore no financial operations are to be operated from such a device, nothing that could compromise their private and financial information, along with their account credentials.
As security computer guru Brian Krebs notes, the only secure thing to do with a computer that doesn’t belong to you is to use it for things you would easily show to any stranger. Krebs is the author of a daily blog, KrebsOnSecurity.com, on computer security and cybercrime. From 1995 to 2009, he worked for The Washington Post and and wrote on tech policy, privacy and computer security. During this period he also succeeded in interviewing the famous hacker 0x80.