
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk


Front desk clerks are friendly, sometimes to a fault, but friendly doesn't necessarily equal secure. A front desk clerk who helps you print your afternoon boarding pass on the same computer that was just used to run your credit card violates a serious security protocol.

Published in: Business

  1. Auditing Archives Series: The Case of the Overly Helpful Front Desk Clerk
  2. Business background: A popular vacation resort built a mountain retreat to lodge guests taking extended holidays.
  3. Business background: It employed front desk clerks and a concierge who accepted payments, facilitated check-ins, and helped customers find information online.
  4. How hackers got in: A front desk clerk used her computer to process a customer's credit card, then helped him find a top-rated restaurant for his anniversary dinner. Unbeknownst to her, she clicked on a malicious link that a hacker had added to a legitimate restaurant page.
  5. What is a malicious link? The goal is to get users to willingly click a link that automatically downloads malware onto their system or redirects them to a spoofed website. Malicious links appear in phishing emails but also on regular, legitimate websites.
  6. How hackers got in: The link automatically downloaded keylogger malware to the clerk's front desk computer. The malware recorded every keystroke and every card swipe taken by the USB-connected magnetic stripe reader, and the infected computer began secretly scraping payment card data whenever a card was swiped.
  7. What the business did wrong: Using an unencrypted USB magnetic stripe reader is an insecure practice.
  8. What's wrong with a USB card swipe device? Most hotel property management systems read credit cards through a USB card reader attached to the computer. In most cases this device emulates a normal keyboard and transfers the card swipe data in clear text, which is why a keylogger on that computer could capture it as easily as anything typed. Attackers can easily read information sent in clear text. Encrypt-at-swipe readers are a potential solution that makes the card data unusable to cybercriminals.
  9. What the business did wrong: Accepting credit cards on the same machine used to browse the Internet is an insecure practice. Segmentation and employee training could have prevented this very common hotel problem.
  10. What is segmentation? Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don't. Segmentation is a very secure practice because sensitive data cannot leak outside its allotted area.
  11. What they should have done: The resort should have dedicated one front desk computer to browsing the Internet on the guest network, with no access to the POS system. The other machines, used for taking credit cards, should have had no or very limited Internet access.
  12. SecurityMetrics: We Protect Business. Services: PCI, HIPAA, and data security solutions for businesses of all sizes. Qualifications: global provider of ASV, QSA, PFI, PA-QSA, and P2PE services. Experience: assisted over 1 million organizations with compliance needs.
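As an added example (not SecurityMetrics' own code), the kind of card-data discovery check a PCI scan or endpoint monitor runs on a front desk machine: it looks for the clear-text track 1 and track 2 records that a keyboard-emulating reader types (slide 8), confirms each PAN with the Luhn check so stray digit runs are not reported, and returns only masked values. The sample keystroke text, the 4111... test card number, and the encrypt-at-swipe placeholder are constructed for this example.

```python
import re

# ISO 7813 track layouts exactly as a keyboard-wedge reader types them:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects digit runs (invoice numbers etc.) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """One masked finding per Luhn-valid track 1 or track 2 record found in text."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # shaped like track data, but the PAN is not a real one
            expiry = m.group(3) if track == 1 else m.group(2)
            findings.append({"track": track, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry_yymm": expiry})
    return findings

# Constructed sample: what a clear-text reader types into a PMS field, using
# the well-known 4111... test card number, plus a Luhn-invalid look-alike.
SAMPLE_CLEAR = ("guest lookup smith\n"
                "%B4111111111111111^DOE/JANE^2512101000000000?"
                ";4111111111111111=2512101123456789?\n"
                ";4111111111111112=2512101123456789?\n")
# Constructed placeholder for what an encrypt-at-swipe reader types instead:
# ciphertext, so the same scan finds nothing to report.
SAMPLE_ENCRYPTED = "ENCRYPTED_BLOB_PLACEHOLDER_0123abcd\n"

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_CLEAR):
        print(hit)
    print("encrypt-at-swipe reader:", find_track_data(SAMPLE_ENCRYPTED))
```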