SecurityMetrics, profile picture
Uploaded bySecurityMetrics
PPTX, PDF1,303 views

Auditing Archives: The Case of the Overly Helpful Front Desk Clerk

A popular vacation resort suffered a data breach when a front desk clerk clicked on a malicious link while assisting a customer, resulting in the download of keylogger malware that captured credit card information. The business made critical mistakes by using an unencrypted USB card reader and accepting credit card payments on the same machine used for internet browsing. Implementing network segmentation and proper employee training could have prevented the breach and secured sensitive information.

Embed presentation

Download to read offline
Auditing Archives Series The Case of the Overly Helpful Front Desk Clerk
Business background Popular vacation resort built a mountain retreat to lodge guests taking extended holidays.
Business background Employed front desk clerks and a concierge who accepted payments, facilitated check ins, and helped customers find information online.
How hackers got in A front desk clerk used her computer to process a customer’s credit card, then helped him find a top-rated restaurant for his anniversary dinner. Unbeknownst to her, she clicked on a malicious link that had been added to a legitimate restaurant page by a hacker.
What is a malicious link? The goal is to get users to willingly click on a link that automatically downloads harmful malware onto their system, or redirects to a spoofed website. Malicious links can be found in phishing emails but also on regular, legitimate websites.
How hackers got in The link automatically downloaded keylogger malware to the clerk’s front desk computer. The malware recorded every keyboard click and any card swipe taken by a USB connected mag stripe reader. The infected computer’s malware began secretly scraping payment card data whenever it was swiped.
What the business did wrong Using an unencrypted USB magnetic stripe reader is an insecure practice.
What’s wrong with a USB card swipe device? Most hotel property management systems read credit cards by attaching a USB card reader to the computer. In most cases this device emulates a normal keyboard and transfers the card swipe data using clear text. Attackers can easily access and read information in clear text. Encrypt-at-swipe readers are a potential solution to make card data unusable to cybercriminals.
What the business did wrong Accepting credit cards on the same machine used to browse the Internet is an insecure practice. Segmentation and employee training could have solved this very common hotel problem.
What is segmentation? Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don’t. Segmentation is a very secure practice because it’s impossible for sensitive data to leak outside of its allotted area.
What they should have done The resort should have dedicated one front desk computer to browse the Internet on the guest network with no access to the POS system. The other machines used for taking credit cards should have no or very limited access to the Internet.
SecurityMetrics We Protect Business Services PCI, HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs

More Related Content

PPTX
PPT on Phishing
byPankaj Yadav
 
PPTX
Phishing Attacks - Are You Ready to Respond?
bySplunk
 
PPTX
Phishing
bySagar Rai
 
PPT
Intro phishing
bySayali Dayama
 
PPT
Phishing attacks ppt
byAryan Ragu
 
PPT
Internet Banking Attacks (Karel Miko)
byDCIT, a.s.
 
PPT
Phishing
byHK Khemnani
 
PPT
E-Banking Web Security
byDragos Lungu
 
PPT on Phishing
byPankaj Yadav
 
Phishing Attacks - Are You Ready to Respond?
bySplunk
 
Phishing
bySagar Rai
 
Intro phishing
bySayali Dayama
 
Phishing attacks ppt
byAryan Ragu
 
Internet Banking Attacks (Karel Miko)
byDCIT, a.s.
 
Phishing
byHK Khemnani
 
E-Banking Web Security
byDragos Lungu
 

What's hot

PPTX
Ssp fraud risk vulnerablity in ebanking
bysathyananda prabhu
 
PPTX
Attack chaining for web exploitation
byn|u - The Open Security Community
 
PPTX
Digital certificate
byKomal Agarwal
 
PPTX
Phishing--The Entire Story of a Dark World
byAvishek Datta
 
PPTX
What is Phishing and How can you Avoid it?
byQuick Heal Technologies Ltd.
 
PDF
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
byCTM360
 
PPTX
Phishing
bySyeda Javeria
 
PPT
Phishing detection & protection scheme
byMussavir Shaikh
 
PDF
Phishing
bydefquon
 
PPTX
Detection of phishing websites
bym srikanth
 
PDF
Phishing Attacks: A Challenge Ahead
byeLearning Papers
 
PPT
Introduction to phishing
byRaviteja Chowdary Adusumalli
 
PPTX
Phishing technology
byharpinderkaur123
 
PPTX
Panama Papers Leak and Precautions Law firms should take
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PDF
The Immune System of Internet
byMohit Kanwar
 
PPTX
Newbytes NullHyd
byn|u - The Open Security Community
 
PDF
Detecting phishing websites using associative classification (2)
byAlexander Decker
 
PPTX
E commerce
byHumayun Khalid Qureshi
 
PPT
Strategies to handle Phishing attacks
bySreejith.D. Menon
 
PDF
Avoiding Two-factor Authentication? You're Not Alone
byPortalGuard
 
Ssp fraud risk vulnerablity in ebanking
bysathyananda prabhu
 
Attack chaining for web exploitation
byn|u - The Open Security Community
 
Digital certificate
byKomal Agarwal
 
Phishing--The Entire Story of a Dark World
byAvishek Datta
 
What is Phishing and How can you Avoid it?
byQuick Heal Technologies Ltd.
 
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
byCTM360
 
Phishing
bySyeda Javeria
 
Phishing detection & protection scheme
byMussavir Shaikh
 
Phishing
bydefquon
 
Detection of phishing websites
bym srikanth
 
Phishing Attacks: A Challenge Ahead
byeLearning Papers
 
Introduction to phishing
byRaviteja Chowdary Adusumalli
 
Phishing technology
byharpinderkaur123
 
Panama Papers Leak and Precautions Law firms should take
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
The Immune System of Internet
byMohit Kanwar
 
Newbytes NullHyd
byn|u - The Open Security Community
 
Detecting phishing websites using associative classification (2)
byAlexander Decker
 
E commerce
byHumayun Khalid Qureshi
 
Strategies to handle Phishing attacks
bySreejith.D. Menon
 
Avoiding Two-factor Authentication? You're Not Alone
byPortalGuard
 

Similar to Auditing Archives: The Case of the Overly Helpful Front Desk Clerk

PPTX
Hacking Point of Sale
byTripwire
 
PPTX
WKU PCI DSS Training
byBrent Haselhoff
 
PDF
Cyber fraud in banks
byNetwork Intelligence India
 
PDF
The Target Breach – Follow The Money
byResilient Systems
 
PDF
Managing Front Office Operations With Answer Sheet (EI) 9th Edition Kasavana ...
byzaimajtaleto
 
PPTX
File Sharing Use Cases in Financial Services
byBlackBerry
 
DOCX
Understanding the POS Malware
byvijay1926
 
DOCX
Boss, I Think SomeoneStole Our CustomerData Brett Flayton, C.docx
byAASTHA76
 
PPT
Mcwt presentation 1
byBarbara Goushaw
 
PDF
How to Keep Hackers Out of Your Organisation
byIBM Danmark
 
PPT
PCI Compliance Seminar
bydlinehan2
 
PPTX
Trends in electronic crimes and its impact on businesses like yours
byMotherGuardians
 
PPTX
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
byConnXus
 
PDF
What To Do If Compromised - Fraud Control and Investigations Procedures
by- Mark - Fullbright
 
PDF
PCI Solna EDB 101020 FortConsult
byJolin Löf
 
PDF
Credit card frauds in hospitality
byVishal Sharma
 
PDF
Credit card frauds in hospitality
byVishal Sharma
 
PDF
How to Knock Out Threats from Crypto-Style Viruses
byCarbonite
 
DOCX
DAY 1 Morning 1. Introductions 2. Confirm project .docx
bysimonithomas47935
 
ODP
Critical Controls Might Have Prevented the Target Breach
by2nd Sight Lab
 
Hacking Point of Sale
byTripwire
 
WKU PCI DSS Training
byBrent Haselhoff
 
Cyber fraud in banks
byNetwork Intelligence India
 
The Target Breach – Follow The Money
byResilient Systems
 
Managing Front Office Operations With Answer Sheet (EI) 9th Edition Kasavana ...
byzaimajtaleto
 
File Sharing Use Cases in Financial Services
byBlackBerry
 
Understanding the POS Malware
byvijay1926
 
Boss, I Think SomeoneStole Our CustomerData Brett Flayton, C.docx
byAASTHA76
 
Mcwt presentation 1
byBarbara Goushaw
 
How to Keep Hackers Out of Your Organisation
byIBM Danmark
 
PCI Compliance Seminar
bydlinehan2
 
Trends in electronic crimes and its impact on businesses like yours
byMotherGuardians
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
byConnXus
 
What To Do If Compromised - Fraud Control and Investigations Procedures
by- Mark - Fullbright
 
PCI Solna EDB 101020 FortConsult
byJolin Löf
 
Credit card frauds in hospitality
byVishal Sharma
 
Credit card frauds in hospitality
byVishal Sharma
 
How to Knock Out Threats from Crypto-Style Viruses
byCarbonite
 
DAY 1 Morning 1. Introductions 2. Confirm project .docx
bysimonithomas47935
 
Critical Controls Might Have Prevented the Target Breach
by2nd Sight Lab
 

More from SecurityMetrics

PPTX
Auditing Archives: The Case of the Evil Java Script
bySecurityMetrics
 
PPTX
The Case of the Suspiciously Flawless Investigation
bySecurityMetrics
 
PDF
Securing Your Remote Access Desktop Connection
bySecurityMetrics
 
PDF
Window of Compromise
bySecurityMetrics
 
PPTX
Understanding the New PCI DSS Scoping Supplement
bySecurityMetrics
 
PDF
How to Prepare for a PCI DSS Audit
bySecurityMetrics
 
PDF
Medical Data Encryption 101
bySecurityMetrics
 
PDF
How to Secure Your Medical Devices
bySecurityMetrics
 
PDF
Don't Let Phishing Emails Hook Your Empolyees
bySecurityMetrics
 
PPTX
Auditing Archives: The Case of the File Sharing Franchisee
bySecurityMetrics
 
PPTX
The Case of the Mistaken Malware
bySecurityMetrics
 
PDF
How to Effectively Manage a Data Breach
bySecurityMetrics
 
PPTX
The Case of the Stockpiled Credit Cards
bySecurityMetrics
 
PDF
5 Steps to Manage a Data Breach
bySecurityMetrics
 
PDF
What's Causing You to Store Unencrypted Payment Cards?
bySecurityMetrics
 
PPTX
Hipaa Reality Check
bySecurityMetrics
 
PDF
HIPAA PHI Protection: Where is Your PHI Stored?
bySecurityMetrics
 
PDF
5 Documents to Prepare for a HIPAA Audit
bySecurityMetrics
 
PPTX
What Does the End of Windows XP Mean For Businesses?
bySecurityMetrics
 
PDF
The 5 Step HIPAA Risk Analysis
bySecurityMetrics
 
Auditing Archives: The Case of the Evil Java Script
bySecurityMetrics
 
The Case of the Suspiciously Flawless Investigation
bySecurityMetrics
 
Securing Your Remote Access Desktop Connection
bySecurityMetrics
 
Window of Compromise
bySecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
bySecurityMetrics
 
How to Prepare for a PCI DSS Audit
bySecurityMetrics
 
Medical Data Encryption 101
bySecurityMetrics
 
How to Secure Your Medical Devices
bySecurityMetrics
 
Don't Let Phishing Emails Hook Your Empolyees
bySecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
bySecurityMetrics
 
The Case of the Mistaken Malware
bySecurityMetrics
 
How to Effectively Manage a Data Breach
bySecurityMetrics
 
The Case of the Stockpiled Credit Cards
bySecurityMetrics
 
5 Steps to Manage a Data Breach
bySecurityMetrics
 
What's Causing You to Store Unencrypted Payment Cards?
bySecurityMetrics
 
Hipaa Reality Check
bySecurityMetrics
 
HIPAA PHI Protection: Where is Your PHI Stored?
bySecurityMetrics
 
5 Documents to Prepare for a HIPAA Audit
bySecurityMetrics
 
What Does the End of Windows XP Mean For Businesses?
bySecurityMetrics
 
The 5 Step HIPAA Risk Analysis
bySecurityMetrics
 

Recently uploaded

PDF
How Unlock Buy Verified Cash App Accounts?
byWei Huang
 
PDF
Top 1 0 Websites to Buy Verified Transfer Remitly Accounts ....pdf
byBusiness
 
PPTX
Finding Product-Market Fit in the Age of AI
byJeffrey Bussgang
 
DOCX
Buy Verified PayPal Accounts for Secure Online Use docx
bymugdhobiswas17
 
PDF
Trusted Place to Buying Verified PayPal Accounts in Los Angeles.pdf
byBuyVerifiedCashAppAc898153
 
PDF
A Comprehensive Guide to Buy Verified PayPal Accounts in the US.pdf
byPremium Phone Verified Account Providers
 
PDF
_Top 7 Tips for Buying Verified PayPal Accounts.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
PDF
enterprise software is not dead and here is why
bywangbin26
 
DOCX
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 
PDF
Buy Proton Mail Accounts _ Secure Email Accounts In 2026.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
DOCX
Buy Old Gmail Accounts USA – Instant Delivery Bulk Gmail.docx
byDigital Marketind and Business By PVAisBack.Com
 
PPTX
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
PDF
Best 9 Sites to Buy Hotmail Accounts (Aged & PVA).pdf
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
PDF
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 
DOCX
Podcast Promotion Schedule for Turntable News
byslpalakovich
 
PPTX
REVIEWER-3rd-quarter-exam-mathematics.pptx
bydominicdaltoncaling2
 
PPTX
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
PDF
OIL CHECK 500 Portable - Air Quality Monitoring System
byCS Instruments
 
PDF
Camil Institutional Presentation_Dez25.pdf
byCAMILRI
 
PDF
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 
How Unlock Buy Verified Cash App Accounts?
byWei Huang
 
Top 1 0 Websites to Buy Verified Transfer Remitly Accounts ....pdf
byBusiness
 
Finding Product-Market Fit in the Age of AI
byJeffrey Bussgang
 
Buy Verified PayPal Accounts for Secure Online Use docx
bymugdhobiswas17
 
Trusted Place to Buying Verified PayPal Accounts in Los Angeles.pdf
byBuyVerifiedCashAppAc898153
 
A Comprehensive Guide to Buy Verified PayPal Accounts in the US.pdf
byPremium Phone Verified Account Providers
 
_Top 7 Tips for Buying Verified PayPal Accounts.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
enterprise software is not dead and here is why
bywangbin26
 
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 
Buy Proton Mail Accounts _ Secure Email Accounts In 2026.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
Buy Old Gmail Accounts USA – Instant Delivery Bulk Gmail.docx
byDigital Marketind and Business By PVAisBack.Com
 
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
Best 9 Sites to Buy Hotmail Accounts (Aged & PVA).pdf
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 
Podcast Promotion Schedule for Turntable News
byslpalakovich
 
REVIEWER-3rd-quarter-exam-mathematics.pptx
bydominicdaltoncaling2
 
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
OIL CHECK 500 Portable - Air Quality Monitoring System
byCS Instruments
 
Camil Institutional Presentation_Dez25.pdf
byCAMILRI
 
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 

Auditing Archives: The Case of the Overly Helpful Front Desk Clerk

  • 1.
    Auditing Archives Series TheCase of the Overly Helpful Front Desk Clerk
  • 2.
    Business background Popular vacationresort built a mountain retreat to lodge guests taking extended holidays.
  • 3.
    Business background Employed frontdesk clerks and a concierge who accepted payments, facilitated check ins, and helped customers find information online.
  • 4.
    How hackers gotin A front desk clerk used her computer to process a customer’s credit card, then helped him find a top-rated restaurant for his anniversary dinner. Unbeknownst to her, she clicked on a malicious link that had been added to a legitimate restaurant page by a hacker.
  • 5.
    What is amalicious link? The goal is to get users to willingly click on a link that automatically downloads harmful malware onto their system, or redirects to a spoofed website. Malicious links can be found in phishing emails but also on regular, legitimate websites.
  • 6.
    How hackers gotin The link automatically downloaded keylogger malware to the clerk’s front desk computer. The malware recorded every keyboard click and any card swipe taken by a USB connected mag stripe reader. The infected computer’s malware began secretly scraping payment card data whenever it was swiped.
  • 7.
    What the businessdid wrong Using an unencrypted USB magnetic stripe reader is an insecure practice.
  • 8.
    What’s wrong witha USB card swipe device? Most hotel property management systems read credit cards by attaching a USB card reader to the computer. In most cases this device emulates a normal keyboard and transfers the card swipe data using clear text. Attackers can easily access and read information in clear text. Encrypt-at-swipe readers are a potential solution to make card data unusable to cybercriminals.
  • 9.
    What the businessdid wrong Accepting credit cards on the same machine used to browse the Internet is an insecure practice. Segmentation and employee training could have solved this very common hotel problem.
  • 10.
    What is segmentation? Segmentationis the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don’t. Segmentation is a very secure practice because it’s impossible for sensitive data to leak outside of its allotted area.
  • 11.
    What they shouldhave done The resort should have dedicated one front desk computer to browse the Internet on the guest network with no access to the POS system. The other machines used for taking credit cards should have no or very limited access to the Internet.
  • 12.
    SecurityMetrics We Protect Business Services PCI,HIPAA, & data security solutions for businesses of all sizes Qualifications Global provider of ASV, QSA, PFI, PA QSA, P2PE services Experience Assisted over 1 million organizations with compliance needs