By Peter Burgess, PCI-QSA, CISSP, CISM (Ret), CIPT
US-based travel industry company Sabre Hospitality Solutions, which provides SaaS (Software as a Service) to more than 36,000 properties, has alerted hotels that a hacker has apparently breached its SynXis Central Reservations application, SynXis Enterprise Platform, and may have stolen payment card data and customer personal details. The SaaS system is designed to provide rate and inventory management capabilities for hotels.
Sabre is based in Southlake, Texas, and provides technology used by the global travel industry, including hundreds of airlines and thousands of hotels. The company also operates a travel marketplace that processes more than US$120 billion of global travel spending each year across 160 countries.
Sabre’s potential payment card and PII (Personally Identifiable Information) breach warning to hotels is just the latest in a long line of hospitality sector breach reports, the vast majority of which trace to malware installed on point-of-sale terminals and the controllers and servers used to manage them.
References to PII are significant in terms of privacy legislation, such as the upcoming EU GDPR Regulations, as PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another can be considered PII, and can include an individual’s first and last name, street address, email address, telephone number and National Insurance/Social Security Number, or any other information that might be collected and used to identify that individual.
A Sabre spokesperson advised that the company is investigating an incident involving unauthorized access to payment information contained in a subset of hotel reservations processed through the Central Reservation system, and has engaged a third party to assist with the digital forensic investigation.
It has not been revealed when the breach may have started, its duration, or how many locations and/or payment cards may have been affected. Sabre customers have been informed of the investigation and will be kept advised. The breach has been contained and there is no evidence of continued unauthorised activity.
Other recent incidents
Sabre’s potential payment card and PII breach warning to hotels is just the latest in a long line of hospitality sector breach reports.
Some other hospitality companies affected recently include HEI Hotels and Resorts, Hilton, Hyatt, Omni Hotels and Resorts, Starwood Hotels and Resorts and Trump Hotels.
Most recently, Intercontinental Hotels Group warned customers that malware had infected POS devices at 1,200 of its locations – including Crowne Plaza, Intercontinental, Kimpton and Holiday Inn properties – beginning in September 2016.
The point of attack used in the majority of these incidents traces back to malware installed on point-of-sale terminals and the controllers and servers used to manage them.
Third-party POS vendors are also under attack. In August 2016, Oracle warned that an attacker planted malware in a support portal for servicing and maintaining its MICROS POS systems, one of the most widely used POS systems in the world, with 330,000 customers in 180 countries.
Other, smaller POS vendors have also been targeted, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. Those attacks were discovered by Alex Holden, CISO for Hold Security, which tracks the underground trade in stolen data.
Preparation, Detection, Response
Verizon’s recently released 2017 Data Breach Investigation Report indicates that the POS breach problems in the hospitality sector – comprising both hotels and restaurants – are compounded by too many organisations’ poor preparation, detection and response capabilities.
The PCI DSS (Payment Card Industry Data Security Standard) contains a comprehensive number of general information security and payment card-specific controls, and clearly addresses these issues by requiring that organisations not only address awareness of PED (Pin Entry Device) tampering, but maintain vulnerability management programmes and incident response programmes, which are tested on a regular basis.
Businesses must also understand their dependency on third-party service providers, monitor their PCI DSS compliance and make sure that any remote access they have into the business’ systems is properly secured. It is important for businesses to consider and plan for potential security incidents and breaches affecting their third parties, such as Sabre or Oracle, to minimise any impact on the business and their customers. PCI DSS compliance would mitigate POS related attacks, and the following advice has been provided in earlier alerts, but bears repeating.
Detective and Preventative steps businesses can take
The cybercriminal attack on POS systems involves identifying possible targets, infiltrating the POS systems, gathering cardholder data and extracting it for subsequent sale on the dark web. As multiple stages are involved in a successful attack, businesses have multiple opportunities to block or disrupt these attacks:
- Check whether POS systems have already been infected by known malware – ensure that anti-virus programmes and definitions are up to date and run regular scans to identify and clean up existing infections by known malware types.
- Check POS systems for unauthorised and unnecessary software and services – business POS systems should only be running the software, services and protocols needed for their legitimate operations. Disable or remove any software, services and protocols that are not required – to limit possible attack vectors.
- Check the inbound and outbound network traffic allowed by the business’ Internet facing firewall – make sure the only traffic allowed into or out of the business’s network (and to/from POS systems) is that which is necessary for business operations. Make sure that the firewall denies (blocks) any network traffic, inbound to and outbound from the network, that is not specifically needed. This will help in the event of a malware infection, as the malware will not be able to contact its server or send it any card data.
- Only allow remote access to the business network and POS systems when it is needed – close down, disable or remove all remote access software and remote access services that are not needed. If the business does need to allow remote access to the internal network or systems, make sure this access is enabled only for the specific time period it is needed and is disabled when it is not in use.
- Implement multi-factor authentication for all remote access methods; do not rely only on usernames and passwords. If remote access to the business network and POS systems by employees or third party service providers is necessary, make sure multi-factor authentication is required as this will ensure that attackers won’t be able to exploit weak or generic passwords to gain access.
- Migrate to a POS solution that supports end to end encryption: strong encryption of the card data from the point of capture by an EMV card reading device. This will help to ensure that there isn’t any plain text card data in the POS system memory to be captured by the cybercriminal.
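The second and third checks above (unnecessary services, and traffic that is not needed for business operations) can be turned into a repeatable host audit. The following Python script is an added example, not code from the original article or from Sabre; it parses a socket listing in the column layout of `ss -tunap` (the sample listing, the allowlists, the process names and the IP addresses are all constructed for the example) and reports any listening service or outbound session that is not on the business’s approved list. Connections accepted on a local listening port are treated as inbound and are not counted as egress.

```python
"""Audit a POS host's listening services and established outbound sessions
against an allowlist (added example; all sample data below is constructed)."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in the column layout of `ss -tunap` (assumed for this example).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:5900         0.0.0.0:*          users:(("vncserver",pid=2201,fd=4))
tcp   ESTAB  0      0      10.10.5.21:44712     203.0.113.9:443    users:(("posapp",pid=1410,fd=9))
tcp   ESTAB  0      0      10.10.5.21:50110     198.51.100.77:8080 users:(("svchost.exe",pid=3021,fd=5))
tcp   ESTAB  0      0      10.10.5.21:22        10.10.5.2:51022    users:(("sshd",pid=2290,fd=4))
udp   UNCONN 0      0      0.0.0.0:123          0.0.0.0:*          users:(("ntpd",pid=640,fd=6))
"""

# Hypothetical allowlists: what this POS host is permitted to expose and to talk to.
ALLOWED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 123)}
ALLOWED_EGRESS: Set[Tuple[str, int]] = {("203.0.113.9", 443)}   # constructed gateway address

PROCESS_RE = re.compile(r'\(\("([^"]+)"')


class Socket(NamedTuple):
    proto: str
    state: str
    local_addr: str
    local_port: int
    peer_addr: str
    peer_port: str      # "*" for listeners, so kept as text
    process: str


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' on the last colon so IPv6 literals are not broken."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_ss(text: str) -> List[Socket]:
    """Parse ss-style rows into Socket records, skipping the header line."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Netid"):
            continue
        fields = line.split(None, 6)          # process column may contain spaces
        if len(fields) < 6:
            continue
        proto, state, _recvq, _sendq, local, peer = fields[:6]
        match = PROCESS_RE.search(fields[6] if len(fields) > 6 else "")
        laddr, lport = split_endpoint(local)
        paddr, pport = split_endpoint(peer)
        sockets.append(Socket(proto, state, laddr, int(lport), paddr, pport,
                              match.group(1) if match else "?"))
    return sockets


def audit(ss_text: str, allowed_listeners: Set[Tuple[str, int]],
          allowed_egress: Set[Tuple[str, int]]) -> Dict[str, List[Tuple]]:
    """Return listeners and outbound sessions that are not on the allowlists."""
    sockets = parse_ss(ss_text)
    listening_ports = {(s.proto, s.local_port) for s in sockets
                       if s.state in ("LISTEN", "UNCONN")}
    findings: Dict[str, List[Tuple]] = {"unexpected_listeners": [], "unexpected_egress": []}
    for s in sockets:
        if s.state in ("LISTEN", "UNCONN"):
            if (s.proto, s.local_port) not in allowed_listeners:
                findings["unexpected_listeners"].append((s.proto, s.local_port, s.process))
        elif s.state == "ESTAB":
            # A session on one of our own listening ports was accepted, not initiated.
            if (s.proto, s.local_port) in listening_ports:
                continue
            if (s.peer_addr, int(s.peer_port)) not in allowed_egress:
                findings["unexpected_egress"].append((s.peer_addr, int(s.peer_port), s.process))
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_SS_OUTPUT, ALLOWED_LISTENERS, ALLOWED_EGRESS).items():
        for item in items:
            print(kind, item)
```

On the constructed sample the script flags the VNC listener on tcp/5900 (remote access software that should be removed or enabled only when needed) and the outbound session to 198.51.100.77:8080 (traffic no firewall rule should permit). In practice the allowlists should be derived from the POS vendor’s documented requirements and the findings fed into the business’s incident response process rather than simply printed.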
Businesses should note that the PCI DSS includes requirements that directly address the weaknesses and methods of attack employed by cybercriminals targeting POS applications. Implementation of the PCI DSS requirements included in the SAQ C, the self-assessment questionnaire applicable to merchants with payment application systems connected to the Internet, would go a long way to reducing a business’ exposure to this new POS malware risk.
A sample of applicable requirements in the SAQ C include:
- Requirement 1.2.1, 1.3.4: Restrict inbound and outbound network traffic to that which is necessary and deny all other traffic. All outbound network traffic must be specifically authorised.
- Requirement 2.1: Change all vendor supplied defaults and remove or disable all unnecessary default accounts.
- Requirement 2.2.2, 2.2.5: Ensure only necessary services, protocols and daemons are enabled. Disable all unnecessary functionality.
- Requirement 2.3: Make sure all non-console administrative access uses strong encryption.
- Requirement 5.1, 5.2: Make sure anti-virus software capable of detecting all known types of malicious software is deployed. Make sure it is set to update automatically and to regularly run scans of the systems.
- Requirement 8.1.1: Make sure all users use a unique user ID to log on to systems.
- Requirement 8.1.5: Enable accounts used for remote access to the business, by third parties such as vendors and third party support providers, only when they are needed and disable those accounts when they are not in use. Monitor these remote access accounts when they are in use.
- Requirement 8.1.6, 8.1.7: Lock out user IDs after no more than six access attempts. To thwart brute force attacks, set a minimum lockout duration or lock out the account until it is re-enabled by an administrator.
- Requirement 8.2.3, 8.2.4: Make sure systems are set up to require strong alphanumeric passwords of at least seven characters and to force password changes every 90 days.
- Requirement 8.3.2: All users, administrators and all third parties must be strongly authenticated using multi-factor authentication for all remote access that originates from outside the business’ network (i.e. from home, from a remote office or from the third party’s own office).
- Requirement 8.5: Do not permit the use of generic user IDs or shared accounts and passwords.
- Requirement 9.1: Use appropriate physical entry controls to systems storing, processing or transmitting cardholder data.
- Requirement 9.9: Protect devices that capture payment card data against tampering and substitution.
- Requirement 9.9.2: Periodically inspect device surfaces to detect tampering, such as the addition of card skimmers, and verify serial numbers to detect substitution.
- Requirement 9.9.3: Train personnel at Point of Sale devices to be aware of attempted tampering or replacement of devices.
- Requirement 11.2.2: Use an Approved Scanning Vendor to undertake quarterly external vulnerability scans to identify open ports, known weaknesses and system vulnerabilities. Address the vulnerabilities found to obtain a passing scan result.
- Requirement 11.5: Implement a change detection mechanism to monitor systems for unauthorised changes as these may indicate that systems have been compromised or infected by malicious software.
- Requirement 12.10: Create, maintain and periodically test an incident response plan to be activated in the event of a breach of cardholder data.
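Requirement 11.5 is the one item in the list above that is most often left to a product rather than understood, so here is a minimal change detection mechanism as an added example (not code from the original article or from the PCI SSC). It records a SHA-256 baseline of every file under a directory, compares a later snapshot against it, and reports files that were added, removed or modified; the directory contents, file names and the simulated changes are all constructed for the example. In a real deployment the baseline would be written to storage the POS host cannot modify and the comparison run on a schedule, with any difference treated as a possible compromise under the incident response plan in Requirement 12.10.

```python
"""File integrity baseline and comparison (added example; sample files are constructed)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large POS binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a /-separated relative path) to its hash."""
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and modified files between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed POS install, baseline it, then simulate three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "posapp.exe").write_bytes(b"constructed binary v1")
        (root / "bin" / "helper.dll").write_bytes(b"constructed helper")
        (root / "config.ini").write_text("gateway=203.0.113.9\n")   # constructed address
        baseline = build_baseline(root)

        # Simulated unauthorised changes: a patched binary, a new library, a deleted one.
        (root / "bin" / "posapp.exe").write_bytes(b"constructed binary v1 plus injected code")
        (root / "bin" / "scraper.dll").write_bytes(b"constructed unexpected file")
        (root / "bin" / "helper.dll").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hash-based comparison catches content changes that a timestamp check would miss, but it says nothing about a file’s permissions or ownership; a production tool would baseline those attributes too, and would exclude paths such as log directories that change legitimately so that alerts stay meaningful.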