Cybercriminals still consider hotels easy targets for credit card info

Via: USA Today

Are you more vulnerable to credit card theft if you stay in a hotel?

No need to get paranoid, but it is a valid question, since online security firm Trustwave SpiderLabs considers hotels hackers' No. 1 target. It's also a timely question since Wyndham Hotels just yesterday announced that hackers stole customer credit card information by breaching its networks. It's Wyndham's third breach in 12 months.

To understand the problem better, I recently talked with online security expert Nicholas Percoco, who works as a security auditor and data breach investigator for the security firm Trustwave SpiderLabs. The firm investigates breaches for companies and figures out how they happen.

"This is a new trend. Prior to late 2008, we did not really see any investigations around hotels - maybe a handful," Percoco told me during our conversation. "But it was not something significant enough to call it a trend."

In the firm's recent study of 218 breach investigations across 24 countries last year, Trustwave found that hotels accounted for about 70 of them - making them hackers' favorite targets, even over the financial services companies.

His theory is that sometime in late 2008, a fairly sophisticated group hacked into a single hotel and identified it as an easy system to extract information from, Percoco told me.

"The group doing this crime happened upon hotels and said this is easy," he said. "They figured that (individual) hotels are smaller in general and don't have dedicated IT staff. What they learned from that one attack they (repeated) as many times as possible over the course of 2009." 

Percoco wouldn't identify hotel clients, but he did suggest that some chains are being more proactive than others in trying to thwart hackers.

"Your larger hotel chains have started to take action," he said.

"Now where the larger risk probably lies - once the brand names lock up their systems - is with the independent hotels," Percoco said. "Many don't have the resources and don't have centralized staff to help them out."

So, why have hotels become such a favored target among hackers?

Hotels - with stretched staff and computer systems that vary by individual hotel - aren't always watching their network carefully, he said. That makes it relatively easy for hackers to gain access into one computer, and then use it as a doorway into a chain's central system. 

The cybercriminals have also had success staying undetected for months at a time once they hack into a hotel's system, Percoco said. Breaches last year went undiscovered for an average of 156 days.

"They were looking at people's data for five months on average, and no one knew about it," he said.

Hackers eventually get discovered - after they've stolen data

In a small percentage of cases, hotels discover a problem when their system crashes.

"As humorous as it sounds, we've had a number of cases where staff report that a mouse is moving around by itself and they weren't controlling it," Percoco said. "It turned out that somebody was on that system that shouldn't be."

The majority of cases, however, are detected by credit card companies - after hackers succeeded in stealing hotel guests' names, credit card numbers and other sensitive data, he said. The credit card companies - whether American Express, Visa or MasterCard - then start investigating once they receive a group of calls reporting fraudulent charges.

"Imagine if 500 people called their credit card companies," Percoco said. The credit card company then examines records to find patterns, and discovers that the individuals had all stayed in Hotel XYZ, he said.

Cybercriminals still targeting hotels this year

So are hackers moving on to another industry yet? No, according to Percoco.

"There has been a report that there's another batch of these that perhaps we'll be investigating in the next couple of weeks," he told me.

Will hotel guests be able to tell if their data has been compromised? Not usually, Percoco said, although he did have an alarming story of his own to tell... Last October, Percoco checked into a hotel and within two hours of handing over his credit card at the front desk for a swipe, he became a victim of identity theft.

"Later that evening, I got a call from the card issuer saying that they'd noticed some potentially fraudulent use and that I should call them," he said. "Turned out that someone went on a shopping spree and racked up close to $2,000 in random locations all over the place."

Cybercriminals have the ability to copy stolen credit card data onto a magnetic strip to create a phony, physical credit card and buy items with it in stores - all within a couple of hours, he said. Ultimately, his card issuer cancelled the card and issued him a new one, so he was inconvenienced but not out any money, he said.

Still, some hotel guests find the trend disturbing.

One of the most-recommended comments written on my previous post about hotel hackers came from Hotel Check-In reader Anonymous, who wrote:

"Hotels and airlines as well as every other business should be held accountable for failing to provide adequate security for their customers."

By the way, I asked Percoco for tips on how to avoid getting scammed, but he said there's little you can do. Your best bet? Monitor your credit card statements each month to check for fraudulent charges, he said.
