If not properly secured, the remote access software found in PoS systems is often an entry point for cybercriminals.
If not properly secured, the remote access software found in PoS systems is often an entry point for cybercriminals.

The recent revelation by the InterContinental Hotels Group that 1,200 of its locations had been victimized by malware placed on its front desk point-of-sale (PoS) systems should spur companies to ensure their equipment is locked down and monitored.

The first step to take might be the one IHG had begun instituting in some of its facilities just before this round of malware was implanted. The hotel chain said in a statement that before this incident took place it had started installing IHG's Secure Payment Solution, a point-to-point encryption service for PoS systems. Any of its hotels with this cybersecurity software installed was not impacted. However, IHG would not say which hotels were so equipped.

A.N. Ananth, CEO of EventTracker, said such a step is just one move any hospitality company should undertake.

“Hotels need multiple security technologies to prevent malicious attacks,” he said. "A managed firewall is essential, blocking dangerous traffic from coming onto the network and preventing sensitive data from being exfiltrated, or sent, to the hackers. File integrity monitoring, unified threat management, and SIEM should also be considered."

EventTracker is a SIEM supplier.

Hotels are particular targets for cybercriminals, said John Christly, Global CISO of Netsurion, as these give the bad actors a lot of bang for their buck.

“Hotels are generally more at risk for PoS breaches because payment card data is used throughout each hotel location – most have multiple PoS terminals. Plus card info is shared with the hotel through the booking process before the guest even arrives. All of this gives cybercriminals multiple opportunities and points of entry for the hacks,” he told SC Media.

Christly posited that most PoS break-ins take place through the terminal's remote access software. This is a soft target because many times this software is not installed with proper security in mind – leaving a PC or server open to attack.

“One of the main issues with any remote access product like this is that many use a password to protect the remote capabilities, and some vendors choose to use the same password for multiple sites instead of using a unique password for each site that the software is used at,” Christly said, adding that using just a password instead of two-factor authentication remains an issue.

Even if an independently owned franchise is hit, which happened with IHG, it does not mean the malware will be limited to just that facility, he added. Today, even franchises have direct access to the parent corporation's systems and any malware picked up locally can spread to regional, national or even international locations.

IHG has not released a post mortem on how this attack was implemented, but Christly's description may explain what took place in this case where the infection was widespread impacting properties in all 50 states and Puerto Rico. It includes the company's best known brands, including Holiday Inn, Intercontinental, Kimpton and Crowne Plaza.

IHG was first tipped off to the problem in December when KrebsonSecurity reported that breach reports were coming in for some of the company's hotels. IHG admitted in February that a few hotels were involved, but with the completion of its internal review last week IHG revealed that almost 1,200 of its 5,000 worldwide locations were hit.

IHG reported that the malware was running from September 29, 2016 until December 29, 2016, and the company added that actual confirmation that the malware was eradicated was not received until March 2017, so customers who visited until that time should check their cards for unauthorized charges.

EventTracker's Ananth concluded that it does not matter whether the local franchise handles security or it comes down from the top, but somebody has to be minding the shop.

“As Yoda would say, 'Matters not who does it, matters that it be done, and properly',” he said.