I’d like a room … no Passwords, please.
This year, if you attend any of the signature events that draw crowds made up of our hospitality technology-focused brethren such as the Hospitality Technology Expo in London, the International Hospitality Technology Forum in Lisbon or HITEC in Minneapolis, you’re sure to hear a considerable amount of talk about security and PCI-DSS compliance. This is, of course, nothing new. Whether it be the perennial favorite “PCI Boot Camp” (despite its somewhat ominously militaristic title) or perhaps “Securing Guest Information in a World with no Boundaries” (a title that suggests the possibility of a Never-Neverland that is both utopian and nihilistic), the speeches and panel discussions will likely provide attendees of their respective conferences with a status report of our community’s War Against the Data Breach. Many of the discussions will be supported by the latest facts and figures. For example, with the 2013 Data Breach Investigations Report (DBIR) due, as always, in March, we look forward to learning if we’ve been able to stem the damaging trends set in 2011 (i.e. 174 million compromised records). And with a report of as many as 855 incidents in 2011, we wonder if we will exceed that number to witness occurrences totaling in the thousands.
Year in and year out, research studies show us how breaches occur. This year, we don’t expect too many surprises; just as in the past, it’s likely that most breaches utilize some form of hacking. The DBIR 2012 indicated that hacking is “… linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as described above, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access).” In 2011, hacking was involved in 89% of incidents. While sources at Trustwave have indicated that the Hospitality industry has marginally improved its ability to protect itself (now slightly less than 38% of all incidents), hackers continue to maneuver around firewalls. They “thwart or circumvent authentication” (you just gotta love how nefariously bad-ass that sounds!) by stealing or guessing our beloved passwords.
Verizon Business maintains that hackers are “scanning the Internet for easily guessable passwords.” Therefore, Verizon places a high premium on the appropriate management of administrative passwords. Actually, password management is at the very top of their list of security tips. Why? Because the simplicity of our passwords is what makes hacking so simple.
Oh, and allow me a digression: Have you heard that Gizmodo released its list of the 25 Most Popular Passwords for 2012? It was compiled by SplashData, who gathered the data from millions of stolen passwords posted online by hackers. In the top spot, unchanged from last year, was the password “password”. It was trailed in the #2 spot by the password “123456”, also maintaining its position from last year’s study. Curiously, the password “monkey” has maintained its spot at #6 for the second straight year. Apparently, hackers know how to shock the “monkey” too.
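To make the point concrete, here is an added example that is not part of the original post and is not code from Gizmodo, SplashData or Verizon: a small Python check that a hotel IT team could run against a proposed PMS or POS administrator password. It rejects the list entries named above and their trivial variants (capitalization, “leet” substitutions such as P@ssw0rd, a year tacked on the end), which is exactly what attackers' wordlists try first. The blocklist is a constructed subset for illustration; a real deployment would load the full published list, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample of the kind of list SplashData publishes: the entries
# named in this post plus two obvious neighbours. Not the full list.
COMMON_PASSWORDS = {"password", "123456", "monkey", "abc123", "letmein",
                    "qwerty", "12345678"}

# Common letter-for-symbol substitutions, undone during normalization.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word a cracking wordlist would also try:
    lowercase, strip leading/trailing digits and symbols, undo leet spelling."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # "password2013!" -> "password"
    return s.translate(LEET)                   # "p@ssw0rd"      -> "password"


def check_password(candidate: str, blocklist=COMMON_PASSWORDS,
                   min_length: int = 12) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    lowered = candidate.lower()
    base = normalize(candidate)
    if lowered in blocklist:
        reasons.append("is itself a common password")
    elif base in blocklist:
        reasons.append(f"is a trivial variant of the common password '{base}'")
    else:
        # Only longer entries are worth a substring match; "abc" alone would
        # reject far too much.
        for word in sorted(blocklist):
            if len(word) >= 6 and word in base:
                reasons.append(f"contains the common password '{word}'")
                break
    return reasons


if __name__ == "__main__":
    for pw in ["abc123", "letmein", "P@ssw0rd2013!", "monkeybusiness2013",
               "Lisbon-Forum-Badge-2013"]:
        verdict = check_password(pw)
        print(f"{pw!r:28} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalization step is the part worth copying: comparing only the literal string against the list would wave through “P@ssw0rd2013!”, which any off-the-shelf cracking rule set generates from “password” in its first pass.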
Fortunately, there is what might be good news for the Hospitality Industry. Tech-giant Google has declared war on passwords. They are imagining a way to access accounts (e.g. your Gmail account) and log in to applications by simply tapping your computer with your ring finger. Google’s security team discusses this new authentication method in a research paper that will be coming out later this month in the engineering journal IEEE Security & Privacy Magazine. Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline multiple techniques for logging into applications. In other words, they’re experimenting with new ways to replace the password, including a Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a user in.
Consider, therefore, the hotel of the future. Allow yourself to dream of a magical place where the entire IT infrastructure protects our precious data during our stay. Certainly, the hotelier will have implemented the latest in firewall technology, and undoubtedly they have trained their entire staff on the importance of privacy, security, and PCI compliance. Those are givens, for anything less would be naïve and reckless. However, just imagine how soundly we’d all sleep (or web-surf) knowing that the PMS and POS administrators aren’t using “abc123” (#4 of Gizmodo’s Top 25 for 2012) or “letmein” (#7) as their passwords. They won’t be using those passwords because no one at the property will be using any passwords. That will be because in 2013 innovators declared war on passwords and won! Now there’s an advertising pitch waiting to happen: Vacation Paradise Package Awaits You!: Pristine Beaches, Uber-fast WiFi, and No Passwords.