How Mobile Apps and Cyber Security Affect Your Operation
By Marc Stephen Shuster, Partner, Berger Singerman
Co-authored by Andrew Hinkes, Partner, Berger Singerman
Cyber threats have seized the spotlight in 2016. From enterprise data breaches costing millions, to the emergence of fraud and hacking as an on-demand service, to the politically-inspired interception and disclosure of the US Presidential campaign's emails and, some have alleged, the hack of the election itself, cybercrime emerged from the realm of cyberpunk fiction and established its place as a mainstream social, economic, and political force in 2016. The rise of hacking has been driven by three factors: the pervasive use of network driven technology, the use of aggregated electronic data by companies, and the fluid resale market for stolen personal, financial, and healthcare information.
As the hacks of Trump, Starwood, Hilton, Mandarin, and Hyatt clearly demonstrate, the hospitality industry is near the top of hackers' lists. Why? Hotels aggregate and share valuable data about their customers. Beyond payment information common to all e-commerce, hotels aggregate data about their guests that may include medical (guest food and environmental allergies, alcohol consumption, use of gym and spa facilities, requests for medical assistance), reputational (damage to rooms, grant of guest access to others), logistics (arrival and departure time, on-site transportation bookings) and information regarding third parties (potentially through access to guest social media and email systems accessed on guest devices through hotel wifi). For hotels that pride themselves on service, privacy, and discretion, the loss of consumer trust caused by a data breach or a hack of guest information can shatter the brand's reputation and impact the bottom line.
However, as long as consumers demand increasing convenience and access, hospitality retailers and service providers will continue to innovate. The recent trend in the hospitality industry is toward increasingly sophisticated mobile applications, leveraging the power of the ubiquitous mobile device. Unlike other data-centric business sectors, however, hospitality traditionally has not invested heavily in IT, which may result in continued reliance upon neglected and vulnerable systems. Efforts to secure user-facing devices (like computer kiosks, in-hotel wifi networks, and company web sites) are no longer sufficient, as data repositories are shared and accessed by vendors on a variety of access devices and platforms. Hackers have adapted and now focus their attacks on less secure, non-PC devices like routers, networked photocopiers, and IoT-enabled or automated utility devices, and then leverage that access to reach otherwise secured devices that store consumer data and financial information from within the network. Even well defended networks remain vulnerable to social engineering, or the theft of access credentials from trusted partners, including vendors. Thus, cyber security, once viewed as a cost center for IT departments to manage, has emerged as a primary business imperative, critical to maintaining customer trust and avoiding regulatory criticism and significant legal exposure.
Potentially compounding these risks is the emerging demand for mobile applications and streamlining of the guest experience through guest-directed automation. Increasingly, mobile applications are used by hotels as the keystone for the customer experience. Mobile app driven or kiosk mediated check-in and check-out are becoming commonplace. Some mobile applications allow smart devices (using Bluetooth or NFC communication protocols) to function as door keys, granting (and limiting) access to guest rooms or designated hotel amenities. Those mobile apps may also allow the guest to customize their hotel room environment (by controlling room temperature, lighting and, in some cases, pre-ordering bonus amenities). Hotels, eager to monetize these new platforms, have begun to exploit the marketing potential of these applications, suggesting local vendors and activities to guests based upon activity profile, demographic information, and geolocation data collected and provided by the application using location-specific beacons.
While mobile applications may enable an unprecedented guest experience and create efficiencies and cost savings for the hotel, these applications invite serious security concerns. Mobile application development varies significantly from that of traditional software; apps are intentionally easier to develop which has encouraged less experienced developers to quickly bring to market offerings which may not have been as extensively tested as traditional software. Some developers, perhaps lacking a security background, may rely on unsecured or untested code libraries, or simply lack appropriate experience and knowledge to create apps with security in mind. Although most major companies invest heavily in their consumer outreach, many well-known brands have published and widely distributed mobile applications with major security vulnerabilities.
For every system to be remotely automated by a mobile app, data must be shared between the user of that mobile device and the controlling network. That means that there is an open path of communication established between the user's device and the hotel's network, and a potential gateway for a hacker to access your company's data about its guests.
Mobile Increases Convenience and Vulnerability
While consumers may clamor for mobile applications to enrich their hotel experience, hoteliers should approach with caution. Mobile apps and the constantly changing set of network entry points created by the variety of users (and the variety of new device platforms and operating systems they operate) may create new and novel vulnerabilities within reservation and point of sale systems.
Mobile devices are not always designed with security in mind, and mobile security relies, in part, on user awareness, and upon gatekeepers who distribute mobile applications to keep malicious content from widespread distribution. Users who download a new application may not be aware that the app captures a broad set of information, or that the application has caused other applications to behave strangely, all of which may be a sign of a malware infested app. Users may attempt to customize, or "jailbreak" their devices, which requires those users to compromise their device's native security features (and sometimes, their warranties!) to get different features out of the devices.
Mobile device manufacturers can take active steps to minimize the malware in their software ecosystems. While Apple tightly controls its application distribution environment, non-iOS devices may download apps from third party app stores without guarantees of security, or of quality verification, which may result in poorly designed or intentionally malicious apps making their way onto users' phones.
Apps, due to poor design, or the use of outdated or buggy code, may introduce vulnerabilities by transmitting data in an unencrypted or insufficiently encrypted state, by gathering more information than needed from the user's device, or by failing to encrypt internally maintained information. A "leaky app," as the Harvard Business Review calls it, may function properly and not be deployed for a nefarious purpose, but include high risk security flaws that endanger the data collected by, and transmitted to, it. Hypothetically, an app that gathers information, does not encrypt its transmissions of access credentials or personal data, and uses simple passwords could easily be hacked, manipulated and used to penetrate the mobile device, and through that mobile device, invade the server which your hotel's app uses to remotely book guest stays.
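The "leaky app" patterns named above (cleartext transmission, disabled certificate checks, credentials embedded in the app) are the kind of thing a reviewer can flag before release with a simple static check over the app's source and configuration text. The following is an added example written for this article, not code from the authors, the Harvard Business Review, or any hotel app; the rule names, the regular expressions and the two sample snippets are this example's own constructions (the sample endpoint and key are fabricated), and it generalizes slightly beyond the paragraph by also catching iOS and Android settings that switch certificate verification off.

```python
"""Static 'leaky app' check: scan mobile-app source or config text for the
patterns the article warns about. Added example; rules and samples are
constructed for illustration, not taken from any real application."""
import re

# Each rule: (name, pattern, why a reviewer should care). The names are this example's own.
RULES = [
    ("cleartext-endpoint",
     re.compile(r"""["']http://[^"'\s]+["']"""),
     "data sent without TLS can be read or altered on hotel or public wifi"),
    ("tls-verification-disabled",
     # verify=False (Python requests), permissive hostname verifiers (Android/Java),
     # NSAllowsArbitraryLoads (iOS App Transport Security)
     re.compile(r"verify\s*=\s*False|setHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER|AllowsArbitraryLoads"),
     "disabled certificate checks defeat encryption even when https is used"),
    ("hardcoded-credential",
     re.compile(r"""(?i)(password|api[_-]?key|secret)\s*[:=]\s*["'][^"']{4,}["']"""),
     "a credential embedded in the app ships to every guest's device"),
]


def scan(text):
    """Return a list of (line_no, rule_name, reason) for each line matching a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((line_no, name, reason))
    return findings


def is_leaky(text):
    """True when at least one rule fires; a release gate would block on this."""
    return bool(scan(text))


# Constructed sample: the leaky form the paragraph describes.
SAMPLE_LEAKY = "\n".join([
    'BOOKING_URL = "http://booking.example-hotel.test/api/reserve"',
    'API_KEY = "hotel-app-key-12345"',
    'session.get(BOOKING_URL, verify=False)',
])

# Constructed sample: the same three lines hardened. The keyring call is
# illustrative text only (it is scanned, not executed) and stands for
# fetching the credential at runtime instead of embedding it.
SAMPLE_HARDENED = "\n".join([
    'BOOKING_URL = "https://booking.example-hotel.test/api/reserve"',
    'api_key = keyring.get_password("hotel-app", "api-key")',
    'session.get(BOOKING_URL, headers={"X-Api-Key": api_key}, timeout=10)',
])

if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {'BLOCK' if is_leaky(sample) else 'ok'}")
        for line_no, name, reason in scan(sample):
            print(f"  line {line_no}: {name} ({reason})")
```

Run against the leaky sample the check reports one finding per line (cleartext endpoint, embedded key, disabled verification) and nothing against the hardened sample. A pattern check like this is a cheap first gate, not a substitute for the "white hat" testing the article recommends later: it finds what is written plainly in the source, and a determined reviewer still has to confirm what the running app actually sends.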
Relationships Introduce Vulnerability
Increasingly, value conscious guests book through third party booking providers, including travel aggregators, and use their apps that allow travelers to book travel, hotel, and rental cars together. These web sites and apps, which themselves are attractive targets, are permitted access to hotel reservation systems and create additional potential intrusion vectors. A hacker may target the third party booking site and obtain customer information (insurance, driver's license, passport numbers) which is otherwise not typically held by hotels, in addition to the hotel's data. There must therefore be tighter control across a hotel and its network of partners. Without that, the new value added partner can instead be a new vulnerability.
With attacks seemingly coming from all angles, and innovation and partnerships leading to increased risk, how can hospitality innovators defend themselves while continuing to improve the guest experience?
1. Map Your Treasure
Understand where your business stores customer data, who has permission to access that data, and where and how that data is shared with business partners and vendors, and then shore up these relationships on both technical and contractual bases. Contracts with partners who share access to data maintained or aggregated by your hospitality business should include specific terms discussing mutual cyber security, including: (a) minimum standards and practices, (b) sharing identified security incidents and response strategies, and (c) permitting periodic compliance audits as a condition of the continuing agreement. From a technical perspective, all technical system interfaces (i.e. APIs) used should be disclosed and documented, with disclosure to both parties of the technical system security implemented over each side of the system interface.
After your critical systems and all data links to those systems are secured, continue your audit to other systems that are connected to those data repositories without additional password requirements, and then finally, audit other devices which may be thought to be low priority (for instance, networked photocopiers) to ensure that practical protections are in place, such as changes to factory default passwords, and appropriate security patches to system operating systems and firmware.
2. Mobility and the Money
The point of mobile apps, besides enhanced user functionality, is to ease the purchase of products and services from your hospitality business. Thus, a direct link to your hotel's point of sale system is necessary. Point of sale systems are still the most attractive, easiest, and most frequently targeted systems for hackers because they are the most direct path to valuable and easy to monetize credit card information. Point of sale systems are also frequently vulnerable because they are typically created and maintained by external vendors and built on older operating systems, which may not always be timely patched and updated. Configuration errors, like a failure to modify publicly available factory standard passwords on these systems, practically invite intruders. These systems may be connected to multiple different organization systems within the hotel (front desk, restaurant, bar, convenience store), which complicates security and access credential management, and extends the reach of a hacker. Layering on mobile applications increases the potential vulnerability of these systems. Programmers controlling user input into existing hospitality point of sale systems should ensure that all communications are encrypted, and use the most updated and thoroughly tested APIs.
3. Be Patient, the Hackers Are
System threats and vulnerabilities are persistent and intruders may quietly reside on your network but may not show themselves for months. To mitigate the potential damage caused by undetected threats, hospitality providers and their partners should collaborate on intrusion detection, security management and threat intelligence services. Monitoring email and/or messaging systems is critical, as email is the primary means of malware transmission. However, with mobile applications interacting with a multitude of newly automated systems, extra vigilance is necessary, as new and novel threats from these emerging platforms may be developed at any time.
Training, diligence, testing, and sharing information about cybersecurity with partners are critical to network security in any venture. Mobile device users should be encouraged to report bugs or aberrant behavior detected in mobile apps. App issuers should consider hiring "white hat" hackers to try to hack or break the mobile app before it is released to customers. Although an elegant mobile application can simplify and enhance the guest experience, a buggy, leaky, or corrupted app that causes data loss can scare away customers and attract costly negative publicity. Smart planning, testing, and education can make sure your mobile app lets the right ones, and only the right ones, into your network.
This article was co-authored by Andrew Hinkes. Mr. Hinkes is a partner in the law firm of Berger Singerman's Ft. Lauderdale office. He represents leading companies and entrepreneurs in state and federal commercial litigation matters. Mr. Hinkes concentrates his practice on contract litigation, representation of court-appointed fiduciaries, business torts, trade secrets litigation, and electronic discovery issues. He also advises clients regarding document retention issues, electronic privacy issues, web site terms of service and privacy policies. Mr. Hinkes is also frequently published and cited for his work on IT and technology-related issues, including virtual currencies, smart contracts, distributed ledger-based technologies, computer data security/breaches, and technology regulation. Mr. Hinkes received his J.D., cum laude, from the University of Miami School of Law and his A.B., cum laude with Eliot Honors, from Washington University in St. Louis.
Marc Stephen Shuster is a partner in the Miami office of Berger Singerman, Florida's business law firm. Mr. Shuster is a business attorney with extensive experience in commercial real estate transactions, both healthy and distressed, and corporate M&A deal work, with an emphasis on the hotel and hospitality industry. He advises both traditional hospitality conglomerates and Internet advertising sites serving the industry. Mr. Shuster has served as counsel to a Florida-based emergency management/services conglomerate in negotiating for disaster relief work throughout the Caribbean. Mr. Shuster speaks and writes on novel issues affecting the hotel and hospitality space, serves on various community boards, and has been recognized with numerous awards and accolades. Mr. Shuster can be contacted at 305-982-4080 or email@example.com
HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.