Font desk clerks are friendly…sometimes to a fault, but friendly doesn’t necessarily equal secure. A front desk clerk that helps you print off your afternoon boarding pass on the same computer that was just used to run your credit card violates a serious security protocol.

1. Auditing Archives Series
The Case of the Overly Helpful
Front Desk Clerk

2. Business background
Popular vacation resort
built a mountain retreat to
lodge guests taking
extended holidays.

3. Business background
Employed front desk clerks and
a concierge who accepted
payments, facilitated check ins,
and helped customers find
information online.

4. How hackers got in
A front desk clerk used her
computer to process a customer’s
credit card, then helped him find a
top-rated restaurant for his
anniversary dinner.
Unbeknownst to her, she clicked
on a malicious link that had been
added to a legitimate restaurant
page by a hacker.

5. What is a malicious link?
The goal is to get users to willingly
click on a link that automatically
downloads harmful malware onto
their system, or redirects to a
spoofed website.
Malicious links can be found in
phishing emails but also on
regular, legitimate websites.

6. How hackers got in
The link automatically downloaded
keylogger malware to the clerk’s front desk
computer.
The malware recorded every keyboard click
and any card swipe taken by a USB
connected mag stripe reader.
The infected computer’s malware began
secretly scraping payment card data
whenever it was swiped.

7. What the business did wrong
Using an unencrypted USB
magnetic stripe reader is an
insecure practice.

8. What’s wrong with a USB card
swipe device?
Most hotel property management systems read credit cards by
attaching a USB card reader to the computer.
In most cases this device emulates a normal keyboard and
transfers the card swipe data using clear text. Attackers can easily
access and read information in clear text.
Encrypt-at-swipe readers are a potential solution to make card
data unusable to cybercriminals.

9. What the business did wrong
Accepting credit cards on the
same machine used to
browse the Internet is an
insecure practice.
Segmentation and employee
training could have solved this
very common hotel problem.

10. What is segmentation?
Segmentation is the act of
compartmentalizing network areas that
contain sensitive information (like
customer credit cards) from those that
don’t.
Segmentation is a very secure practice
because it’s impossible for sensitive
data to leak outside of its allotted area.

11. What they should have done
The resort should have dedicated
one front desk computer to browse
the Internet on the guest network
with no access to the POS system.
The other machines used for
taking credit cards should have no
or very limited access to the
Internet.

12. SecurityMetrics
We Protect Business
Services
PCI, HIPAA, & data
security solutions for
businesses of all sizes
Qualifications
Global provider of
ASV, QSA, PFI, PA
QSA, P2PE services
Experience
Assisted over 1 million
organizations with
compliance needs