Transcript
Introduction to security in hospitality
Hi everyone. This week in Matt Talks, episode eleven, I wanted to talk about security. Security is not one of those topics that gets many people excited. Unfortunately, this is not the most exciting new AI feature. This is really about protecting your data in the hotel. And unfortunately, we are seeing an elevated amount of attacks happening against cloud systems, where traditionally most legacy platforms were seeing real elevated attacks, and you'd see these press releases that millions of accounts were stolen with lots of unencrypted credit card data.
It's much harder because a lot of the industry is moving into the cloud and seeing the benefits. So while the attacks are much smaller, we're seeing a larger volume of them, because they are now psychologically tricking your employees to hand over their login credentials. And then through that, they're downloading data, and through that, they're contacting your guests. So it's quite an advanced model, unlike what they used to do. So in this Matt Talks, what I wanted to talk through is, first of all, in detail what phishing is and how it is being done today, what you can do about it, and then lastly, what we are doing about it as a company.
Chapter
What is phishing, and who does it impact?
So let's kick off with phishing.
Whenever you hear "phishing", you probably think, oh, it's an email from a prince in a faraway country saying you won some prize money. But this has gone far beyond just the email campaign saying, you know, verify your account, click on this button, and then you log in and you've just passed over your login credentials.
This goes much further than those traditional campaigns, and these criminals are incredibly smart in tricking your employees psychologically.
So, who does it impact? First of all, we're seeing this across the industry, across property management systems, central reservation systems, CRM systems, anything that houses valuable guest information. And they're looking for email addresses, telephone numbers, and guest names, and reservation data.
So what they're trying to obtain is enough data to contact your guest and say, hey, Mr. Smith. You have a reservation on the fifth of August at hotel ABC.
Unfortunately, your credit card failed. Click on this link to resubmit your credit card. And then that takes them to like a Google form or one of these web forms.
And then guests are submitting their very personal credit card credentials because it sounds pretty valid. Like you get an email and they know all of these things about your reservation at a hotel.
And unfortunately many, many, many guests are falling for this.
So this is happening across most industries, but we're seeing specifically elevated attacks in the last few months in hospitality.
And they're targeting hoteliers because they know we have all of this very personal data.
And people that are traveling are used to handing over their credit card credentials in different, sometimes unencrypted ways because of all the legacy systems that we've had for many, many years.
Chapter
How phishing works, with examples
So in the next slide, I'll talk about how they're getting in, because that's a really important step so that you can protect yourselves against that. The cost of these attacks is serious, because what they'll do is they'll log into your system, they'll download all of the guest data, and then they start contacting your guests directly and they start charging these credit cards of guests.
And obviously the guests are feeling the impact.
And while they can probably do chargebacks, they can ask their banks to refuse the charges.
There's this huge reputational damage that this is doing to your hotel, because they are like, well, clearly I can't trust this hotel. I've given them my data. And then they gave away login credentials of their employees to these criminals, and they're now using my very personal data. So there's a reputational damage that we're fighting.
And the way that they're getting access to the login credentials, the way that they're tricking your employees, is constantly changing. And they are really, really good, and it's very hard to spot. So that's what I wanted to just show you.
So this is a way that they're currently targeting you. So what you see is that your employees are saying, hey, I'm looking for a Mews login. This takes them to the sponsored link, and let me just pause there. Sorry.
What you see is this sponsored link that says app dot mews dot com. Google allows these advertisers, which they call valid advertisers. We've contacted Google many times and we said, can you take them down? These are not valid advertisers. But because they are spending money on Google, Google wants to protect them.
It is absolutely crazy.
You see that everything looks exactly like Mews. But what happens when you click on that link?
You see, you click on it, and it takes you to a different URL that looks almost the same. The whole page, they've copied the login page, and then it takes you to app dot mewaes dot com, a slightly different URL. Most people don't notice this, and then they log in with their username, their credential, and even two-factor authentication codes they're now copying across. So even with two-factor authentication, you're not one hundred percent clear unless you're using the magic links.
And then that's how they log in to the system.
So the first step is for them to obtain the login credentials of your employee. They will log in with those credentials. They will create a new user. And then with that new user account, they will enable two factor authentication on that particular account. And then they start downloading guest files and guest data, because unfortunately one of your employees has fallen for their tricks on a public website like Google dot com, and then they start targeting your customers. So this is a multi step attack, but it all starts with your employees, unfortunately, handing over willingly their login credentials.
So we're also seeing these web pages, hundreds of different URLs. So in this one, you see, for example, it says app dot r n e w s. It looks almost like an m, so you'd have to be really good at spotting this. So one of the things we teach is obviously to make sure that they bookmark the URL to the login page directly on their computers so they don't have to Google. You should never have your employees Google login pages to any online services that you have, and never click on the sponsored link. The sponsored link is where the damage happens the most.
So it's also going beyond the email. Right? So previously, you'd get an email saying click on this button to provide your login credentials. We're now seeing voice phishing. So they might be calling your guests and saying, Mister Jones, you've got this reservation. Can you please verify? And the voice is really good, and they're using AI now to speak to your guests and get them to hand over these credentials.
SMS phishing, because they have the phone number from your guest database.
And with an email, we've now trained our staff to recognize things that look dodgy. However, with SMS, you can't see. This is just an SMS that you're getting from a random number. They know all the reservation data, so guests are falling for this. And they're really spinning off multiple vectors in which they're attacking your guests and your team members.
Chapter
How to protect your teams and guests
So let's talk about how we protect ourselves, because this is a really important thing. So one, we have to teach our staff never to use booking engines for finding logins, for finding login pages.
Those login pages should be bookmarked at the top of your page for any of the services that you're currently using across your hotels.
Every time you Google, they should verify the URL. If they are insisting on using Google to find the login credentials, you have to teach your staff to verify the login URL, or to make sure that they never click on the sponsored links.
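As an added illustration of the "verify the login URL" advice (this is example code written for this transcript, not Mews' own software), the check below compares a URL a staff member is about to use against a constructed allowlist of bookmarked login hosts. It flags the two tricks the talk shows: a host with extra letters (app dot mewaes dot com) and a host that swaps "m" for the lookalike "rn" (app dot r n e w s). The allowlist, the confusable table and the distance threshold are assumptions for the example.

```python
"""Lookalike login-URL check (added example, not Mews code).

Assumption: the hotel keeps an allowlist of bookmarked login hosts; any other
host that looks like one of them is treated as a probable phishing page.
"""
from urllib.parse import urlsplit

# Constructed allowlist of bookmarked login hosts (assumed, not real config).
BOOKMARKED_HOSTS = {"app.mews.com"}

# Character sequences that look alike in many fonts (rn vs m, vv vs w, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize_host(url: str) -> str:
    """Lowercase host from a URL; scheme added if missing, trailing dot dropped."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def fold_confusables(host: str) -> str:
    """Replace lookalike sequences so 'app.rnews.com' folds to 'app.mews.com'."""
    folded = host
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches added letters such as 'mewaes' vs 'mews'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url: str, allowlist=BOOKMARKED_HOSTS) -> str:
    """Return 'bookmarked', 'lookalike' or 'unknown' for a login URL.

    Only an exact host match counts as safe; a near match is the dangerous
    case, because it is exactly what the sponsored-link pages rely on.
    """
    host = normalize_host(url)
    if host in allowlist:
        return "bookmarked"
    folded = fold_confusables(host)
    for good in allowlist:
        if folded == good or edit_distance(host, good) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs modelled on the ones shown in the talk.
    for sample in ("https://app.mews.com/", "app.mewaes.com",
                   "https://app.rnews.com/login", "https://example.org/"):
        print(f"{sample:32} -> {classify_login_url(sample)}")
```

Only the "bookmarked" result should ever lead to a login; "lookalike" is the result to train staff to stop on, and the same check can be run over a browser-history export to spot a visit that already happened.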
One vector to help protect to some degree is two-factor authentication. So after you've logged in with your email address and your password, it will send a code to you on an authenticator app or it might send you an email, and then you use that to check in. So we've already switched our emails to magic links, because then you actually don't log in on the page that you're at, but you're getting an email and you have to click on the link in the email to log in. This one bypasses the phishing attempts that we're currently seeing.
However, if you've got the code that you get on the authenticator app, often those codes are valid for ten, fifteen seconds. When you paste those into the fake website, those phishing criminals are sitting within a copy of your website and they're instantly copying those across. So they're still able to log in if you're not diligent. So two-factor authentication is really good, and we've now enforced this across a hundred percent of our hotels.
They are still using it to gain access.
Always use a single login per person. Never share passwords across the hotels, and make sure that you use a password manager so that every service has a different login. So you should never have the same password for any service, especially your mailbox, because your email box is often set as the kind of master domain where all of your other services are sending login credentials to. So often when you're trying to log into a service and it says, I forgot my password, you just put in your email address and it sends you the email. So if the password on your email account is the same as the one on Mews, you've, you know, made it much easier to get attacked by these criminals.
Seven is that you need to require secure passwords. So it shouldn't be words that you remember or recognize, because they can reformat those really easily. Use a password manager to give you these secure passwords.
Eight, you've gotta train your team. This is a training session that has to happen regularly, because they will forget, they're not diligent. And if it isn't their data, they don't really mind. If their credentials are leaked, what's the worst that can happen to them? But unfortunately, to you as a hotel operator, it could be severe, and especially to the guests as well.
If you're seeing new vectors, if you're seeing new types of attacks happening, make sure that you share those with our community, with your community, because we've got to teach each other. And then lastly, always, always be on the lookout. If you're on the Internet, if you're googling things, just don't trust everything blindly, because, unfortunately, there are a huge amount of criminals out there that are trying to attack you.
If I'd say anything, I'd say take a screenshot of this page, print this out for your teams, have it on the reception desk so that they really remember this. Make sure that this is in the hiring manual so that when new people join, you always repeat these things, because they are really, really critical.
Chapter
What are we doing at Mews
So what are we doing at Mews? Because we're working around the clock to help protect your team members, your guests, and their data.
So we are doing a number of device-level authorizations. So the first one is, when you log in, we are verifying that they're human. We've now added that tick box. If we recognize the device, so if I recognize that the computer that I'm currently on, I've logged in today, we'll say, hey.
This is safe. But if the moment you log in on a new device, you'll get an email from us saying, hey. A new login was logged from Amsterdam where I'm sitting today. Is that you?
So this will help identify that someone's logged in on your account. And if that looks suspicious in any way, then make sure that you ring the alarm and contact your administrator at your hotel and make sure that you reset your accounts.
We're investing heavily into expert security engineers. They're working around the clock for months already to help introduce new ways to protect ourselves. We're educating all of our team members internally regularly. We're talking about this at our all-hands meetings, making sure that whoever speaks to customers, to you, we're educating.
And we're making sure that every line of code that we insert into the system thinks about security.
And most of our software engineers are completely trained on security. We use companies to constantly evaluate all of the work that we're doing.
And I think the thing that I would recommend is that you think, okay, how often have we trained our team and how regularly should we do that? And making sure that you've set this training up for your team members.
Chapter
The final takeaway and be safe
If you walk away with anything from this short video, it is to teach your teams to never Google. Always use bookmarks.
So never Google login pages.
Always use the bookmarks that are registered on the computer, and make sure that every computer that your employees are installing has all the bookmarks logged on their desktop in some way to help them, because that's where it all happens. We are in active conversations with Google. Unfortunately, they are not helpful, but we will continue the fight and make sure that we push them as hard as possible. But in the interim, please make sure that your team members never ever Google login pages.
And if you ever have any concerns, make sure that you contact us. We have a twenty-four-seven support team on standby to help support you against any of these attacks. But this is relentless. It has been happening for many months and it is escalating, so make sure that you are protecting yourself and your different systems, because this is happening across the industry, across different systems.
Thank you and stay safe.