Boarding Pass

By David Tykol
This item appears on page 2 of the April 2010 issue.

Dear Globetrotter:

Welcome to the 410th issue of your monthly overseas travel magazine.

Looking out for you, we’ve run across several warnings that I thought you should know about.

Trustwave (Chicago, IL; 312/873-7288, www.trustwave.com), a firm that works on behalf of the five major credit card brands, released a report on computer-security investigations they were hired to perform (through their SpiderLabs division) at various companies and organizations worldwide. Results were published Feb. 4 on DarkReading.com, an online security trade publication.

First I’ll state some of the findings and then I’ll translate the technicalities.

Of 218 data-breach investigations done in 24 countries in 2009, Trustwave found that 38% involved the hospitality industry, with 98% of the targeted data being payment card information. Of those attacks on computers, almost half occurred via remote-access applications, and 90% of those exploited default or weak passwords.

What that means is, in the 218 computer-hacking cases studied, hackers looking for, among other things, credit card and debit card numbers went after computers in hotels 38% of the time — far more than the 19% of incidents at financial services firms or the 14.2% for retailers or the 13% for dining places. (Filling out the total were business services, 5%; technology, 4%; manufacturing, 1.4%; education, 1.4%, and other, 4%.) (For the record, of the 218 cases studied, 18% were inconclusive, with no evidence of an attacker accessing sensitive data.)

Until last year, computers of businesses in the food-and-beverage industry had the highest percentage of attacks. The current targeting of hotels is largely being done by organized crime groups that specialize in hacking into computer systems. They utilize sophisticated software programs to gather credit card information and then use the stolen card numbers to make fraudulent purchases.

The hotel systems investigated included those of some large international chains as well as smaller, independent hotels. And in nearly half of the cases, the attackers exploited remote-access software. The following is one way it could have occurred.

Hotels sometimes employ outside IT (information technology) firms to keep their computer systems up and running. Sometimes the IT firms use installed software in order to repair or diagnose computer glitches from a remote location. The IT firms, however, are not hired to handle the hotels’ computer security and can be lax about it, leaving obvious or original passwords in place — essentially leaving cyber-criminals “unlocked back doors” that are easy to enter.

If the information on an establishment’s computer is not encrypted, it can be retrieved by these criminals. Some crime gangs use software that continually scans the Internet looking for particular “signatures” (snippets of code) unique to point-of-sale systems. Upon finding them, they either snatch and grab information or download “malware” onto the computers to record all subsequent transactions.

Most disturbing — Trustwave found that some criminals had their programs running for 100 to 600 days before either being caught or shutting the programs down themselves to avoid being detected.

Also discomforting — it took an average of 156 days for the data breaches in the hotel networks to be discovered. Eighty percent of the time, it was the “external regulator bodies” (such as the credit card companies) that discovered the breaches; the hotels noticed them only 9% of the time, with public detection accounting for 8% and law enforcement for 3%.

From information we gathered, it seems that the data-breach attacks rarely occurred during the credit card transactions, in the brief periods when the cards were being swiped or the card numbers were being sent to the credit card companies. Those payment systems are heavily encrypted. What was targeted more often were the (unencrypted) reservation files, which simply stored the cardholder data of hotel guests until each guest’s payment was processed.

Okay, you don’t need to freak out about this. The chances of your being a data-breach victim are very, very low. Besides, credit card companies have a standing antifraud policy, so you can contest any fraudulent charges that show up.

But what can you do to avoid being a victim?

When making a room reservation using a credit card, you might inquire if the hotel changes its computer password frequently; their doing that would curtail an attack. You might inquire if your credit card number will be encrypted when stored or even if it will be stored not on the computer but written down somewhere instead.

Lastly, scrutinize your credit card statements closely, at least monthly, for any odd charges, even long after a trip. We now know that a hotel whose system is breached could have its credit card information stolen for anywhere from three months to almost a year and a half.

In other news — following attacks on foreign women tourists in Goa, India, the state government has recruited a special force of, initially, 60-plus ex-servicemen to patrol the popular beaches as wardens, supplementing the state police.

The global financial crisis has resulted in budget cuts, layoffs and reductions in salaries in many countries, which lately have been experiencing more worker strikes and slowdowns than usual.

Many of these strikes, which seem to be more frequent in Europe, have directly involved trains, airlines, subways, ferries and ports. Strikes have caused airlines to halt flights, airports to shut down and city dwellers to yearn for taxis.

Keep this in mind when planning your travels. Have contingency plans, and consider if trip delay/interruption insurance is right for you.

A total solar eclipse will occur this year on July 11, and one of the best places to watch it from (weather permitting) will be Rapa Nui (Easter Island), where it will last four minutes and 41 seconds.

More than 5,000 visitors are expected to want to view the eclipse from there, and that’s causing the government some concern, since the island has only 1,500 hotel beds and those have already been reserved. Cruise ships may provide some quarters.

In October last year, Chile’s Supreme Court ruled unconstitutional a policy of tracking tourists and migrants to Easter Island which had been instituted by the island’s indigenous population. Filling out the visitor cards is now voluntary but could help authorities determine how to reduce the impact of high tourist numbers on the island’s resources.

In February, the company Koito Industries, in Yokohama, Japan, admitted that, since the mid-1990s, it had falsified test results and made unauthorized design changes in the passenger seats for about 1,000 commercial airliners operated by 32 airlines. The company will fix about 150,000 passenger seats in, mainly, Boeing Company and Airbus SAS planes.

In some seats, the axle in a new design had failed a safety test. In others, the material covering the seats was not certified as adequately fire resistant.

While the repairs are being made throughout 2010, regulators are allowing airlines to continue operating planes with Koito seats, including Japan Air Lines with 184 affected planes and All Nippon with 141. Other airlines, including Continental Airlines and Singapore Airlines, are delaying deliveries of new planes until the seats are upgraded.

I reported in March 2009 that the retired luxury liner Queen Elizabeth 2 was to be turned into a hotel moored in Dubai.

Well, the current owner, Dubai World, is deep in debt and had hoped to use her as a floating hotel at the FIFA World Cup games in South Africa this June-July, but that deal fell through. There are rumors that the ship may be up for sale again soon. I hate to imagine her fate if she doesn’t find a new home.

Enough with the news! How about something warm and relaxing?

Judy Hippner of Chandler, Arizona, offers the following: “I have found that, frequently, in both US and international hotels, the bathtub stopper mechanism doesn’t work. So I bring a rubber sink stopper with me and always enjoy a full, hot tub at the end of the day.”

Can any of you top a bubble bath as a travel tip?

In the January issue, a subscriber asked readers to name any companies with tours overseas geared to active octogenarians and nonagenarians. We’ve had a number of readers writing in requesting those results but very few people actually recommending tour companies.

This tells me that there’s a huge market for this niche of travel. Are you listening, tour company owners?

Anyone with specific suggestions, write to Super Senior Travelers, c/o ITN, 2116 28th St., Sacramento, CA 95818, or e-mail editor@intltravelnews.com. (Read more on page 32.) We’ve got travelers with itchy feet looking for shoes to fit them in! — DT