Secret Service Warns Against Keylogging Malware At Hotel Business Centers

Here’s one that should be added to the earlier list of possible hotel scams. The U.S. Secret Service has sent out a warning to hotel operators, asking them to check shared computers in their business centers for malware that can log keystrokes and steal sensitive information from users.

Cybersecurity expert Brian Krebs reports that an industry-only advisory sent out by the Secret Service and Dept. of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) on July 10 states that authorities in Texas recently arrested suspects caught monkeying with business center computers in the Dallas/Fort Worth area.

The suspects would access hotels’ business centers — by using bogus credit cards to book rooms, of course — and then install keylogging malware that “captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” according to the NCCIC warning. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The government’s advice to hotels is well-intentioned, but as Krebs points out, most of it won’t stop this kind of attack.

Limiting users’ access so they can not install or uninstall programs is a good idea in general for shared computers, but much of today’s malware doesn’t need admin-level access.

Likewise, wiping a computer clean after each session will probably get rid of the malware, but Krebs says malware-installing jerks (our words, not his) can often get around this if they are allowed to insert CDs or USB-based Flash drives. Taking away access to discs or USB drives would render many business center computers useless.

“The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer,” writes Krebs, who recommends not using public computers for anything other than browsing the web.

Meanwhile, over in the Wall Street Journal, writer Christopher Mims is sharing his Twitter password with the world, making the case that two-factor authentication (in which the user must, in addition to a password, enter a unique passcode sent to their wireless device) is the end of having to worry about having multiple passwords for every possible site and service you log into.

Which is a good thing, as Ars Technica reports that a new study found hackable flaws in multiple popular password-managing programs, meaning someone could breach one of those services and have immediate access to a huge number of passwords.