Every industry in the world is vulnerable to phishing and other cyber attacks, but retail and hospitality rank among the highest-value targets for hackers looking for personally identifiable information (PII) and payment card information (PCI). These two industries are often ranked among the top three most vulnerable industries, right behind financial institutions. That vulnerability became apparent earlier this month when the MGM Grand cyber attack shut down hundreds of casino games and disabled hotel room cards. The company reportedly lost between $4.2 million and $8.4 million in daily revenue during the attack.
Retail and hospitality (R&H) companies collect PII and PCI data through many customer interaction points – loyalty programs, reservation sites, stored purchase histories, or customer journey data. But the data itself may reside in places vulnerable to attack, like point-of-sale (POS) systems, call centers or shared workstations. In some cases these systems are installed on legacy infrastructure that often lacks up-to-date authentication controls, potentially leaving customers’ security and personal data at high risk from cyber attacks.
A robust phishing-resistant multi-factor authentication (MFA) solution is needed to protect this kind of data and to access it securely. As industries that often work directly with consumers, R&H has the added challenge of making sure any MFA solution is user friendly and easy to understand. Consumers are frequent targets of credential-theft scams that rely on “social engineering” – a recent Verizon Data Breach Investigations Report found that 74% of breaches are caused by stolen credentials. A second authentication factor – or better yet, going completely passwordless – is crucial to avoid falling victim to another cyber attack. Usernames and passwords, and other legacy MFA such as SMS codes, mobile authenticator apps and one-time passcodes, do not offer enough security, nor do they provide a good user experience.
Hyatt Hotels and YubiKeys
Recently, Hyatt Hotels reached a security crossroads – legacy authentication systems weren’t meeting their needs. Art Chernobrov, Hyatt’s Director of Identity, Access and Endpoints, had seen enough of the old authentication system. His massive hotel chain had 200,000 employees moving between 1,500 locations (and working remotely), and he had already moved away from traditional usernames and passwords. Employees were using a one-time password (OTP) sent over SMS, which created an atmosphere of ‘MFA fatigue’ because they faced numerous MFA prompts every day.
YubiKeys offered a solution that worked well with Hyatt’s existing Microsoft authentication services, such as Entra ID (formerly Azure AD) and SSO. With a hardware-bound, phishing-resistant security key, MFA fatigue was no longer an issue and the organization as a whole could embrace a passwordless future. Hyatt Hotels is leveraging YubiKeys and passwordless authentication to reduce risk as well as to elevate the guest experience in their lobbies.
Covering the retail and hospitality cybersecurity bases
Deploying a new MFA solution should start with due diligence and an internal audit. This is why it’s critical to follow proven guidance to ensure that you have all the information you need. In general, it’s good to start a rollout with your high-value users, the ones handling the most sensitive data. These employees are more motivated to follow directions and adopt a new system. Once MFA is road-tested with that group, expand the use cases by rolling it out to the rest of the workforce.
We recommend making a key applications inventory part of your internal audit. During that inventory, you might ask these questions for each application or authentication scenario.
- Who needs access?
- What authentication approach will you take?
- How do you currently manage access: IAM, IdP, PAM, SSO, or VPN?
- What is your workforce like: Remote, hybrid, on-premise, or multi-location?
- What devices are they using: Owned, BYOD, desktop, laptop, smartphone, tablet, POS terminals, or inventory scanners?
Come say hello in Dallas at the RH-ISAC Summit
The 2023 RH-ISAC Cyber Intelligence Summit is coming to Dallas, Texas on October 2-4. Retail and hospitality cyber security experts and executives will be there to discuss the latest technologies that will protect this sector in 2024, and Yubico will also be attending. We offer a discount code for those who want to register here.
All RH-ISAC Core Members are already granted free admission to the event, but the discount code applies to any non-RH-ISAC member. Please come by and see us at table 16 during the show!
——
Read our guide, “How to get started with phishing-resistant MFA to secure retail and hospitality” for more information on how YubiKeys can help your organization. Check out how Hyatt is leveraging YubiKeys in the case study here.