Picture, if you will, a popular restaurant on a busy night: couples, families, and gatherings of friends all milling around the lobby, outside the doors, and on the sidewalks awaiting their turn to get a table and a meal. An unsuspecting couple walks up to the hostess and is told the wait is an hour or perhaps more. While they look about and try to decide if it’s worth the wait, they see a sign, or perhaps someone well dressed comes up to them and hands them a business card for the latest promotion: No reservation? Instead of call-ahead seating or waiting who knows how long for the next available table, use our online list to cut your wait time in half! Use our guest network for ½ off an appetizer while you wait!
The card has the name of the wireless network and the URL for the reservation system. Now consider: what are the odds that at least a dozen people would pull out their smartphones, get on the allegedly restaurant-owned wireless network, and visit the reservation site? And when asked to secure their reservation, how many would not think twice about filling in their credit card number? You may scoff, but in a world where people still think foreign bankers will transfer them funds from dead expats who happened to leave no heir, you know that scheme will land some attacker a handful of credit cards along with other PII every time they try it. All they need is an inkjet printer, a Wi-Fi access point, and a server that offers DHCP, DNS, and web server capabilities. Heck, you can get all of that with a Raspberry Pi setup run off batteries, and fit it in your pocket or tuck it inside a potted plant.
As more and more restaurants go online themselves, or join popular services like OpenTable or Booking.com, customers will become more and more familiar with online booking systems. Those services are immensely popular, well maintained, and have a good security record, but not every restaurant uses them, while more and more consumers are getting comfortable with the idea of making a reservation or getting on the waitlist online. Those who are not technical enough to know better, and even those who should know better but are in a hurry or not paying attention, might fall victim to a spoofed hotspot or a fraudulent website.
We can’t expect restaurants to police their surrounding areas and investigate every Wi-Fi network that crops up, especially when an attacker can use a legitimate SSID and a stronger signal. We can’t verify every possible reservation system that crops up and keep a list for consumers to refer to before booking. But we can raise awareness. We can educate our users, our families, and our friends about how to conduct transactions online securely. It’s easy to recognize whether or not a website is using encryption (the padlock and HTTPS) and, more importantly, when you should not trust that encryption (the scary pop-up dialog box that warns you to run away!). What’s perhaps harder is making sure they understand the difference between an open and a secure Wi-Fi network, and how much PII is too much PII to share with a service they are not very familiar with.
As more and more services come online and want to store more and more information about consumers, including names, addresses (so we can send you local specials), birth dates (so we can send you a coupon for a free appetizer!), and credit card numbers (to make repeat online purchases easy), there is an ever-increasing treasure trove of information that is an exceptionally appealing target for hackers.
Major financial institutions being hacked seems to be a regular occurrence. When government agencies charged with security can’t keep from leaking hundreds of thousands of taxpayers’ records, or the data on background investigations for millions of federal contractors, do we really think that restaurant chains are not going to fall victim to an APT, or an inside job, or perhaps even just an oops that spills a few hundred thousand credit card numbers out the door? Any time a credit card is entered online, increased risk is booking a trip to visit you, so when you are booking a table at that trendy new restaurant that just opened, consider what data is being requested, and whether or not the information they are requiring is really reasonable for something you could do with a simple phone call.
OpenTable wants a name and an email address, and while they do send you emails, they certainly don’t expect you to enter a credit card number to book a reservation. The same holds true for Booking.com. When those two services are successful without needing a credit card, why does any other service need it? Exactly!
Vigilance is key. If you must use a credit card, be sure you use one that offers a ‘no liability’ commitment for fraudulent charges, and my recommendation is to stay away from using debit cards or other credit cards that are tied to your bank account. Sure, you may be able to get the money back, eventually, but I am more comfortable keeping a complete separation between online transactions and my bank accounts. Keep your hospitality experiences hospitable, and don’t make it easy for attackers to take advantage of you!