Preferred Hotel Guest Programs: Keyless Entry & Security

The New York Times recently reported on smartphone hotel key apps that will replace key cards at a few Starwood Hotels this week after initial testing at hotels in New York and California. Hyatt Hotels and Resorts also started testing smartphone hotel keys this September.

Hilton Worldwide plans to roll the feature out to its loyalty program members in the U.S. in 2016. Guests will be able to open their rooms by swiping their phone across a keyless pad on the door, ComputerWorld.com reports. The Hilton HHonors mobile app lets guests reserve rooms and unlock them, as well as access other areas of the hotel, such as fitness centers and elevators.

Meanwhile, Starwood’s app, SPG Keyless, is Bluetooth-enabled and sends guests a push notification on the day their room becomes available. The app requires a one-time registration process. Starwood plans to deploy it in 150 hotels worldwide by early 2015 as part of its preferred guest program.

It sounds like a nice perk of a hotel membership program, but, of course, security questions arise with any mobile application that can be accessed by logging in with either a password or a PIN and member number.

According to the 2014 Verizon Data Breach Investigation Report (DBIR), the top industries affected by point-of-sale intrusions include the accommodation and food service sectors. The accommodations industry ranks fourth when it comes to the number of security incidents with confirmed data loss, coming in after finance, public and retail.

Brian Krebs recently reported that Hilton’s HHonors app, which manages the loyalty points members accrue whenever they book hotels with the company, has been a target of criminals seeking to steal free rewards. He reported that criminals are using the login option of member numbers paired with 4-digit PINs to break into accounts, steal points, and sometimes use credit cards associated with the accounts to buy even more points.

A brute-force attack uses automated PIN/password-guessing tools to find a combination that works on any number of accounts. And, according to MathPlanet.com (surely a credible source for the algebraically challenged), there are only 10,000 possible combinations for 4 digits, making it feasible for an attacker to guess your PIN.

Several HHonors members are reporting breaches of high-point accounts (hundreds of thousands of points) in this FlyerTalk.com forum thread, Hilton HHonors Website Security - Accounts hacked Oct 2014. Some complain that they should be able to create longer, more robust passwords (more than 4 digits), while another recommends using two-factor authentication to protect their accounts.

Krebs also supports offering customers the ability to use two-factor authentication to protect their accounts, citing Security Keys (U2F devices). Some mobile apps let you protect multiple third-party accounts using a single two-factor app.

Some report that account hacks have been happening for months, with discussions starting in mid-April and victims chiming in from Australia to England to Orlando, Florida. While the HHonors app gives you two options to log in, it doesn’t let you turn off either option, meaning your account may still be vulnerable even if you craft a strong password. Hilton recently added a CAPTCHA to reduce the success of brute-force attacks, but more can be done for authentication security.
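To make the two points above concrete (a 4-digit PIN keyspace of 10,000 and the value of throttling guesses beyond a CAPTCHA), here is an added example that is not code from Duo, Hilton, or this article. It models a per-account lockout policy for a PIN-protected login, replays it over constructed log lines (the member numbers, IP addresses and timestamps are made up), and raises alerts both for one account being hammered and for one source failing across many accounts, which is the "any number of accounts" pattern a per-account counter alone would miss:

```python
"""Added example (not code from Duo, Hilton, or the article): a per-account
lockout plus brute-force alerting for a PIN-protected login, replayed over
constructed log lines. Member numbers and IPs below are made up."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct credentials: a 4-digit PIN has 10**4 = 10,000."""
    return alphabet_size ** length


def online_guesses_per_day(max_failures: int, lockout_seconds: int) -> int:
    """Upper bound on guesses one account can receive per day when it is
    locked for lockout_seconds after max_failures consecutive failures."""
    return (86_400 // lockout_seconds) * max_failures


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Enforces a per-account lockout and raises alerts for guessing patterns."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 900,
                 ip_failure_threshold: int = 3) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_failure_threshold = ip_failure_threshold
        self.accounts = defaultdict(AccountState)
        self.failures_by_ip = Counter()
        self.alerts = []

    def attempt(self, ts: float, member: str, ip: str, credential_ok: bool) -> str:
        """Returns 'allowed', 'failed' or 'locked' for one login attempt."""
        state = self.accounts[member]
        if ts < state.locked_until:
            # Refuse even a correct PIN while locked: a guesser who finally
            # hits the right value gains nothing until the lock expires.
            return "locked"
        if credential_ok:
            state.failures = 0
            return "allowed"
        state.failures += 1
        self.failures_by_ip[ip] += 1
        if state.failures >= self.max_failures:
            state.locked_until = ts + self.lockout_seconds
            state.failures = 0
            self.alerts.append(f"lockout member={member} at t={ts:g} source={ip}")
        if self.failures_by_ip[ip] == self.ip_failure_threshold:
            # One source failing across accounts is the spraying pattern that
            # the per-account counter alone would miss.
            self.alerts.append(
                f"source {ip} reached {self.ip_failure_threshold} failed logins")
        return "failed"


# Constructed log lines: <seconds> login member=<id> ip=<addr> result=<ok|fail>
SAMPLE_LOG = """\
0 login member=100001 ip=203.0.113.10 result=fail
1 login member=100001 ip=203.0.113.10 result=fail
2 login member=100001 ip=203.0.113.10 result=fail
3 login member=100001 ip=203.0.113.10 result=fail
4 login member=100001 ip=203.0.113.10 result=ok
5 login member=200002 ip=198.51.100.7 result=ok
6 login member=300003 ip=203.0.113.10 result=fail
1000 login member=100001 ip=203.0.113.10 result=fail
"""


def parse_line(line: str):
    """Splits one constructed log line into (ts, member, ip, credential_ok)."""
    ts, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return float(ts), fields["member"], fields["ip"], fields["result"] == "ok"


def replay(log_text: str, guard: Optional[LoginGuard] = None):
    """Feeds each log line to the guard; returns (outcome counts, alerts)."""
    guard = guard or LoginGuard()
    outcomes = Counter()
    for line in log_text.splitlines():
        if line.strip():
            outcomes[guard.attempt(*parse_line(line))] += 1
    return outcomes, guard.alerts


if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(4))
    print("guesses/day at 3 failures -> 15 min lock:", online_guesses_per_day(3, 900))
    counts, alerts = replay(SAMPLE_LOG)
    print(dict(counts))
    for alert in alerts:
        print("ALERT", alert)
```

Replaying the sample shows the fourth guess and the later correct PIN both refused while the lock is in force, one lockout alert for the member, and one alert for the source address once it has failed against several accounts. A policy of three failures followed by a 15-minute lock caps a single account at 288 online guesses per day, against a keyspace of 10,000, so exhaustive guessing no longer fits in a practical window. Hard lockouts can be turned against legitimate members as a denial of service, so in practice they are usually combined with growing delays and a second factor rather than used alone.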

Stealing and redeeming rewards points remotely is one way hackers are using access to these accounts, but keyless entry could also be exploited if they gain access to member accounts. And since NYTimes.com is reporting that hotel brands are building the mobile key apps on top of existing mobile apps and loyalty programs, it would appear that mobile keys are also at risk.