In response to Brian Krebs’ blog which details a powerful flaw in the Hilton Hotels site that lets anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number. Here to comment on this blog is Kevin Westin, senior security analyst with Tripwire.
Ken Westin, senior security analyst, Tripwire (www.tripwire.com):
“We have seen a number of loyalty programs hit by hackers from hotel point programs to air miles. These are a popular target of hackers because although these points are a currency in their own right, they are not secured the same way as cash or credit card data. PCI DSS for example does not apply to these systems, even though these points can be exchanged for goods and services. By not putting the same level of due care in securing these loyalty programs, airlines and hotels risk hurting their brand and losing the loyalty of dedicated customers. The loss of points is one factor, but there are also security and privacy implications of having access to customers’ travel history, particularly for high profile executives and politicians.”
Tripwire, Inc., a global provider of risk-based security and compliance management solutions, today announced Tripwire® Enterprise™ version 8.3 featuring a new, stand-alone Policy Manager™. Tripwire Policy Manager provides the detailed visibility into system configurations critical to minimizing security risks and ensuring compliance.