Social engineering petri dishes could easily be more secure
On occasion, I am struck by how unaware the management in some industries is of the number of risks they face in everyday situations. Take the hospitality industry. In between client meetings I sometimes look for a quiet, comfortable place to sit and do email or finish some work. Hotel lobbies are one of my favourites. I’m sure many business travellers would agree with me.
Within a 30-minute timeframe the other day in a hotel lobby, I made quick notes on every conversation the hotel staff around me were involved in while I was working. Although I was sitting 30 feet away from the front desk, I was within earshot, and there were several revealing tidbits I was able to overhear.
Here are some of the types of information that were easily overheard from across the lobby:
- The last names and room numbers of several guests checking in, and sometimes their company name or affiliation
- Customer preferences, such as which room number a named guest must always have when he/she visits (as discussed between staff members)
- Supplier issues and names of contacts within the supplier and the hotel for certain responsibilities
- The best and worst employees, as identified by staff and guests
- Screw-ups in bookings of groups between hotels
- Hotel facilities and their locations
I’m sure there are many other types of information I could have learned if I stayed longer.
While some of these things are not necessarily considered sensitive information, they make it easy for attackers to put together plausible scenarios that give them access to information and places they shouldn’t have. It struck me that the staff sometimes get so bored, they have nothing else to talk about except guest incidents and how they handled them. While it seems innocent enough, it is fertile ground for social engineering, data gathering and identity theft.
What could be done? Two things I immediately thought of, but I’m sure there are more:
- Segregate the front desk from public seating or waiting areas with sound barriers that make conversations more private.
- Train the staff to keep their voices down when discussing business issues in the open areas, on the phone or near other guests.
Let me know if you have any other ideas of ways to better manage this kind of risk in the hospitality industry.


mroonie on 11 May 2007 at 10:48 am #
This is something I’d never thought about. It’s definitely a good reminder of how security is necessary and can be implemented on many different levels. Here you have the hospital board discussing issues of compliance when identity thieves could merely be lurking their halls and lobbies getting all the information they need. Even if a doctor or a nurse were to say something like “so-and-so in room #392 appears to be filthy rich!” That’s all it takes for an identity thief to begin the prowl.