As cyberattacks and data breaches become an ever-more common side effect of life in the digital era, the role of social engineering and the historical prioritization of user experience over security in facilitating those attacks has become a huge focal area of the cybersecurity industry. Yet, it is not just the digital world that is vulnerable to social engineering – almost every process we undertake in our daily lives is being impacted by technological evolution that far too often places ease-of-use over security.
This past week I was in Mountain View attending a summit and stayed at a major chain hotel. The day before I was scheduled to leave, the travel organizer came walking up rather urgently and said I needed to check in with the hotel front desk immediately, as somehow they had checked me out and were ready to remove my luggage from the room and might issue the room to someone else. I met with the hotel manager who informed me that someone had checked out earlier that day around mid-morning and said they were checking out a day early and mistakenly gave my room number as theirs. The checkout clerk apparently said “I hope you had a good stay Mr. Leetaru,” but the person was preoccupied checking something on their phone and apparently did not hear or recognize that that was not their name.
Housekeeping was dispatched shortly thereafter to clean the room and discovered that my luggage and belongings were still in the room and notified management. The manager told me that since they were not at 100% occupancy they were able to keep the room for me, but that otherwise they would have boxed up all of my luggage and placed it in a bag in housekeeping and issued the room to someone else. I asked what would have happened if I was one of those people who put all of my luggage in the closet and don’t keep anything out in the room, and the manager acknowledged that housekeeping does not always fully check the closets and in such a case it could conceivably happen that someone else could check into the room and find my luggage in the closet and have access to all of my belongings.
In fact, three and a half years ago when I first moved to Washington I stayed at a major chain hotel for the first few days while waiting to move into my apartment. Just as happened to me this past week, the day before I was due to check out, someone gave the wrong room number to the front desk when checking out and the hotel listed my room as having checked out. That time, however, the hotel was fully booked and housekeeping took the entire contents of my room and placed it into a series of garbage bags, labeled them with the room number and deposited them in a storage room in the hotel. When I arrived back at the hotel that evening to find my room key no longer worked, the hotel discovered the problem and were able to find a room for me for that night, but when they went looking for my possessions, they could locate nothing other than a toothbrush. All of my clothes, papers, electronics and other possessions were gone forever, with the hotel noting that it bears no liability for guest property.
The fact that this week marked the second time that I’ve been accidentally checked out of a hotel because of a miscommunication fascinated me from a data standpoint, as this is a classic social engineering problem. If you think about it, hotels today gather an immense wealth of information about their guests. In fact, at one chain when I had dinner at the hotel restaurant the waiter asked if I wanted the same burger I had had at one of their other locations I had stayed at two months prior, which he said was displayed in their computer’s guest relations database. At another hotel chain there was a note on my bed that housekeeping had placed special neck support pillows in the room because I had once requested a firm pillow due to a neck injury.
Hotels collect all of this data, but today use it primarily to upsell products and to provide a more customized guest experience. Within this data is an immense amount of information that could be used to offer guests better security, but just like in the online world, the focus to date has been on using data to tailor user experience, rather than on improving user security.
When I spoke to the management of the Mountain View hotel and asked them why they don’t perform additional authentication steps when a guest checks out unexpectedly, the answer was that in a property with more than 400 rooms it is simply not tractable to enforce additional security steps, that errors are rare, that users would reject more cumbersome checkout processes and that the cost of those errors is relatively small, especially since hotels are not liable for losing or damaging guest property.
Those in the cybersecurity realm will instantly recognize these as all of the same arguments made as to why online websites can’t be made more secure – especially the desire not to subject users to cumbersome authentication processes. Additional authentication steps might also inadvertently introduce security risks. Imagine for a moment an automated checkout kiosk that asked for the room number being checked out and displayed the guest’s name to confirm that the room number had been entered properly. On the surface this sounds like a great two-step authentication process, yet by displaying the guest name for any room number entered, it also creates a grave privacy risk, where someone could observe a guest entering a particular room and then go down to the kiosk and begin the checkout process for that room, wait until the kiosk displays the guest’s name and then cancel. On the other hand, this is actually already the case, in that my own experience demonstrates that one can simply walk up to the front desk and say you are checking out of a particular room and walk away with a printed bill in hand that lists not only the person’s full name, but also potentially other useful identifying information.
In the ancient era of physical keys, authentication at checkout was easy – the receptionist simply looked at the room number listed on the keyring, making accidental misidentification rare. This raises the question of why hotels don’t ask guests to swipe their room keys on a scanner at checkout to confirm their room number. Asking a guest to state their room number and confirming that number from the key swipe would all but eliminate the possibility of a guest offering up the wrong room number when checking out, and requesting both pieces of information would prevent someone from finding a lost room key and maliciously checking a guest out. In fact, it was not that long ago that electronic room keys cost enough that hotels actually charged guests for not returning them at the end of a stay.
Imagine a hotel experience in which guests simply swipe their room key against a scanner at the front desk when checking out and a display in front of them shows their name and bill summary. They click a button approving the charges, are instantly checked out and receive their printed or emailed bill. While some hotels leave a printout under the door on the morning a guest is to check out, having guests swipe their room key on the way out would add an extra measure of authentication and precisely notify the hotel when they have checked out.
Yet, at the end of the day, this raises the question of why hotels can’t bring to bear those massive reams of data they collect on their guests to improve security. If their database shows a guest currently eating breakfast in the hotel restaurant while simultaneously a different guest checking out mistakenly offers up the same room number, the computer should be able to put those two data points together to realize there is a problem. Similarly, a guest inquiring about late checkout the following morning whose room number is given in an early checkout request an hour later might warrant the receptionist performing additional verification on the departing guest’s room number. In short, amidst the oceans of data hotels gather about their guests are myriad ways of improving guest security without encumbering them in any way.
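The two checks proposed above, confirming the stated room number against a key swipe and cross-referencing a checkout request with guest activity already on record, can be sketched as follows. This is an added example, not code from the article or from any hotel system; the record fields, event labels and two-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Stay:
    room: str
    guest: str
    key_id: str
    scheduled_checkout: datetime

@dataclass
class Event:  # one row of guest-activity data the hotel already records
    room: str
    kind: str  # assumed labels: "restaurant_charge", "late_checkout_inquiry"
    at: datetime

def risk_signals(stay, events, now, recent=timedelta(hours=2)):
    """Reasons the stated room may not belong to the person at the desk."""
    signals = []
    if now.date() < stay.scheduled_checkout.date():
        signals.append("checkout is earlier than the booked departure date")
    for e in events:
        if e.room != stay.room or not (timedelta(0) <= now - e.at <= recent):
            continue
        if e.kind == "restaurant_charge":
            signals.append("recent restaurant charge on the room")
        elif e.kind == "late_checkout_inquiry":
            signals.append("guest recently asked about late checkout")
    return signals

def review_checkout(stays, stated_room, swiped_key_id, events, now):
    """Return (decision, name_to_display, reasons) for a checkout request."""
    stay = stays.get(stated_room)
    if stay is None:
        return "reject", None, ["no active stay for that room"]
    if swiped_key_id is not None:
        if swiped_key_id == stay.key_id:
            return "approve", stay.guest, []  # name shown only after the key matches
        return "reject", None, ["key was not issued for the stated room"]
    # No key presented: fall back on the data the hotel already holds.
    signals = risk_signals(stay, events, now)
    return ("verify" if signals else "approve"), None, signals

# Constructed sample data (not from the article).
NOW = datetime(2024, 5, 14, 9, 30)
STAYS = {"412": Stay("412", "Guest A", "key-412", datetime(2024, 5, 15, 11, 0)),
         "214": Stay("214", "Guest B", "key-214", datetime(2024, 5, 14, 11, 0))}
EVENTS = [Event("412", "restaurant_charge", datetime(2024, 5, 14, 9, 10))]
```

The guest name is returned only when the swiped key matches the stated room, so the check does not reproduce the kiosk privacy leak described earlier.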
Putting this all together, perhaps the biggest lesson is that the prioritization of user experience over security that has plagued the online cybersecurity world is just as prevalent in the offline world, with just as severe consequences. However, perhaps the more important lesson is that hotels, like many organizations, are assembling vast dossiers on their guests over time for the purposes of marketing and guest comfort, but are missing tremendous opportunities to transparently improve guest security and eliminate key authentication loopholes. In the end, like the rest of the big data industry, hotels must eventually move beyond simply examining data towards employing it in a holistic way across their activities.