On a business center computer, a keylogger stuck into the back of a machine can go undetected for months -- and that's assuming the person who finds it knows it shouldn't be there.
Another attack method: Installing software directly onto the machine, using general-purpose Trojan malware such as Zeus, which will "sit around and look for user names and passwords for people browsing online," Hargenrader says. The Trojan will also look to steal credentials, banking login, credit card information and company logins.
In the Dallas/Forth Worth case, the suspects allegedly used stolen credit cards to register as hotel guests, then logged on to install keylogging software onto those machines.
Security Cameras, Touchscreens Can Help Hotels Prevent Data Fraud
Hotels have a few options on how to prevent this kind of theft.
One low-tech but effective tactic is installing video surveillance, says Chris Poulin, IBM security strategist. "Cameras can be a pretty good deterrent." Just knowing that they're being recorded can stop hackers from trying to insert a USB keylogger -- not to mention identify perpetrators if they still try.
Hotels can also swap out standard screens with touchscreens and activate Windows 7 Touch features that come with the device, says Hargenrader. If there are no keys, there are no keystrokes to record.
Going a step further, hotels could replace PCs with tablets, says Poulin, especially as the demand for doing much more than printing boarding passes declines as travelers bring their own devices.
Hotels could also arrange for their computers to set up virtual desktop for every visitor, requiring a login to get into the system. "They get a fresh copy of a known operating system and operating system. When they logoff, it wipes everything out," Poulin says.
More immediately, though, Hargenrader says hotels should remind visitors that lobby and business center computers are public and that they shouldn't put their information at risk.
Another option: They can do what my hotel in Rome did and limit what kind of information customers can enter into the system. "When you put your boarding pass information in, you put in the flight locator code. It's limited information that's not personally identifiable but still gives you access," said Hargenrader. If malware captured that information, it would give criminals nothing in return.
Sign up for CIO Asia eNewsletters.