Hackers are coming for travelers. Here’s how to protect yourself.
Hackers by Aren Elliott
A few days after Kay Pedersen reserved a hotel room in Chiang Mai, Thailand, through Booking.com, she received an alarming email. It was a warning from Booking.com in broken English that there had been “some malicious activities” in her account. Yes, hackers are coming even when you use reputable sites.
And then the trouble started. A few days later, her husband, Steven, noticed a new reservation at another hotel. And then another one. The couple reported the fraudulent activity immediately and Booking.com canceled all of their hotels, including the one in Chiang Mai.
“We immediately called Booking.com’s customer service requesting our original reservation be reinstated and these other odd ones, which we had not made, be canceled,” says Steven Pedersen. “They were able to do so, but not at our original rate. The rate would now be more than twice as much.”
The Pedersens are not alone. A new hacking wave has hit travelers hard. A few weeks ago, criminals reportedly stole Booking.com passwords through its internal messaging system. Other popular targets include loyalty program accounts and other online travel agencies.
Why are travel accounts so prone to attacks?
“They hold very sensitive information, such as passports, driver’s licenses, dates of birth, and travel dates,” explains Caroline McCaffery, CEO of ClearOPS, an AI-powered security program management platform.
You don’t have to be a victim. There are strategies you can use now to ensure you won’t lose your hard-earned frequent flier points or see your hotel reservation get canceled. But there are also things you can avoid doing online that will keep your account safe. Ultimately, though, this isn’t your problem to solve, but I will tell you whose it is in a second.
How to avoid hackers
The bottom line is hackers are coming. Here’s how to keep your online travel account safe.
Use two-factor authentication
Two-factor authentication (2FA) requires a special code, along with your password, to gain access to your accounts. “Hackers can’t access this if they don’t have access to your device directly,” explains Zulfikar Ramzan, chief scientist at Aura, a digital safety company. He says if you’re using 2FA, it’s better to use an authenticator app rather than text messages for receiving 2FA codes, since hackers can also steal messages from your phone number.
Enable login notifications
That way, you’ll know if someone has accessed your account. “Actually, make sure you enable as many security settings as possible for the platforms you use,” says cybersecurity expert Amir Sachs, CEO of Blue Light IT.
Don’t repeat your password
Never use a simple password, and never, ever use the same password for multiple accounts. “The best way to prevent any online account from getting hacked is to have a strong and unique password for each site,” says Kevin Dunn, a senior vice president at NCC Group, a global cyber security consulting company. (Services like Google Password Manager, LastPass and Dashlane can help.)
Practice safe Wi-Fi
Keep an eye on your devices in public places such as airports, hotels, and restaurants to prevent theft and unauthorized access, advises Ted Miracco, CEO, Approov, a security company for mobile applications. Avoid connecting to public Wi-Fi networks, but if you have to, use a Virtual Private Network (VPN). Hackers can easily capture your personal information on a public network. “This is a growing threat and more common than most users realize,” he says.
Yes, you’re part of the problem
Obviously, travelers are part of the problem. They use insecure passwords, don’t take security precautions, and log on to dangerous wireless networks. But travelers are inherently vulnerable, say experts.
“People who are traveling are inclined to share too much personal information,” says Bob Bacheler, managing director of Flying Angels, a medical transport service. “Oversharing personal information on social media or with unknown websites can lead to identity theft or targeted attacks.”
Another issue, which isn’t necessarily unique to travelers, is clicking on suspicious links. Many of the hacking cases I deal with as a consumer advocate started with phishing, a technique that solicits sensitive information by pretending to be a legitimate business.
“Consumers often fall prey to phishing scams related to travel bookings,” explains Albert Martinek, a customer cyber threat intelligence analyst at Horizon3.ai.
Make no mistake, nothing leads to a hacked account faster than sending personal information by clicking on a malicious link. (You can avoid the problem by always accessing the website directly — never, ever follow the link.)
It’s remarkable to watch otherwise intelligent people falling for these scams every day. And by “every day,” I really mean every day. That’s about how often I get complaints about a hacking problem. And 9 times out of 10, it’s because they fell for a phishing scam.
Many hacking attempts end badly for the victim, with frequent flier miles lost forever or money withdrawn from travelers’ accounts.
But not the Pedersens’. I contacted Booking.com on behalf of the couple, and it promised to investigate. But even so, the Pedersens left for Thailand without knowing if they had to pay the higher hotel rate.
Booking.com said it investigated the incident and determined that Pedersen had fallen for a phishing scam directed at his Booking.com account. A representative said Booking.com had already secured his account and would refund the difference between the initial booking and the new rate.
Then, I got an email from Steven Pedersen.
“We arrived at the hotel yesterday, and, after much explanation showing copies of all the confirmations with their supervisor, a hotel representative finally understood the situation and reinstated our original rate,” he reports. “The process took several hours.”
Editor’s note: Travelers United has one of the best cybersecurity programs on the web. Protection includes VPN, a password manager, and a secure Swiss server. It provides the basics that every travelers needs.
Who’s responsible for this?
Don’t worry, you’re not responsible for this problem. The companies that didn’t protect you are at fault. And it’s up to them to fix it.
There’s a fix that would solve most of these hacking problems. It’s called Passkeys, and it’s a passwordless authentication system that uses biometric authentication like a fingerprint or face scan.
Some travel companies have already adopted Passkeys, including Kayak and Uber. (Here’s a directory of companies that currently use Passkeys.)
Travel companies are hopelessly vulnerable, and this problem will almost certainly get worse before it gets better. Consider that online travel agencies often share personal data with three or four different parties when they fulfill a booking request. Not passwords, but certainly enough personal data that it could cause problems if the information were to fall into the wrong hands.
The travel industry’s computer systems were designed with one thing in mind: to increase profits. They move customers’ money quickly and efficiently but generally treat your data carelessly. Unless there are real consequences for playing fast and loose with your personal information, including your passwords, this problem will not go away.
It’s not your fault — but you will have to pay for it.
Elliott’s tips for avoiding a hack
Here are a few more strategies for keeping your accounts from getting hacked.
Book directly with a reputable company
Think twice if you don’t recognize the online travel site. There are just too many fly-by-night operations that either treat your personal data carelessly or, in some cases, just steal it. And that’s especially true if the deal looks too good to be true. “Better yet, book directly with the travel company or airline,” says Bala Kumar, chief product officer at ID verification platform Jumio.
Be suspicious of urgent emails
Many hacks happen through booking partners, which can have IT systems with lax security. The pattern is similar: Someone will gain access to the email system of a booking partner and use it to send a message urgently warning you, often a day before your travel, that your booking is at risk of cancellation unless you send your credit card details again. “Obviously, the hackers are just trying to get your credit card information,” says Corey Nachreiner, chief security officer at WatchGuard Technologies, a network security company. Report the email to the company immediately.
Mind those foreign phone numbers
If you’re setting up two-factor authentication, make sure you’ll have access to it after you get home. “We’ve heard several stories from international travelers who set up 2FA through a foreign number purchased during extended trips abroad, who then lose access to the account at the end of their trip when they deactivate the number,” says Joe Cronin, CEO of International Citizens Insurance.
Editor’s note: Travelers United has one of the best cybersecurity programs on the web. Protection includes VPN, a password manager, and a secure Swiss server. It provides the basics that every traveler needs.
READ ALSO:
Carrier surcharges are an increasingly bad joke — and worth a look by Congress
10 cruise mistakes that can cost you dearly
Christopher Elliott is an author, consumer advocate, and journalist. He founded Elliott Advocacy, a nonprofit organization that helps solve consumer problems. He publishes Elliott Confidential, a travel newsletter, and the Elliott Report, a news site about customer service. If you need help with a consumer problem, you can reach him here or email him at [email protected].
