BANGKOK, 4 May 2018: A growing weight of evidence suggests travellers could be perilously exposed to hackers when they use poplar travel related booking sites.
Unsafe password practices leave users’ accounts open to hackers according to the latest research by Dashlane, while news released in the UK media and by the Association of British Travel Agents say accommodation booking fraud is on the increase.
Security risks are high for avid travel bookers who use popular travel booking sites and believe they are password protected.
Dashlane, a trusted digital security company, announced the results of its first Travel Website Password Power Rankings, Wednesday, and it paints a sorry picture of password security on most travel booking sites.
The rankings examined password and account security on 55 of the world’s most popular travel-related sites and found that 89% of sites leave their users’ accounts “perilously exposed to hackers due to unsafe password practices.”
Dashlane researchers tested each website on five critical password and account security criteria. A site received a point for each criterion it met, for a maximum score of 5/5. Any score below 4/5 was considered failing and not meeting the minimum threshold for good password security.
Only 11% (6 of 55) passed with a score of 4/5 or better, and only one travel-related website received a perfect 5/5 score; Airbnb.
Unlike Airbnb, other household names, American Airlines and Carnival Cruise Lines failed, receiving a score of 1/5. The websites even allowed Dashlane researchers to set up accounts with alphanumeric passwords “12345” and “password.” (Full list of the ratings at the end of this report.)
But password protection and online security is only one of the hazards.
OTAs are at considerable financial risk too from fraudsters armed with stolen credit cards.
According to ENett’s ‘It Pays to Know Report’ a fraudster will list a fake hotel on a booking site and then use stolen credit cards to make bookings via the OTA’s website. The OTA will eventually receive chargebacks for the bookings using stolen cards, but it will have already made a payment to the fake hotel. By this point, the fraudster will have withdrawn all the funds paid by the OTA leaving the OTA with a financial loss.
ENett also claims there are examples of hotels collaborating with fraudsters. The hotel raises the online rate by a big margin, fraudsters book the rate using stolen cards and they split the winnings, leaving the OTA with a hefty chargeback bill.
In Europe chalet rental frauds that focus on ski resorts are a major problem. The BBC and the UK Daily Mail reported, last month, bogus chalet resorts had scammed thousands of pounds from hapless British holiday makers.
Fraudsters create bogus websites for fake ski resort chalets in Europe, or insert the chalet profile on a popular travel website, in order to skim off holiday rental deposits. They may even include airfares and transfers in the bogus offers to increase the overall value. They ask for a deposit usually through a direct bank transfer or a payment to a person’s bank account and the heist is done and dusted. On average the chalet fraudster absconded with UKP 2,000 for every successful scam or an estimated total of UKP 250,000 in 2017.
The Association of British Travel Agents reported, in mid April, that fraudsters stole UKP 6.7 million from 4,700 unsuspecting holidaymakers and other travellers in 2017.
ABTA, City of London Police and Get Safe Online are joining forces to warn the public about the dangers posed by holiday booking fraud.
The latest report, compiled by the City of London Police’s National Fraud Intelligence Bureau, revealed the scale of reported crime, and exposed common tactics used by fraudsters.
The average amount lost per person was over UKP1,500, an increase of 25% year on year.
These individual losses are substantial, but this form of fraud also has other severe effects with almost half (2,245) of victims saying that it had a significant impact on their health or financial well-being.
The most common types of fraud relate to the sale of airline tickets (47%) and accommodation booking (38%).
Where destinations were identified by victims, 54% said they had been intending to travel to Africa and 24% to Asia.
The City of London Police, ABTA and Get Safe Online have published advice on how to avoid becoming a victim of holiday booking fraud. Here are the top tips relevant worldwide:
Stay safe online: Check the web address is legitimate and has not been altered by slight changes to a domain name – such as going from .co.uk to .org
Do your research: Don’t just rely on one review – do a thorough online search to check the company’s credentials. If a company is defrauding people there is a good chance that consumers will post details of their experiences, and warnings about the company.
Look for the logo: Check whether the company is a member of a recognised trade body. Unfortunately in Asia, travel trade associations are not up to speed on warning consumers or acting as a hotline. Their membership lists are often outdated.
Pay safe: Wherever possible, pay by credit card and be wary about paying directly into a private individual’s bank account.
Check documentation: You should study terms and conditions and be very wary of any companies that don’t provide any at all. When booking through a Holiday Club, or Timeshare, get the contract thoroughly vetted by a solicitor before signing up.
Use your instincts: If something sounds too good to be true, it probably is.
Dashlane’s Travel Website Password Power 2018 Rankings
5/5 Score (Best)
Airbnb
4/5 Score
Hawaiian Airlines
Hilton
Marriott
Royal Caribbean
United Airlines
3/5 Score
Alamo
Alaska Airlines
Avis
Best Western
Booking.com
Budget
Delta Airlines
Enterprise
Frontier Airlines
Hertz
Hostelbookers
Hyatt
KAYAK
Momondo
National
Priceline
Skyscanner
Southwest Airlines
Spirit Airlines
Travelzoo
2/5 Score
Couchsurfing
Disney Cruise Line
Expedia
Holland America
HomeAway/VRBO
Hostelworld
Hotels.com
JetBlue
Orbitz
Sheraton
Sun Country
Thrifty
Travelocity
1/5 Score
Accor Hotels
Agoda
Air Canada
Allegiant Air
American Airlines
Carnival Cruise Line
Choice Hotels
CruiseCritic
Hostelz
Hotwire
Intercontinental Hotel Group
Skiplagged
Student Universe
TripAdvisor
Trivago
0/5 Score
Norwegian Cruise Line
Critical Security Lapses
Travel sites failed to protect user data across a number of factors.
2FA Failings: A staggering 96% travel sites tested do not provide 2FA (two-factor authentication). The security benefits of enabling 2FA are well documented. In fact, Dashlane recommends enabling 2FA on all sensitive accounts.
Additionally, Dashlane found that 81% of travel sites did not even provide users with a password strength assessment tools during the account creation process.
Poor Security Practices: When compared to results of Dashlane’s 2017 rankings of leading consumer websites, and the more recent 2018 rankings comparing the cryptocurrency exchanges, travel sites performed especially poorly.
In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score.
That is in extremely stark contrast to the 89% of sites that failed Dashlane’s 2018 travel examination.
The travel website category with the worst average score belongs to the cruise industry (1.67/5), closely followed by booking websites (2/5).
On the other end of the spectrum, rental car websites as a group scored the best on average (2.86/5), but across all categories the scores were poor.
“Big names in the travel industry often come under fire for their physical treatment of customers, receiving public blowback on social media for flight delays, egregious treatment of passengers, or even foodborne illnesses,” continued Schalit.
“In many cases the result is a close examination of business practices and positive shift. The travel industry should treat their cybersecurity failings in much the same fashion, and make the necessary changes, such as adding 2FA, in order to protect customers’ digital privacy.”
Travel Security Best Practices
For travels near and far, these are a few easy actions that everyone should take to improve their own online security:
Use a unique password for every online account;
Generate passwords that exceed the minimum of 8 characters;
Create passwords with a mix of case-sensitive letters, numbers, and special symbols;
Avoid using passwords that contain common phrases, slang, places, or names;
Use a password manager to help generate, store, and manage your passwords;
Under no circumstances should you use an unsecured WiFi connection (e.g. public WiFi) while travelling.
About Dashlane
Dashlane, one of the world’s most trusted digital security companies, takes the pain out of passwords with its password manager and secure digital wallet app. Dashlane allows users to securely manage passwords, credit cards, IDs, and other important information via advanced encryption and local storage.
