A few days after Kay Pedersen booked a hotel in Chiang Mai, Thailand, through Booking.com, she received a surprising email.
It was a warning in broken English from Booking.com that said there had been “some malicious activity” on her account.
And then the trouble began. A few days later, her husband Stephen noticed that he had a new reservation at another hotel. And then another. The couple immediately reported the fraud, and Booking.com canceled all of their hotels, including the one in Chiang Mai.
“We immediately called Booking.com's customer service and requested that the original reservation be restored and other strange reservations that we had not made canceled,” Steven Pedersen said. “They were able to do it, but not at our original rate. Now that rate will be more than double.”
The Pedersens are not alone. A new wave of hacks is hitting travelers hard. A few weeks ago, criminals reportedly stole Booking.com passwords through an internal messaging system. Other common targets include loyalty program accounts and other online travel agencies.
Why are travel accounts vulnerable to attack?
“These contain highly sensitive information such as passports, driver's licenses, dates of birth, travel dates, etc.,” explains Caroline McCaffery, CEO of ClearOPS, an AI-powered security program management platform.
You don't have to be a victim. To avoid losing your hard-earned mileage points or having your hotel reservation canceled, there are strategies you can use right now. There are also some things you can avoid doing online to keep your account safe. But ultimately, this isn't your problem to solve. I'll get to whose problem it is in a moment.
How to avoid hackers
Here's how to keep your online travel account safe.
- Use two-factor authentication: Two-factor authentication (2FA) requires a special code along with your password to access your account. “Hackers can't access a device unless they have direct access to it,” explains Zulfikar Ramzan, principal scientist at digital safety company Aura. He said it's also possible for hackers to steal messages sent to your phone number, so if you're using 2FA, it's better to receive the 2FA code through an authenticator app rather than a text message.
- Enable login notifications: That way you'll know if someone accessed your account. “In practice, enable as many security settings as possible for the platforms you use,” says Amir Sachs, cybersecurity expert and CEO of Blue Light IT.
- Don't repeat passwords: Never use simple passwords. Also, never use the same password for multiple accounts. “The best way to prevent your online accounts from being hacked is to have strong, unique passwords for each site,” said Kevin Dunn, senior vice president at NCC Group, a global cybersecurity consulting firm. (Services like Google Password Manager, LastPass, and Dashlane can help.)
- Practice safe Wi-Fi: When in public places like airports, hotels and restaurants, be careful with your devices to prevent theft and unauthorized access, advises Ted Miracco, CEO of mobile application security company Approov. Avoid connecting to public Wi-Fi networks. If you need to connect, use a virtual private network (VPN). Hackers can easily obtain personal information on public networks. “This is a growing threat and more common than most users realize,” he said.
Yes, you are part of the problem
It's clear that tourists are part of the problem. They use insecure passwords, take no security precautions, and log onto unsafe wireless networks. But experts say travelers are inherently vulnerable. “Travelers tend to share too much personal information,” said Bob Batchelor, managing director of medical transportation company Flying Angels. “Oversharing personal information on social media and unknown websites can lead to identity theft and targeted attacks.”
Another problem, not necessarily specific to travelers, is clicking on suspicious links. Many of the hacking incidents I cover as a consumer advocate begin with phishing, a technique in which someone poses as a legitimate company and requests sensitive information.
“Consumers often fall prey to phishing scams related to travel bookings,” explains Albert Martinek, customer cyber threat intelligence analyst at Horizon3.ai.
Don't get me wrong. Nothing leads to your account being hacked faster than clicking on a malicious link and submitting your personal information. (You can always avoid the problem by going directly to the website rather than following the link.)
It's amazing to see intelligent people fall for these scams every day. When I say “every day,” I really mean it. Every day. That's about as often as I receive complaints about hacking issues. And 9 times out of 10, it's because the victim fell for a phishing scam.
Many hacking attempts end in dire consequences for the victim, such as frequent flyer miles being permanently lost or money being withdrawn from the traveler's account.
But not the Pedersens. I contacted Booking.com on behalf of the couple and they promised to look into it. But the Pedersens still left for Thailand, not knowing whether they would have to pay higher hotel rates.
Booking.com said that after investigating the incident, it determined that Mr. Pedersen was the victim of a phishing scam targeting his Booking.com account. A representative said Booking.com had already secured his account and would help him secure a hotel room at the original rate.
Then I got an email from Steven Pedersen.
“We arrived at the hotel yesterday and after much explanation, showing copies of all confirmations with the boss, the hotel representative finally understood the situation and refunded us the original rate,” he reported. “This process took several hours.”
Who is responsible for this?
Don't worry. You are not responsible for this issue. It's the company's fault for not protecting you. And it's up to them to fix it.
There is a fix that resolves most of these hacking issues. It's called a passkey, and it is a passwordless authentication system that uses biometrics such as fingerprints or facial scans.
Some travel companies have already adopted passkeys, including Kayak and Uber. (Here is a directory of companies currently using passkeys.)
Travel companies are desperately vulnerable and this problem will almost certainly get worse before it gets better. Consider that an online travel agent often shares personal data with three or four different parties when responding to a booking request. It's not a password, but it's certainly enough personal data that it can cause problems if the information falls into the wrong hands.
Computer systems in the travel industry were designed with one thing in mind: increasing profits. They move customer funds quickly and efficiently, but data is generally handled carelessly. This problem will not go away unless there are real consequences for playing fast and loose with personal information, including passwords.
It's not your fault – but you will have to pay for it.
Elliott's tips for avoiding hacking
Here are some more strategies to prevent your account from being hacked.
- Book directly with a reputable company: If you don't recognize an online travel site, think twice. There are too many fly-by-night operations that carelessly handle personal data or, in some cases, simply steal it. That is especially true if the deal looks too good to be true. “A better option is to book directly with a travel agent or airline,” said Bala Kumar, chief product officer at identity verification platform Jumio.
- Be suspicious of urgent emails: Many hacks occur through booking partners whose IT systems may have lax security. The pattern is similar. Someone gains access to your booking partner's email system and uses it to send you an urgent message, often the day before your trip, saying that your reservation may be canceled if you don't submit your credit card details again. “Obviously the hacker is just trying to get credit card information,” said Corey Nachreiner, chief security officer at network security firm WatchGuard Technologies. Report the email to the company immediately.
- Be careful with foreign phone numbers: If you have two-factor authentication set up, make sure you can still access it when you get home. “We have heard several stories from international travelers who set up 2FA using a foreign number they purchased during an extended trip abroad, and then deactivated the number at the end of the trip and lost access to their accounts,” said Joe Cronin, CEO of International Citizen Insurance.
Christopher Elliott is an author, consumer advocate, and journalist. He founded Elliott Advocacy, a nonprofit organization that helps solve consumer problems. He publishes Elliott Confidential, a travel newsletter, and Elliott Report, a customer service news site. If you need help with a consumer issue, you can contact him here or email chris@elliott.org.