A few days after Kay Pedersen reserved a hotel room in Chiang Mai, Thailand, through Booking.com, she received an alarming email.
It was a warning from Booking.com in broken English that there had been “some malicious activities” in her account.
And then the trouble started. A few days later, her husband, Steven, noticed a new reservation at another hotel. And then another one. The couple reported the fraudulent activity immediately, and Booking.com cancelled all of their hotels, including the one in Chiang Mai.
“We immediately called Booking.com’s customer service requesting our original reservation be reinstated and these other odd ones, which we had not made, be canceled,” says Steven Pedersen. “They were able to do so, but not at our original rate. The rate would now be more than twice as much.”
The Pedersens are not alone. A new hacking wave has hit travellers hard. A few weeks ago, criminals stole Booking.com passwords through its internal messaging system. Other popular targets include loyalty program accounts and other online travel agencies.
Why are travel accounts so prone to attacks?
“They hold susceptible information, such as passports, driver’s licenses, dates of birth, and travel dates,” explains Caroline McCaffery, CEO of ClearOPS, an AI-powered security program management platform.
You don’t have to be a victim. There are strategies you can use now to ensure you won’t lose your hard-earned frequent flier points or see your hotel reservation get cancelled. But there are also things you can avoid doing online that will keep your account safe. Ultimately, this isn’t your problem, but I will tell you whose it is in a second.
How to avoid hackers.
Here’s how to keep your online travel account safe.
Use two-factor authentication.
Two-factor authentication (2FA) requires a unique code in addition to your password to access your accounts. “Hackers can’t access this if they don’t have access to your device directly,” explains Zulfikar Ramzan, chief scientist at Aura, a digital safety company. He adds that if you’re using 2FA, an authenticator app is a better way to receive 2FA codes than text messages, since hackers can also intercept messages sent to your phone number.
Enable login notifications.
That way, you’ll know if someone has accessed your account. “Actually, make sure you enable as many security settings as possible for the platforms you use,” says cybersecurity expert Amir Sachs, CEO of Blue Light IT.
Don’t repeat your password.
Never use a simple password, and never, ever use the same password for multiple accounts. “The best way to prevent any online account from getting hacked is to have a strong and unique password for each site,” says Kevin Dunn, a senior vice president at NCC Group, a global cybersecurity consulting company. (Services like Google Password Manager, LastPass and Dashlane can help.)
Practice safe Wi-Fi.
Keep an eye on your devices in public places such as airports, hotels, and restaurants to prevent theft and unauthorized access, advises Ted Miracco, CEO of Approov, a security company for mobile applications. Avoid connecting to public Wi-Fi networks; if you have to, use a Virtual Private Network (VPN). Hackers can easily capture your personal information on a public network. “This is a growing threat and more common than most users realize,” he says.
Yes, you’re part of the problem.
Travellers are part of the problem. They use insecure passwords, don’t take security precautions, and log on to dangerous wireless networks. But travellers are inherently vulnerable, say experts.
“People who are traveling are inclined to share too much personal information,” says Bob Bacheler, managing director of Flying Angels, a medical transport service. “Oversharing personal information on social media or with unknown websites can lead to identity theft or targeted attacks.”
Another issue, which isn’t necessarily unique to travellers, is clicking on suspicious links. Many hacking cases I deal with as a consumer advocate started with phishing, a technique that solicits sensitive information by pretending to be a legitimate business.
“Consumers often fall prey to phishing scams related to travel bookings,” explains Albert Martinek, a customer cyber threat intelligence analyst at Horizon3.ai.
Nothing leads to a hacked account faster than clicking on a malicious link and sending personal information. (You can avoid the problem by always navigating to the website yourself; never follow the link.)
Watching otherwise intelligent people fall for these scams every day is remarkable. And by “every day,” I mean every day. That’s about how often I get complaints about a hacking problem. And nine times out of 10, they fell for a phishing scam.
Many hacking attempts end badly for the victim, with frequent flier miles lost forever or money withdrawn from travellers’ accounts.
But not the Pedersens’. I contacted Booking.com on behalf of the couple, and they promised to investigate. But even so, the Pedersens left for Thailand without knowing if they had to pay the higher hotel rate.
Booking.com said it investigated the incident and determined that Pedersen had fallen for a phishing scam directed at his Booking.com account. A representative said Booking.com had already secured his account and would refund the difference between the initial booking and the new rate.
Then, I got an email from Steven Pedersen.
“We arrived at the hotel yesterday, and, after much explanation showing copies of all the confirmations with their supervisor, a hotel representative finally understood the situation and reinstated our original rate,” he reports. “The process took several hours.”
Who’s responsible for this?
Don’t worry, you’re not responsible for this problem. The companies that didn’t protect you are at fault. And it’s up to them to fix it.
There’s a fix that would solve most of these hacking problems. It’s called Passkeys, and it’s a passwordless authentication system that uses biometric authentication like a fingerprint or face scan.
Some travel companies, including Kayak and Uber, have already adopted Passkeys. (Here’s a directory of companies that currently use Passkeys.)
Travel companies are hopelessly vulnerable, and this problem will almost certainly get worse before it gets better. Consider that online travel agencies often share personal data with three or four different parties when they fulfil a booking request. Not passwords, but certainly enough personal data that it could cause problems if the information were to fall into the wrong hands.
The travel industry’s computer systems were designed with one thing in mind: to increase profits. They move customer money quickly and efficiently but treat your data carelessly. Unless there are real consequences for playing fast and loose with your personal information, including your passwords, this problem will not go away.
It’s not your fault, but you must pay for it.
Elliott’s tips for avoiding a hack.
Here are a few more strategies for keeping your accounts from getting hacked.
Book directly with a reputable company.
Think twice if you don’t recognize the online travel site. Too many fly-by-night operations treat your personal data carelessly or, in some cases, steal it. And that’s especially true if the deal looks too good to be true. “Better yet, book directly with the travel company or airline,” says Bala Kumar, chief product officer at ID verification platform Jumio.
Be suspicious of urgent emails.
Many hacks happen through booking partners, which can have IT systems with lax security. The pattern is similar: Someone will gain access to a booking partner’s email system and send a message urgently warning you, often a day before your travel, that your booking is at risk of cancellation unless you send your credit card details again. “Obviously, the hackers are just trying to get your credit card information,” says Corey Nachreiner, chief security officer at WatchGuard Technologies, a network security company. Report the email to the company immediately.
Mind those foreign phone numbers.
If you’re setting up two-factor authentication, ensure you’ll have access to it after you get home. “We’ve heard several stories from international travellers who set up 2FA through a foreign number purchased during extended trips abroad, who then lose access to the account at the end of their trip when they deactivate the number,” says Joe Cronin, CEO of International Citizens Insurance.
Written by: Christopher Elliott
BIO:
Christopher Elliott is an author, consumer advocate, and journalist. He founded Elliott Advocacy, a nonprofit organization that helps solve consumer problems. He publishes Elliott Confidential, a travel newsletter, and the Elliott Report, a news site about customer service. If you need help with a consumer problem, you can reach him here or email him at chris@elliott.org.