Hackers are coming for your travel accounts: Here's how to protect yourself

A few days after Kay Pedersen reserved a hotel room in Chiang Mai, Thailand, through Booking.com, she received an alarming email.

It was a warning from Booking.com in broken English that there had been "some malicious activities" in her account.

And then the trouble started. A few days later, her husband, Steven, noticed a new reservation at another hotel. And then another one. The couple reported the fraudulent activity immediately and Booking.com canceled all of their hotels, including the one in Chiang Mai.

"We immediately called Booking.com’s customer service requesting our original reservation be reinstated and these other odd ones, which we had not made, be canceled," Steven Pedersen said. "They were able to do so, but not at our original rate. The rate would now be more than twice as much."

The Pedersens are not alone. A new hacking wave has hit travelers hard. A few weeks ago, criminals reportedly stole Booking.com passwords through its internal messaging system. Other popular targets include loyalty program accounts and other online travel agencies.

Why are travel accounts so prone to attacks?

"They hold very sensitive information, such as passports, driver’s licenses, dates of birth and travel dates," said Caroline McCaffery, CEO of ClearOPS, an AI-powered security program management platform.

You don't have to be a victim. There are strategies you can use now to ensure you won't lose your hard-earned frequent flier points or see your hotel reservation get canceled. But there are also things you can avoid doing online that will keep your account safe. Ultimately, though, this isn't your problem to solve, but I will tell you whose it is in a second.

How to avoid hackers

Here's how to keep your online travel account safe.

  • Use two-factor authentication: Two-factor authentication (2FA) requires a special code, along with your password, to gain access to your accounts. "Hackers can't access this if they don’t have access to your device directly," said Zulfikar Ramzan, chief scientist at Aura, a digital safety company. He said that if you're using 2FA, it's better to use an authenticator app rather than text messages for receiving 2FA codes, because hackers can also steal messages from your phone number.

  • Enable login notifications: That way, you'll know if someone has accessed your account. "Actually, make sure you enable as many security settings as possible for the platforms you use," said cybersecurity expert Amir Sachs, CEO of Blue Light IT.

  • Don't repeat your password: Never use a simple password, and never use the same password for multiple accounts. "The best way to prevent any online account from getting hacked is to have a strong and unique password for each site," said Kevin Dunn, a senior vice president at NCC Group, a global cybersecurity consulting company. (Services like Google Password Manager, LastPass and Dashlane can help.)

  • Practice safe Wi-Fi: Keep an eye on your devices in public places such as airports, hotels, and restaurants to prevent theft and unauthorized access, advised Ted Miracco, CEO of Approov, a security company for mobile applications. Avoid connecting to public Wi-Fi networks, but if you have to, use a Virtual Private Network (VPN). Hackers can easily capture your personal information on a public network. "This is a growing threat and more common than most users realize," he said.

  • Yes, you're part of the problem: Obviously, travelers are part of the problem. They use insecure passwords, don't take security precautions, and log on to dangerous wireless networks. But travelers are inherently vulnerable, experts say. "People who are traveling are inclined to share too much personal information," said Bob Bacheler, managing director of Flying Angels, a medical transport service. "Oversharing personal information on social media or with unknown websites can lead to identity theft or targeted attacks."

Another issue, which isn't necessarily unique to travelers, is clicking on suspicious links. Many of the hacking cases I deal with as a consumer advocate started with phishing, a technique that solicits sensitive information by pretending to be a legitimate business.

"Consumers often fall prey to phishing scams related to travel bookings," said Albert Martinek, a customer cyberthreat intelligence analyst at Horizon3.ai.

Make no mistake: Nothing leads to a hacked account faster than sending personal information by clicking on a malicious link. (You can avoid the problem by always accessing the website directly – never, ever follow the link.)

It's remarkable to watch otherwise intelligent people falling for these scams every day. And by "every day," I really mean every day. That's about how often I get complaints about a hacking problem. And 9 times out of 10, it's because they fell for a phishing scam.

Many hacking attempts end badly for the victim, with frequent flier miles lost forever or money withdrawn from travelers' accounts.

But not the Pedersens'. I contacted Booking.com on behalf of the couple, and it promised to investigate. But even so, the Pedersens left for Thailand without knowing whether they had to pay the higher hotel rate.

Booking.com said it investigated the incident and determined that Pedersen had fallen for a phishing scam directed at his Booking.com account. A representative said Booking.com had already secured his account and would refund the difference between the initial booking and the new rate.

Then I got an email from Steven Pedersen.

"We arrived at the hotel yesterday, and, after much explanation showing copies of all the confirmations with their supervisor, a hotel representative finally understood the situation and reinstated our original rate," he reported. "The process took several hours."

Who's responsible for this?

Don't worry: You're not responsible for this problem. The companies that didn't protect you are at fault. And it's up to them to fix it.

There's a fix that would solve most of these hacking problems. It's called Passkeys, and it's a passwordless authentication system that uses biometric authentication like a fingerprint or face scan.

Some travel companies have already adopted Passkeys, including Kayak and Uber. (Here's a directory of companies that currently use Passkeys.)

Travel companies are hopelessly vulnerable, and this problem will almost certainly get worse before it gets better. Consider that online travel agencies often share personal data with three or four different parties when they fulfill a booking request. Not passwords, but certainly enough personal data that it could cause problems if the information were to fall into the wrong hands.

The travel industry's computer systems were designed with one thing in mind: to increase profits. They move customers' money quickly and efficiently but generally treat your data carelessly. Unless there are real consequences for playing fast and loose with your personal information, including your passwords, this problem will not go away.

It's not your fault – but you will have to pay for it.

Elliott's tips for avoiding a hack

Here are a few more strategies for keeping your accounts from getting hacked.

  • Book directly with a reputable company: Think twice if you don't recognize the travel site. There are just too many fly-by-night operations that either treat your personal data carelessly or, in some cases, just steal it. And that's especially true if the deal looks too good to be true. "Better yet, book directly with the travel company or airline," said Bala Kumar, chief product officer at ID verification platform Jumio.

  • Be suspicious of urgent emails: Many hacks happen through booking partners, which can have IT systems with lax security. The pattern is similar: Someone will gain access to the email system of a booking partner and use it to send a message urgently warning you, often a day before your travel, that your booking is at risk of cancellation unless you send your credit card details again. "Obviously, the hackers are just trying to get your credit card information," said Corey Nachreiner, chief security officer at WatchGuard Technologies, a network security company. Report the email to the company immediately.

  • Mind those foreign phone numbers: If you're setting up two-factor authentication, make sure you'll have access to it after you get home. "We've heard several stories from international travelers who set up 2FA through a foreign number purchased during extended trips abroad, who then lose access to the account at the end of their trip when they deactivate the number," said Joe Cronin, CEO of International Citizens Insurance.

Christopher Elliott is an author, consumer advocate, and journalist. He founded Elliott Advocacy, a nonprofit organization that helps solve consumer problems. He publishes Elliott Confidential, a travel newsletter, and the Elliott Report, a news site about customer service. If you need help with a consumer problem, you can reach him here or email him at chris@elliott.org.

This article originally appeared on USA TODAY: Protect your travel, loyalty accounts: Hackers are on the move
