As Tui, the UK’s market leader in travel, predicted the busiest booking day of the year on ‘Sunshine Saturday’ tomorrow firms were alerted to a darker side to the sales rush.
Travel companies have been warned to make sure they don’t become victims of cybercrime and do what they can to protect their customers from falling victim.
Alan Levine, Wombat Security Technologies’ cyber security advisor, says all travel firms should prepare for being targeted by criminals online.
And he said firms have a duty to do what they can to prevent it. “In any online relationship, you can never rely solely on the digital connection,” he said.
“Prompt consumers that are using your travel services to phone up if they ever feel that something isn’t right. It is your organisation’s duty to take the right steps to secure your website.”
Below Levine set out the sort of cyberattacks travel firms should be on the lookout for as the tills are ringing and the book now buttons are being pressed.
• If an attacker can compromise a website’s privileged credentials, then the website can likely be compromised too. Criminals expect that website admin accounts are not carefully secured, and often they are right. Travel companies should be protecting privileged access by requiring complex passwords or multi-factor authentication for all administrator access.
• If an attacker can identify vulnerabilities in the software that a website is made with, then the website can be used for unintended actions. A common website attack is called a “SQL injection”, and these attacks rely on websites that have been coded poorly in order to work. Once an SQL injection attack is in place, an attacker can use a website as a window into the databases and applications that sit behind the website. You can protect against this with a full, annual software code review – this is necessary for any public website, especially one that transacts or facilitates online purchases.
• If an attacker knows of a software flaw – new flaws are published on the dark web all the time – then an attacker can exploit those flaws to take control of a website. Maintaining current updates is a must for all software, but especially for public websites that transact money.
Levine set out what firms should do to protect their consumers by paying special attention to compromised websites (stolen or hacked websites), redirects, clones, and advertisements posted in their name:
• A careful review of a website may identify signs that an attacker has compromised it. Look for spelling or formatting errors, input fields that don’t actually accept input, and URLs that should be HTTPS but display only HTTP.
• Online criminals specialise in ‘man-in-the-middle’ attacks, where they intercede in the relationship between one online entity and another. This can mean that criminals are able to redirect transactional details to a third party managed by the criminal whilst a holiday is being purchased. Consumers should be prompted to visually inspect each URL to ensure that no redirection has taken place.
• Regularly search the internet for company names and key words associated with your brand. Attackers are adept at copying an online page and then republishing it for their own purpose, with only a minor change in the URL. Also, review your domain registrations. Often, attackers will register a very similar domain, and then immediately publish the cloned website hoping to lure and victimise unsuspecting visitors. When searching, also look out for fake advertisements using your brand.
Wombat Security Technologies are a cyber security training and awareness company that helps teach the likes of RBS and Veolia about cyber-safety.