The Travel Weekly and Travolution Cyber Security Summit was hosted by Natwest and sponsored by Worldpay, Syntec/Cardeasy and law firm Hill Dickinson.
Cybercrime is rife in travel and the sector is subject to “a lot of bad practices”, according to the head of the travel industry’s fraud-prevention body.
Barry Gooch, chairman of Prevention of Fraud in Travel (PROFiT), said: “There are very big frauds going on in travel. You don’t get to hear about it. But we produce a monthly report of cyber breaches and fraud – it’s going on all the time.
“There are a lot of bad practices in the industry. Fraud and cybercrime are absolutely rife.”
Gooch told the Travel Weekly Cyber Crime Summit: “You are dealing with highly organised, well-financed crime. It is incumbent on everyone to take steps to protect their business. You could probably stop 70% of attacks.”
Helen Holmes, risk management product director at Worldpay, explained there is increased risk of cyber fraud in travel.
She said: “There is a tension between fraud protection and one-click, friction-free payments, [and] it is probably particularly pronounced in travel.
“Travel is a particularly high-risk sector. It has higher average transaction values (ATVs), but low margins. It is highly competitive, and service is a key differentiator.”
Holmes noted: “Every payment counts. Every time someone clicks ‘pay’ it represents hundreds of pounds in investment.”
She added: “Data is key to fraud protection. For the least friction [in a transaction], don’t ask for anything [additional to confirm a user’s identity], but that will affect your fraud risk.
“Saving [users’] card details is definitely the way things are going, but account takeover [by fraudsters who have accessed the account details] is one of the highest risks travel has.”
Asked about the scale of the problem, Holmes said: “I heard a specialist in the Dark Web say, ‘There is more breached data out there than there are fraudsters to exploit it.’”
The Dark Web refers to sites on encrypted networks that are not indexed by search engines such as Google.
Prevention of Fraud in Travel (PROFiT) recently launched a campaign to cut cybercrime in the sector, promoting two free programmes that businesses can sign up to in order to slash phishing emails and spam.
Both are freely available through the non-profit Global Cyber Alliance (GCA).
One project involves DMARC, or Domain-based Message Authentication, Reporting and Conformance. This checks that email comes from the claimed source by verifying the domain name it is sent under, preventing unauthorised use of a firm’s name.
Organisations using DMARC receive about one quarter of the email threats of those which don’t. Yet only an estimated 31% of travel businesses use DMARC.
The second programme involves a Domain Name System (DNS) email filter that removes malicious emails and quarantines those that are suspect, based on continuous updates from “multiple threat intelligence feeds”.
PROFiT chairman Barry Gooch said: “Spam and rogue emails are the biggest threat. Infected emails increased 6,000% in 2016. There has been a big spike in ransomware this year and 40% of spam contains ransomware. We can’t stop it all, but we can reduce it and improve resilience.”