The pandemic-driven shift towards digital technologies coupled with the recovery of the hospitality industry has increased traffic to hospitality websites, opening up more avenues for hackers to launch malicious bots. As major hotel companies are no stranger to cyberattacks, work continues to keep attacks at bay.
According to a recent report by Cornell University and FreedomPay, hospitality, restaurant and retail executives’ perceptions of cybersecurity are not aligned with reality. As per the study, almost 31% companies have reported a data breach in their company’s history, of which 89% have been affected more than once in a year. The study also reveals that 35% of the surveyed industry leaders do not know what percentage of their company’s budget is spent on cybersecurity.
The right protection
Most people don’t realize the prevalence of bots in the hospitality industry, according to Sam Crowther, founder and CEO of Kasada, a bot mitigation platform that protects more than US$20 billion in ecommerce transactions, US$10 billion in gift and loyalty cards, and hundreds of millions of guest accounts. Bots are used by impersonating humans to steal credit cards, gift vouchers, and reward points.
Hotels have to ensure they are proactively protecting every endpoint on their website, mobile apps and APIs, so that their infrastructure and the customer journey are safeguarded. To this end, using the right online fraud protection and bot management solution is critical, said Benjamin Fabre, co-founder and chief technology officer of DataDome, a global cybersecurity company specialized in bot management.
“Hotel and travel sites are particularly prone to carding attacks during times of high traffic, like holidays. Hackers hope that the extra traffic will allow their bot attacks to go unnoticed,” Fabre said. “When hackers target loyalty coupons, discount codes, or gift cards, attacks are hard to notice, because affected customers don’t monitor coupons, codes, and gift cards as closely as they do their credit or debit cards.”
Rise over the past two years
According to DataDome’s research, bot attacks have increased 47% from the past year and cyberattacks targeting the travel industry have skyrocketed since the beginning of COVID-19. Login and checkout fraud have increased over the past two years, with the rise in digital check-ins and the prevalence and accessibility of sophisticated tools that are used to commit fraud.
“What’s particularly interesting is how the sophistication of the fraudsters have risen since the pandemic to successfully commit the same fraud techniques which have been used for years,” Crowther explained. “For example, we have seen a rise in the use of residential proxy networks, aged accounts, CAPTCHA bypasses, highly customized developer tools, and script recorders — all of which evade detection from traditional methods.”
Crowther added that there has been an uptick in fraudulent payments, carding and loyalty program abuse since the pandemic hit. “Over the past two months alone, Kasada has observed a quadrupling of automated account balance lookups as fraudsters look to steal online gift cards and loyalty rewards during the holidays,” he added.
Steve Blidner, founder and CEO of TTI Technologies, which owns the Scan2PMS software solution, said there has been an increase of chargebacks as a result of a previous guest challenging the bill with the credit card company. “We have heard from our customers or potential customers that the pandemic has caused a change in the type of customer they usually cater to. Consequently, they have seen more chargebacks and also destruction to rooms and theft,” he said.
Securing payments, check-in
While all hotels offer the most competent security measures, guests must also ensure that their credit cards remain secure.
“During the booking process, guests must use caution when making purchases on unfamiliar websites promoting exceptional deals on travel,” Crowther said. “As the old adage goes, if a deal looks too good to be true, it likely is. Virtual credit cards can be a good option if your credit card issuer provides such an option.”
While guests are mandated to present a valid ID during check in, they should never allow a hotel clerk walk away with the ID.
“Scanning an ID is as secure as the hotel’s property management system, but never let a clerk photocopy your ID since it can then be left on a desk or put in a file that is not secure. Credit cards should never be copied or scanned using only a PCI compliant reader,” Blidner said. “If a hotel has seen fake IDs, which is not very prevalent, then some scanners can also do authentication to check the ID for being a fake. These scanners can include ultra-violet and infrared technology to look for tampering and then compare against all known templates for even minor changes. Cost typically range from US$1,000 and up but a single chargeback could equal much more.”
While many hotels have adopted a Software-as-a-service (SaaS) to offer guests the convenience of contactless check in, it poses a supply chain risk to keep guests details confidential through third-party vendors. “It is important that hotel security professionals conduct a proper security assessment of their third-party suppliers to ensure that security practices either meet or exceed the expectations you have on your own in-house applications,” Blidner added.
Protecting APIs is the first priority for the hospitality and travel industry over the next 12 months as it will go a long way to protecting guests’ personal information, said DataDome’s Fabre. Hotels need to ensure their payment gateways use the Address Verification System (AVS) and Credit Verification Value (CVV).
“AVS checks if the billing address of a customer’s account matches the one on the card. CVV checks for the three or four-digit number on the back of the card. Both make card fraud significantly harder,” Fabre added. “Also, use HTTPS and a signed SSL/TLS certificate to authenticate, encrypt and decrypt data securely.”