Comment: Travel firms must beware ‘bad bots’

Tim Ayling, EMEA vice-president at cybersecurity company Imperva, urges the sector to remain vigilant during peaks

January is no ordinary period for travel industry businesses. Airlines, travel agencies, hotel companies and other players gear up for a peak in global holiday bookings, as sun-seeking consumers scour the internet for summer getaways. But threat actors will also be out in force – using malicious bots for customer account takeovers, card fraud, price and data scraping, and more.

Peak travel periods are growing in popularity: searches for ‘Travel Tuesday’ rose more than fivefold between 2021 and 2023, highlighting the growing importance of seasonal deals in the industry. But to minimise the financial and reputational impact of cyber-criminals, it’s time for the travel industry to block bad bots.

A hard-hit sector

Bad bot traffic affects most sectors with a large digital presence. Research has suggested that internet traffic associated with these automated software applications now accounts for a third (32%) of the total. Yet some sectors are hit harder than others. In travel, over two-fifths (44.5%) of web traffic is assessed to come from malicious bots. Only law/government, entertainment and financial services have a larger share of advanced bad bot traffic than travel, where it stands at 60.9%. Bad bots fuel account takeovers, and the travel sector accounts for one in 10 such attacks across all industries – which is why it is the third most-affected sector in terms of compromised accounts.

At the most advanced end, these malicious software applications are increasingly difficult to detect because they mimic human behaviour online. It’s a year-round problem, but the particular challenge facing IT teams in the travel sector is to weed out this malevolent traffic during busy periods like January without impacting the experience for legitimate users.

‘Brute-force attacks’

Airline companies are among the worst affected by bad bots. Data scraping by aggregators, competitors and online travel agencies (OTAs) is perhaps the most serious challenge. The scraping is done to obtain prices and flight information without a pre-existing agreement, and the resulting surge in automated traffic can distort the look-to-book ratios that airlines rely on. This undermines efforts to gain the critical business insight needed to control costs, enhance efficiencies and better understand customers. It can also unintentionally drive up fees from partners, such as charges for API requests.

Another popular use for bad bots that impacts airlines relates to seat spinning – where the bots hold seats for several hours, or even up to a day, without making payment. This allows unauthorised OTAs and others to hold and resell these bookings without needing to make any upfront investment. If the seats aren’t sold, it can result in what appear to be fully booked flights departing with empty seats, damaging carriers’ bottom lines and reputation.

As mentioned, bad bots can also drive account takeovers and card fraud for airlines, travel agencies, hotel companies and others. Cyber-criminals use automated traffic to perform brute-force attacks on customer accounts. These may involve trying a large number of usernames in combination with commonly used or default passwords (known as password spraying), or trying previously breached log-ins across large numbers of sites in the hope that some individuals reuse their usernames and passwords (known as credential stuffing).

In the travel sector, some 17% of account log-ins are bad bot-driven account takeover attempts. This is a far higher proportion than the average of 11% across all sectors. Once inside an account, a threat actor will look to steal loyalty points, make fraudulent purchases or sell account access to others on the dark web.

Measures worth adopting

To stop bad bots, travel sector IT and security teams will need to take a proactive, defence-in-depth approach. First, understand where the risk is most acute. Checkout forms and log-in pages are a magnet for bad bots, so deploy multi-factor authentication, CAPTCHAs, and continuous behavioural monitoring across these parts of the website and app. Advanced traffic analysis and real-time bot detection tools will also provide an early warning system.

Consider also deploying security measures to protect APIs, which can form a defence against bad bots looking to target web apps and the data they contain. Blocking outdated browser versions, proxy services and signs of automation – such as abnormal browsing behaviour – will also help.

Other tell-tale signs of bad bots include high bounce rates, low conversion rates, sudden unexplained surges in traffic, spikes in log-in failures and an unusually high number of requests targeting a specific URL.
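The brute-force patterns described above (many usernames tried from one source in a short window) and two of the tell-tale signs listed here (spikes in log-in failures and an unusually high number of requests targeting one URL) are easy to surface from ordinary web-server logs. The following script is an added example written for this page, not Imperva's code or any product's detection logic. The log line format, the thresholds, the list of automation user-agent markers and the sample lines are all assumptions constructed for the demo; real deployments tune the thresholds against their own baseline traffic.

```python
# Bot-signal detection over web-server access logs (added example; constructed format).
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO ts> <client ip> <METHOD> <path> <status> user=<name|-> ua="<agent>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'user=(?P<user>\S+) ua="(?P<ua>[^"]*)"$'
)
# Substrings that declare a scripting client or headless browser (assumed list).
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "HeadlessChrome", "Go-http-client")

# Constructed sample: 203.0.113.7 sprays six usernames at the login form, 198.51.100.9 hammers
# the fare-search endpoint with a scripted client, and two human clients browse normally.
SAMPLE_LOG = """\
2025-01-14T09:00:01 203.0.113.7 POST /login 401 user=alice ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:04 203.0.113.7 POST /login 401 user=bob ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:05 192.0.2.10 GET /search 200 user=- ua="Mozilla/5.0 (Macintosh) Safari/17.1"
2025-01-14T09:00:07 203.0.113.7 POST /login 401 user=carol ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:10 203.0.113.7 POST /login 401 user=dave ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:13 203.0.113.7 POST /login 401 user=erin ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:16 203.0.113.7 POST /login 401 user=frank ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-01-14T09:00:20 192.0.2.10 POST /login 401 user=gina ua="Mozilla/5.0 (Macintosh) Safari/17.1"
2025-01-14T09:00:30 192.0.2.10 POST /login 200 user=gina ua="Mozilla/5.0 (Macintosh) Safari/17.1"
2025-01-14T09:01:00 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:02 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:04 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:05 192.0.2.44 GET /api/fares 200 user=- ua="Mozilla/5.0 (Linux; Android 14) Chrome/120.0"
2025-01-14T09:01:06 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:08 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:10 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
2025-01-14T09:01:12 198.51.100.9 GET /api/fares 200 user=- ua="python-requests/2.31"
"""


def parse_log(text):
    """Parse lines matching LINE_RE into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def _window_stats(timed_values, window):
    """(max events, max distinct values) inside any sliding window of `window` seconds.
    timed_values is a time-sorted list of (datetime, value)."""
    max_count = max_distinct = left = 0
    counts = Counter()
    for right, (ts, val) in enumerate(timed_values):
        counts[val] += 1
        while ts - timed_values[left][0] > window:   # slide the left edge forward
            old = timed_values[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        max_count = max(max_count, right - left + 1)
        max_distinct = max(max_distinct, len(counts))
    return max_count, max_distinct


def detect_login_bursts(events, window_seconds=60, min_distinct_users=5):
    """Source IPs whose failed POST /login attempts cover many distinct usernames in one window:
    the shape password spraying and credential stuffing leave behind. Returns {ip: distinct users}."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            per_ip[e["ip"]].append((e["ts"], e["user"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort(key=lambda t: t[0])
        _, distinct = _window_stats(attempts, window)
        if distinct >= min_distinct_users:
            flagged[ip] = distinct
    return flagged


def detect_url_targeting(events, window_seconds=60, min_requests=6):
    """(ip, path) pairs requested an unusual number of times in one window. Returns {(ip, path): hits}."""
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["ip"], e["path"])].append((e["ts"], None))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, hits in per_key.items():
        hits.sort(key=lambda t: t[0])
        count, _ = _window_stats(hits, window)
        if count >= min_requests:
            flagged[key] = count
    return flagged


def detect_automation_agents(events):
    """IPs whose user agent openly declares a scripting client or headless browser."""
    return {e["ip"] for e in events if any(marker in e["ua"] for marker in AUTOMATION_UA_MARKERS)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("login bursts:", detect_login_bursts(evs))
    print("url targeting:", detect_url_targeting(evs))
    print("automation agents:", detect_automation_agents(evs))
```

Run against the constructed sample, the login-burst check flags only 203.0.113.7 (six distinct usernames failed within 15 seconds) while the human who mistyped once is left alone, the URL-targeting check flags both the sprayer's concentration on /login and the scripted fare-search client, and the user-agent check independently marks 198.51.100.9. In practice these signals are combined with the behavioural and real-time bot detection the article recommends rather than used alone, since advanced bots spoof ordinary browser user agents and spread attempts across many source addresses.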

The travel sector has just about recovered from several challenging years, but there’s no time for complacency. Bad bots can have a significant impact on the bottom line, brand reputation and customer trust. Don’t let them take you and your customers for a ride.
