With vaccines now widely distributed, consumers are eager to travel and the demand for travel and lodging is at an all-time high. In fact, 93% of all Hilton rooms across the U.S. were occupied the last weekend of May, the number of European flights is trending upward again, and according to TripAdvisor’s 2021 Summer Travel Index, more than two-thirds of Americans (67%) are planning to travel this summer.
As such, many travel and hospitality organizations have recently added new or upgraded reservation apps, contactless payment processing systems and loyalty programs that are unfortunately now all exposed on public networks, increasing the likelihood of cyberattacks.
It’s crucial for these companies to protect against such attacks by protecting vulnerable endpoints.
Product and Pricing Pages
Consider all the information publicly available on product and price pages: prices, availability, limited-time offers, user reviews, ratings, flight numbers and so much more. This is a goldmine for price scrapers and one of the most damaging bot threats to airline, hotel and other travel companies. Hackers use scraped information for many nefarious purposes, from undercutting prices to mimicking special offers to copying or repurposing content.
These actions can drive traffic away from your website, possibly worsen your SEO rankings because of duplicate content, and worse, result in website performance issues.
The biggest threat at this endpoint is credential stuffing, an approach where hackers buy a list of stolen or compromised user credentials from the dark web and create bots that rapidly rotate through these credentials on company login pages. The hope is that customers are using the same password for many different websites (as they often do), allowing the cybercriminals a way in to breach the system.
These credential stuffing attacks can significantly slow down a company’s website’s performance and may even take it down altogether. Even worse, when a credential stuffing attack is successful, hackers gain access to customer accounts, also known as account takeover. Hackers steal the personal information from a customer’s account and then sell it or use it for other malicious purposes.
A travel company’s booking page is another vulnerable endpoint. The main threat here is inventory hoarding. Bots place large amounts of inventory -- like airplane seats and hotel rooms -- in a cart and hold it there. This not only skews your KPIs, it stops actual customers from booking a flight or a room because it might seem there aren’t enough seats or rooms.
Finally, there’s the checkout page. It’s where customers fill out their addresses, credit or debit card information, discount codes, reward card number, and more. The biggest threat here is carding, where hackers use stolen card data against one’s payment processes to identify valid card details or commit card fraud.
A carding attack fundamentally breaks the trust between the customer and the merchant. When the media picks up on a carding attack, for example, it can lead to permanent brand damage. In addition, the targeted companies end up paying chargebacks for successful carding attacks or responding to complaints when customers notice their gift cards or coupons have been used without their permission.
To safeguard your infrastructure and the customer experience, your travel site needs proper bot defense. But it needn’t be complex or expensive. To get maximum value from your bot protection solution, evaluate the following points:
- Detection quality. If possible, test your candidates simultaneously against real traffic to see what they block and what they let through.
- Ease of implementation. Ask potential vendors which integration options they provide, how extensive their documentation is, and what the onboarding process is like.
- Autonomy. Choose a bot management solution that will handle bot attacks without your intervention, but that still offers detailed, real-time analytics and KPIs.
- SOC. While your solution should block most attacks on autopilot, some situations may require a more hands-on approach. Ask providers how their bot SOC teams operate, and which services are included in your contract.
- Flexibility. Don’t want to submit a ticket just to whitelist an IP address or change a rule for a domain? Check that the solution leaves you sufficient control over your settings.
- Latency and scalability. There can’t be a tradeoff between business and security. To ensure zero impact on human visitors, choose a solution with a robust, auto-scaling infrastructure and plenty of PoPs.
As you prepare for this renewed surge in hospitality and travel, make sure you are proactively protecting every endpoint on your website, mobile apps and APIs, so that your infrastructure and the customer journey alike are safeguarded. After all, we all want our customers to have the best experience possible.
ABOUT THE AUTHOR
Benjamin is the CTO of DataDome, co-founded with Fabien Grenier in 2015. A serial entrepreneur, he has specialized, over the past 15 years, in scalable web infrastructure and AI-powered data stream processing, and SaaS technologies.
TrendyBuzz, his previous company, was acquired by Linkfluence in 2014. Their mission at the time was to index and process billions of online conversations and publications, in real-time, for brand reputation purposes.
Their expertise in the field gave Benjamin and Fabien the vision to foresee the rise of bot fraud and prompted them to provide global digital businesses with a solution to fight off fraudulent traffic.
DataDome is a leading bot protection vendor, based in New York, Paris, and Singapore. DataDome’s mission is to free the web from fraudulent traffic so that sensitive data remains safe and online platforms can perform at optimum speed. Based on AI, DataDome’s global cybersecurity solution protects the largest digital commerce businesses.