When it comes to online travel deals of dubious provenance, if it seems too good to be true, it probably is. Here's what else you need to know to protect yourself from opportunistic hackers and digital swindlers when taking — or even just booking — a trip.
Think the real world is a dangerous place for travelers? Try visiting the virtual one, a place filled with shady travel offers and criminals who want to steal your personal information.
It’s the time of year when people start planning their summer vacations, and with everyone watching the bottom line, the temptation to save a few dollars by booking online is strong. That might include searching the underside of the internet for a bargain.
A recent survey by the British security company Comparitech should make you consider carefully where you buy. According to the research, there is a vibrant market for frequent-flyer miles on the “dark web,” a hidden part of the internet that requires special software to access. On one site, Comparitech found that you can buy 100,000 points for as little as $884.
“The type of sites most commonly associated with the dark web are marketplaces where illicit goods such as narcotics, firearms and stolen credit-card numbers are bought and sold,” says the report’s author, Paul Bischoff. “The darkest corners are used to hire hit men, engage in human trafficking and exchange child pornography.”
Most Read Life Stories
- Sunday Best: Emily Blunt, Iman are among the fashion winners from 2021 Met Gala
- Rant & Rave: Reader gives a lesson on the etiquette of waiting in line at Dick’s
- For a Jewish-style deli with 'big, ridiculous sandwiches' and great Ethiopian and Colombian eats, explore this Seattle neighborhood
- How the body of a hiker who disappeared two years ago was found in the North Cascades
- What gravel riding is and why you might want to try this new cycling activity
Bischoff says that if you get caught with stolen airline miles or selling your own miles, the airline can wipe out your account and leave you with nothing.
“Airlines can even cancel your bookings if they’ve found you’ve broken the terms of service,” he says.
A study by Seon, a security-consulting company, found any number of travel products available on the dark web. They included airline tickets, car rentals and, on one forum, tours sold at a 30 percent discount. On another forum, customers were “impressed with this seller’s ability to deliver flights bought with stolen credit cards,” the study notes. “With over 200 sales, they had only five-star reviews.”
The dark web is just one place travelers should avoid. Others include unsecured websites and wireless hot spots designed to collect personal information. Bottom line: Online security can be as important as physical safety for travelers.
You don’t have to visit the dark web to get into trouble. Jonathan Weber, a software developer from East Stroudsburg, Pennsylvania, recently found an airline ticket on a Russian carrier called Transaero through a website that specializes in airline-ticket price errors. Fare errors are both risky and ethically problematic. Sometimes airlines honor them; sometimes they don’t. In Weber’s case, the airline went out of business during his trip.
“Luckily, Aeroflot picked up their remaining flights and got us home,” he says. “But it was a hell of a surprise at the airport.”
Even when visiting a legitimate travel site, you might not be entirely safe. Consider the data breach Marriott disclosed last year, in which hackers accessed its reservation systems over four years and exposed private information of up to 500 million customers. Experts say it’s not a question of if but when the next data breach will happen.
How do you know if a company is taking security seriously? One way is to look for a little padlock icon next to the website address on any page where you type in sensitive information, including credit-card numbers.
That’s missing from a lot of travel sites. At least that’s the finding of Sectigo, a web security company. It recently studied major airline, hotel, travel comparison, car-rental and train websites and rated them on how effectively they were secured. It flagged the sites for Firefly, SkyWest and Ritz Carlton for triggering “not secure” warnings and numerous others for lesser security issues.
“Many major travel brands fail to provide assurance of their sites’ security and identity,” says Tim Callan, a senior fellow at Sectigo.
But the most common danger to travelers may be the network of wireless hot spots — set up in public places such as airports, convention centers and hotels — that are designed to steal personal information.
“Malicious actors can set up fraudulent Wi-Fi networks and even fake mobile hot spots to collect and record traffic that connects to them, especially in top destinations,” explains Matthew Gardiner, a cybersecurity expert at Mimecast, an email- and Web-security provider.
A 2018 report by Coronet, a cybersecurity company, identified San Diego International, John Wayne Airport in Orange County, California, and Houston’s William P. Hobby Airport as the airports where travelers were most at risk of being hacked through a public Wi-Fi network.
Avoiding a public network pays off in additional peace of mind, says Chandler Givens, CEO of TrackOFF, a provider of data-privacy software for consumers. “At the very least, try to stick to sites with “https” in front of the URL, and be careful what kinds of personal information you submit while surfing.”
That brings us to the solutions. You can stay off public hot spots, log into a secure public hot spot, such as Boingo, or use a virtual private network (VPN), which offers an extra layer of encryption.
“To protect yourself, for example, when at airports or hotels, find out the official Wi-Fi network of the facility from the management, and don’t connect to any others that you may find to be open,” says Gardiner, the Mimecast security expert. “Remember: How the Wi-Fi network is named means nothing.”
Incidentally, I used to be a skeptic about the risks of unsecured wireless networks until someone hacked my son’s laptop at the airport. The likely culprit: an unsecured hot spot.