February 20, 2019
Holiday Blues: Cybercrime Rocks Travel Industry in Run-Up to Key Season
Posted November 20, 2018
Stolen identity data travels fast. But with a number of high-profile cyberattacks targeting travel industry companies, the challenge of authenticating digital users is becoming ever-more complex.
Throughout APAC and beyond, the industry has been under a sustained assault for the last several months. In October, for instance, word hit that a major airline suffered a massive breach that compromised the personal data of more than 9.4 million passengers. The stolen data included a treasure trove for identity thieves—including passenger name; nationality; date of birth; phone number; email; address; passport number; travel histories, and more.
Yet, it was hardly an isolated incident. In fact, mounting evidence suggests the travel industry is being specifically targeted by cybercriminals. And thieves are increasingly harvesting valuable identity credentials from company databases for exploitation far beyond the sphere of travel.
Planes, Trains & Cybercriminals
Over the last 6 months major security incidents have been disclosed, affecting hundreds of thousands of users, among major airlines and rail services in APAC, Europe and North America.
The travel industry is being hit with different types of incidents that are landing companies in the news for the most unfortunate reasons. Firstly, there are cyberattacks that are accessing new swathes of breached customer and payment information.
Additionally, travel companies are reporting automated login attacks on mobile and web applications which leverage previously stolen identity data in order to hack into users’ accounts.
Then there are fraudulent payments for airline tickets and more. During this summer’s World Cup football championships, for instance, one global travel company within the ThreatMetrix Digital Identity Network saw 20% growth in overall transactions—undercut by 46% growth in fraudulent transaction attempts.
That same company reported 52% growth in identity spoofing, as fraudsters sought to use stolen and synthetic identity credentials to take over or create fake user accounts in order to make purchases using stolen credit card numbers.
According to our data, fraudsters have found something even more lucrative: Loyalty.
Reaping Unjust Rewards
Today, it’s estimated more than $50 million in travel industry loyalty points lay dormant in accounts, ripe for takeover by fraudsters who use them to buy plane tickets, five-star hotel rooms and more. Once booked, tickets and reservations can be sold at rock bottom prices online.
Still, for all of this, it’s the personal identity information within these commandeered accounts that is most troubling to your customers. Readily sold online, these identity credentials can be used to take over bank accounts, open up lines of credit, apply for fraudulent loans, or make illegal purchases.
The price tag for businesses: As much as $4 trillion in losses worldwide this year. But for victims, the financial losses can be devastating. And with the speed at which stolen identity credentials make their way around the world these days, these consumers could be left watching their backs for years to come.
As for traditional remedies like free credit monitoring and website watching? Well, good luck with that.
Enter: Digital Identity?
The fact is, no amount of vigilance is going to stop attacks once personal information is set loose in the wild. Which means a reliance on static credentials as identity proof has become a dangerous proposition.
As a result, many airlines and other travel industry companies are seeking to boost defenses with step-up challenges or two-factor authentication.
But look for a growing number of businesses in the sector to deploy modern, digital identity-based user authentication and verification solutions that leverage behavioral analytics to understand legitimate user behaviors so they can accurately detect and disrupt the fraudulent use of stolen identity data.
Given the expectations of today’s online and mobile travel customer, organizations will likely gravitate toward solutions that enable them to passively authenticate users and make instant transaction decisions without generating added friction or false positives.
Critical to all of this: access to robust decisioning tools and the kind of globally crowdsourced threat intelligence from millions of daily consumer interactions—including locations, devices, new account applications, logins, payments and more—needed to spot cybercriminals the first time they use a business’s website or app.
All Aboard—or Else
Ultimately, whatever solutions they decide to put in place, travel industry businesses might want to throttle up the afterburners.
With the holiday travel season now in full swing, industrywide losses from cybercrime are expected to reach $21 billion by year’s end—and could top $25 billion by 2020. Factor in the average $7 million in costs associated with a data breach. And don’t forget potential regulatory fine mandates such as GDPR, which can run as high as €20 million, or up 4% of annual global revenue, whichever is greater.
Add it all together, and the price of staying put in the battle against cybercrime can be sky high—for both businesses and the traveling public they serve.
To learn how a digital identity-based approach to online & mobile fraud prevention can help the travel industry, check out our industry case study.