Special Report: Travel Weekly Cyber Security Summit

More than 130 delegates hear from host of cybercrime experts at Travel Weekly event in London. Report by Ian Taylor

‘Fraud and cybercrime are absolutely rife in travel’

Cybercrime is rife in travel and the sector is subject to “a lot of bad practices”, according to the head of the travel industry’s fraud-prevention body.

Barry Gooch, chairman of Prevention of Fraud in Travel, said: “There are very big frauds going on in travel. You don’t get to hear about it. But we produce a monthly report of cyber breaches and fraud – it’s going on all the time.

“There are a lot of bad practices in the industry. Fraud and cybercrime are absolutely rife.”

Gooch told the Travel Weekly Cyber Crime Summit: “You are dealing with highly organised, well-financed crime. It is incumbent on everyone to take steps to protect their business. You could probably stop 70% of attacks.”

Helen Holmes, risk management product director at Worldpay, explained there is increased risk of cyber fraud in travel.

She said: “There is a tension between fraud protection and one-click, friction-free payments.

“Travel is a particularly high risk sector. It has higher average transaction values, but low margins. It is highly competitive, and service is a key differentiator.”

Holmes noted: “Every payment counts. Every time someone clicks ‘pay’ it represents hundreds of pounds in investment.”

She added: “Data is key to fraud protection. For the least friction [in a transaction], don’t ask for anything [additional to confirm a user’s identity], but that will affect your fraud risk.

“Saving [users’] card details is the way things are going, but account takeover [by fraudsters] is one of the highest risks travel has.”

Asked about the scale of the problem, Holmes said: “I heard a specialist say ‘There is more breached data out there than there are fraudsters to exploit it.’”

‘We lost £1.5m in phishing fraud – you could too’

ATD Travel Services chief Oliver Brendon warned delegates not to be complacent as he revealed how the firm lost £1.5 million in a ‘phishing’ fraud in 2015.

Brendon told the Travel Weekly Cyber Security Summit in London: “We were totally focused on sales, not thinking about risk. We’re quite risk-averse now.”

The company, which operates attraction ticket brands including Attractions Tickets Direct and Do Something Different, was the victim of a sophisticated phishing attack by a criminal gang.

Phishing attacks aim to obtain the information to facilitate a fraud, often through fake emails.

Brendon said: “Phishing scams are surprisingly common.” He was on leave when he received an email supposedly from a company he had invested in.

By the time he realised it was fake and had changed his passwords, it was too late. His email was compromised, along with his mobile, which was synched with his laptop, and a virus had shut down the phone.

He said: “The fraudsters were filtering my email. They knew I had no phone and where I was.”

While he was out of contact, the firm’s finance director was sent mocked-up invoices “with reassuring messages as if from me” urging payments to accounts in Dubai and Malaysia. Over five days, more than £1.8 million in payments were made to the fraudulent accounts.

Brendon said: “You may ask why our bank allowed these payments, but they did. We lost almost all our balance sheet.

“I called the City of London Police and wrote to the police commissioner. The police sought cooperation in Dubai and Malaysia. I even wrote to the home secretary.

“We hired expensive lawyers who said we could get a court order in Dubai but the money would be gone. So we gave up.”

The company did recover some of the payments. But Brendon said: “I realised that apportioning blame would not get the money back. The problem was we focused solely on sales and not on risk. We had got complacent.

“Now we have very strict security in payment processes, more monitoring and good insurance.”

Brendon told the summit: “I know you’re thinking ‘this could never happen to me’, but it can.”

Travel call centres ‘are vulnerable to fraud’

Call centres are “a gaping black hole” in travel sector fraud prevention, according to Simon Beeching, a director at telecoms service provider Syntec.

Beeching told the summit: “There are 5,000 contact centres in the UK employing one million staff. It’s an important part of the payment system.

“There are three million contact centre staff in the US. That is an awful lot of people exposed to other people’s data. It is a gaping black hole.”

He said: “There has been a huge upsurge in call centre fraud because chip and pin technology has made contact fraud more difficult.”

Beeching suggested call centre fraud involved both ‘insider’ and ‘outsider’ fraud, since “someone can park outside an office and listen to VoIP [Voice over Internet Protocol] calls and get card details”.

He asked: “How many people like reading out their card details over the phone? Reading out card details is becoming a barrier to transaction.”

Beeching argued: “Our mantra is ‘If you don’t need the data, don’t take it’. Making sure you don’t have data is the best way to make sure there is no breach.”

Syntec offers a payment-by-phone keypad system, CardEasy, which lets a customer enter their card details on a phone keypad rather than read them out.

Security expert says cyber threats are a fact of life

Cyber threats “are a fact of life” and the security response is “always a bit behind the curve”.

Don Randall of security consultancy ICTS Consult, and a former security adviser to the Bank of England, told the summit: “Whenever someone produces a [security] product, someone will produce a counter to it. That is what criminals do.

“We are always a bit behind the curve, though we are good at recovery.”

He insisted: “Cyber threats are a fact of life. There were 23,000 fraud and cybercrimes reported in the UK in 2013-14, but 80% are not reported.

“With a malware attack, it takes an average 220 days for the organisation affected to discover the breach but just 12 days on average to extrapolate the data the perpetrators want.”

But Randall said: “80% of cyber-enabled fraud can be reduced or stopped by educating staff not to click on what they shouldn’t.”

Profit promotes free tools to fight phishing and spam

Industry body Prevention of Fraud in Travel (Profit) recently launched a campaign to promote initiatives to cut cybercrime in the sector, enabling businesses to sign up to two free programmes to slash phishing emails and spam.

Both are freely available through the non-profit Global Cyber Alliance (GCA).

One project involves DMARC, or Domain-based Message Authentication, Reporting and Conformance. This checks that email comes from the claimed source through an ID check of the domain name, preventing unauthorised use of a firm’s name.

Organisations using DMARC receive about a quarter of the email threats of those which don’t. Yet only an estimated 31% of travel businesses use DMARC.

The second programme involves a Domain Name Server (DNS) email filter which removes malicious emails.

Profit chairman Barry Gooch said: “Spam and rogue emails are the biggest threat. Infected emails increased 6,000% in 2016.”

For more details, go to:
globalcyberalliance.org
profit.uk.com
ondmarc.com
