Security in travel: are your shields up?

Martin Cowen

Contributing Editor


Martin Cowen is a contributing editor to the Amadeus Blog. He is a freelance writer, editor and moderator with a global perspective on B2B travel technology and B2C trends. This is the third in a series of posts highlighting his takeaways from our T3CH event. He will also be discussing other travel tech related topics in the coming months.

‘Security’ is an area where most travel conferences fear to tread. In contrast, T3CH – the first ever technology conference for the travel industry – approached the subject head on, which made for some uncomfortable if essential listening.

Across travel there are many component parts to the security conversations. Some are bigger picture generic system issues – how can I make my ecommerce website secure for shoppers? Some are specific to travel – how can I wifi-enable my fleet of A380s without allowing hackers to get into critical aircraft systems?

Some are both. There are macro and micro concerns. There are bad actors making money, nation states making trouble, peers spying on peers. There are phishing websites, spam, malignant bots and worms. Wherever there is a system, someone somewhere will be trying to access it without consent – or even with consent but not doing what they were authorised to.

And the criminals accessing systems have methods of their own to share the stolen information with other criminals.

Securing systems is an endless task and it is often said that no system is 100% secure. But blue-chip giants and niche security specialists are working with travel tech providers and suppliers to raise the security bar as high as possible.

Hackers, usually illustrated with a stock shot of a guy in a hoody hunched over a screen, are seen as the manifestation of all that is evil about the internet. But one of the best-received speakers at T3CH suggested that companies looking to improve their security should work with hackers.

This was the basis for a keynote from Keren Elazari, a researcher, author and speaker on cybersecurity and hacker culture who defines herself as a ‘friendly hacker’. She coined the phrase “hackers are the internet’s immune system” for a TED talk back in 2014, the video of which has been viewed more than 30 million times.

Her argument was that travel firms should work with hackers in a constructive way, encouraging them to find flaws in the system and rewarding them accordingly. Such programmes are commonplace and provide a structure for working with hackers. United Airlines has one of the highest profile bug bounty programmes in the industry.

Her presentation included some very specific travel examples, such as a screengrab of someone selling stolen hotel reward nights and access to some high-value frequent flyer accounts. She also referenced an Online Travel Agency for hackers to sell stolen travel inventory to other hackers, using cybercurrency as payment.

So what are the specific risks around travel? Distil Networks is a cybersecurity business which works across many verticals to mitigate the impact of bad practices. Account takeovers or hammering a system with search requests are the typical threats faced by any ecommerce operator.

Spinning, however, is specific to travel and targets airlines which offer a “reserve your price” function. Bad bots check for seats at the airline dotcom and then hold or block them in a cart. The seat is taken off sale by the airline, pushing customers to look elsewhere. The bad bot operator meanwhile is trying to sell the seat at a higher price and pockets the difference.

The best way to combat this and other manifestations of bad bots is through data. Andrew Stein, chief architect for Distil, said that “the more we can see the traffic to a site, the easier it is for us to detect the outliers, and then to put processes in place to mitigate their impact.”

The data-driven approach is used by Amadeus, which is taking a UEBA approach – user and entity behaviour analytics – a methodology which taps into machine learning and statistical models to identify anomalous patterns by comparing them to an established baseline.
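As an added illustration of the outlier detection described above for seat spinning (this is not Amadeus's or Distil's code), the following sketch scores each client's abandoned seat holds against the population baseline using a median-based statistic. The event names, client identifiers and the 3.5 threshold are assumptions, and the sample traffic is constructed.

```python
from collections import Counter
from statistics import median


def build_sample_events():
    """Constructed (client_id, action) events; not real traffic."""
    events = []
    # Ordinary shoppers: a hold that is converted into a purchase.
    for i in range(1, 9):
        cid = f"shopper-{i}"
        events += [(cid, "hold"), (cid, "purchase")]
    # Two shoppers who also let one extra hold lapse.
    events += [("shopper-3", "hold"), ("shopper-3", "expire")]
    events += [("shopper-6", "hold"), ("shopper-6", "expire")]
    # One client holding seats repeatedly and never buying (spinning pattern).
    for _ in range(40):
        events += [("client-x", "hold"), ("client-x", "expire")]
    return events


def abandoned_holds(events):
    """Per client: holds placed minus holds converted into purchases."""
    holds, purchases = Counter(), Counter()
    for cid, action in events:
        if action == "hold":
            holds[cid] += 1
        elif action == "purchase":
            purchases[cid] += 1
    return {cid: max(holds[cid] - purchases[cid], 0) for cid in holds}


def flag_outliers(events, threshold=3.5):
    """Flag clients whose abandoned-hold count sits far above the baseline.

    Baseline is the median across clients; spread is the median absolute
    deviation (MAD), which a single heavy client cannot distort.
    """
    counts = abandoned_holds(events)
    values = list(counts.values())
    base = median(values)
    mad = median(abs(v - base) for v in values)
    # When most clients behave identically the MAD is zero; fall back to a
    # scale of one hold so the score becomes the raw excess over baseline.
    scale = 1.4826 * mad if mad > 0 else 1.0
    flagged = {}
    for cid, value in counts.items():
        score = (value - base) / scale
        if score > threshold:
            flagged[cid] = round(score, 2)
    return flagged
```

Flagged clients are candidates for mitigation such as shorter hold timers or additional verification; the baseline should be recomputed per route and time window in real traffic.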

This approach can help secure a web site from fraud being carried out against customers, behaviours which are also impacting the operations and revenue flows of the airlines. Beyond the point of sale, however, questions around the security of aircraft and airports require a more holistic, multi-agency approach.

Jeff Troy is president and CEO for the Aviation Information Sharing and Analysis Center (A-ISAC) – an organisation whose members include airlines, manufacturers and airports. His take is that while data is a vital weapon in the fight against cybercrime, data is what the criminals want – data about individuals, data about an airport’s staff from the payroll, data about the supply chain. His argument is that each touchpoint needs to have the same level of security in order to prevent hackers identifying a weakness which can let them into the entire ecosystem.

Like many of the big enterprise tech themes discussed at T3CH, there is a corporate culture angle to helping mitigate fraud. Troy said that there needed to be structures in place so that there was as little time as possible between identifying a vulnerability and fixing it.

Security is, he believes, starting to get the C-suite attention it needs. “Security is moving from being a support service to something which is talked about from the very start. Security experts are involved in the business decisions and the early development cycles.”

Some of the stats around the scale of cybersecurity within the global economy are too big to have any real meaning – a leading expert expects that the cybercrime industry will cost the global economy $6 trillion by 2022. IATA said at the start of 2016 that payment fraud alone costs the aviation industry $858 million annually, some $640 million of which is a hit to the airline’s bottom line.

Security is an umbrella term which covers everything from old people losing their life savings thanks to a phishing email to industrial scale hacks of hospitality or airline systems with details sold on the dark web. The technology to help prevent fraud is getting more sophisticated, but so too are the tools available to cybercriminals. Sophisticated prevention software can help, but travel firms also need to have a culture in place that allows them to find and fix flaws in real time, which could deter some of the less-committed cybercriminals.