
There’s no sector technology hasn’t disrupted — and tourism is no different. Advances in IoT and contactless solutions when it comes to mobility, hospitality and more mean better customer experiences for travellers than ever before.

But advances in tech also open up new opportunities for hackers to exploit victims and steal personal customer data. In 2021, the Cyber Security Agency of Singapore (CSA) received 1,238 reports of cybersecurity incidents from businesses and other organisations, an increase from the 972 reports it received in 2020.

This has also been made far worse by Covid-19; although travel came to a standstill during lockdown, people spent more and more time online, allowing hackers to perfect their craft.

“Cybercriminals capitalised on the widespread anxiety and fear wrought by the pandemic to conduct phishing campaigns and ransomware attacks for financial gain,” writes David Koh, Commissioner of Cybersecurity and Chief Executive of the CSA.

So what are the cybersecurity challenges threatening the global tourism industry in 2022? We dive into four of the biggest, and define some steps you can take to protect your business and customers. Keep in mind, these steps need not involve costly systems, but rather boosting education and awareness amongst your staff and putting in place regular checks and a clear strategy.

QR code hacks

Quick response (QR) codes are nothing new, but they’re becoming more widely adopted as a contactless solution. They work similarly to a URL shortening service; once scanned via a smart device, a user is instantly granted access to information, such as a webpage or WiFi password.

But they’re also a new point of exploitation for hackers. “QR code technology is safe in itself, but as reliance on it grows, cybercriminals are taking note,” says Anna Chung, Principal Cybersecurity Researcher at Palo Alto Networks. “These codes could offer an entryway to potential cyberattacks because they don’t provide visibility into the webpage, application, etc behind them. Instead, they automatically redirect users to web pages, app stores to download apps, make payments and more which provides cybercriminals with opportunities to insert themselves into the process.”

Hackers can use several methods to exploit QR codes:

  1. They could hack into a business’s website, and replace the QR code with a different, similar-looking one. Once scanned, a user could be tricked into providing user credentials, which could give a hacker access to email or a social media account, or get them to download a malicious app.
  2. They could create a “honeypot”, whereby a hacker sets up an unsafe “free” WiFi network, accessible via a QR code. Once scanned and connected, a hacker can intercept data being shared via the smart device, such as online banking credentials or payment information.

To protect their customers, tourism business owners should regularly carry out integrity checks on their websites and apps, to make sure the code and links they provide are correct. 

“They can do this by regularly scanning the code to check if the link within the QR code is correct,” says Chung. “They need to check both the web and mobile browser version, as cybercriminals have been known to only compromise the latter to reduce the chance of detection.”
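The check Chung describes can be automated once the QR codes have been scanned. The sketch below is an added example, not code from the original article or from Palo Alto Networks: it compares the payload decoded from each page variant (desktop and mobile) with the URL the business intended to publish. The host names, code names and scan results are constructed sample values, and decoding the QR image itself is assumed to happen beforehand.

```python
from urllib.parse import urlsplit

# Constructed values: what each published QR code is supposed to contain.
EXPECTED = {
    "menu": "https://www.example-hotel.test/menu",
    "checkin": "https://www.example-hotel.test/checkin",
}

# Constructed scan results: the payload decoded from each page variant.
SCANS = {
    ("menu", "desktop"): "https://www.example-hotel.test/menu",
    ("menu", "mobile"): "https://www.example-hote1.test/menu",
    ("checkin", "desktop"): "https://WWW.Example-Hotel.test/checkin/",
    ("checkin", "mobile"): "http://www.example-hotel.test/checkin",
}

def check_payload(name, payload):
    """Compare one decoded QR payload with its expected URL; return findings."""
    want = urlsplit(EXPECTED[name])
    try:
        got = urlsplit(payload.strip())
        port = got.port  # raises ValueError on a malformed port
        # IDNA-encode so look-alike Unicode hosts show up in xn-- form.
        host = (got.hostname or "").encode("idna").decode("ascii")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return ["payload is not a parseable URL"]
    findings = []
    if got.scheme != "https":
        findings.append(f"scheme is {got.scheme or 'missing'}, expected https")
    if got.username or got.password:
        findings.append("userinfo present in URL")
    if host != want.hostname:
        findings.append(f"host {host!r} != {want.hostname!r}")
    if port not in (None, 443):
        findings.append(f"unexpected port {port}")
    if got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append(f"path {got.path!r} != {want.path!r}")
    return findings

def audit(scans):
    """Return {(code name, variant): findings} for every scan that fails."""
    report = {}
    for (name, variant), payload in scans.items():
        findings = check_payload(name, payload)
        if findings:
            report[(name, variant)] = findings
    return report
```

Parsing the URL rather than searching it for the brand name matters: a payload can contain the expected host name as text while still resolving to a different host.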

Users and customers can avoid being scammed by avoiding QR codes from strangers and installing mobile security in the form of online protection software. 

Beware malware

Malware is the term for any program made to hack or damage a device, such as a computer virus or ransomware. Ransomware is one of the most harmful forms, as the only way to remove it is to pay a ransom to the scammer controlling it.

Both are big business for fraudsters — organisations in Singapore hit by ransomware attacks pay an average ransom of nearly $1.5m. However, while paying up may get hackers off your systems for a short while, 56% of organisations that pay ransoms are hit a second time within 4 to 7 days.

Ransomware attacks on travel companies, in particular, are on the rise, with the CSA reporting a 154% increase from 2019 to 2021, largely due to Covid-19. Security professionals report criminals are upping their game, and launching increasingly sophisticated technical attacks.

“Ransomware is no longer a sporadic nuisance, affecting a handful of machines,” says Koh. “It has been transformed into a massive, systematic threat affecting entire networks of large enterprises.”

For example, Carnival, one of the largest cruise operators in the world, was hit by a ransomware attack in 2020. The company said hackers were able to access the customer data as part of an IT system for one of its cruise line brands. 

So what can you do to protect your business? 

Prevention is key. Organisations need to put in place stringent protective measures, such as readying a backup and recovery plan for data, backing up data regularly, and storing that data offline and disconnected from the organisation’s network.

CSA also suggests organisations adopt industry best practices, which include enforcing segmentation between information technology (IT) and operational technology (OT) networks, using anti-virus software and mitigating risks when it comes to system and software vulnerabilities. 

IoT security vulnerabilities

IoT — or the ‘internet of things’ — sums up all devices connected to each other by the internet. It’s created new opportunities for travellers, who are able to control more appliances and services through mobile applications, and companies that are able to gather and store customer data from IoT-enabled devices.

For example, a traveller returning to the same bed & breakfast every summer could have their air conditioning preferences tracked and recorded. The potential is huge, especially in the luxury sector.

A real-life example is the Walt Disney World MagicBand, a wristband that pairs with the My Disney Experience app. It allows visitors to enter the theme park, access their hotel room, make contactless purchases and more via RFID technology (radio frequency identification, a form of wireless comms). 

But new opportunities for personalisation mean new opportunities for hackers, as these devices operate in an open environment. Some IoT devices can’t be patched easily, meaning they are more easily compromised, and they’re also often not in compliance with security standards like data encryption.

When it comes to privacy, all personal data stored via an IoT device is at risk of being breached.

In order to fully harness IoT’s potential, businesses need to pay attention to secure data collection and storage, and ensure their IoT systems communicate between one another effectively.

The Singapore Tourism Board recently wrote about how to create impactful connections with IoT. Based on these insights, here are a few questions any travel company should be asking a technology partner:

  • Do you have established security protocols? What protection measures are in place?
  • Are you open about privacy risks? Are you being transparent about what data is being collected? How is it being managed, and is it anonymised?
  • Will the deployment scale as the project expands?

Go phish  

Phishing is when scammers send emails under false identities, such as reputable companies, to get people to reveal personal information and data. 

This type of scam is on the rise in the tourism sector; hackers are increasingly posing as tourism businesses online using their logo and branding to lure potential customers into false purchases.

While this negatively affects customers and travellers in the form of stolen passwords and credit card details, it also has a hugely negative effect on a business’s reputation. If a hacker poses as a known travel brand and manages to phish a customer’s personal information, it will create negative press for the business and make potential customers think twice about booking with them.

“Any company that does business through a website requiring a login could be at risk,” says Dr. Sal Stolfo, Founder of Allure Security, and Professor of CS at Columbia University. “That's why businesses must create a proactive, multipronged strategy to help protect customers' data from inevitable attempts at stealing it.”

So how can you stop a phishing scam from negatively affecting your business? 

Stolfo says businesses should first understand how phishing scams work in order to be able to detect and mitigate them; this includes educating employees and staff.

Filtering out and blocking malicious emails that hackers may send to employees is a start, but it only addresses part of the problem. Businesses should also be able to detect spoof URLs. 

“One way to improve detection is to embed snippets of tracking code into your company’s real website,” he says. “When a hacker attempts to copy that site, they replicate that code along with a website’s images and text. It’s invisible to the hacker but not to your security team.”
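One way the security team's side of this could look, as an added example that is not from the original article or from Allure Security: assume the tracking snippet loads a small beacon file from the company's own server, so a copied page makes visitors' browsers request that beacon with a Referer naming the clone's host. The beacon path, host names and log lines below are constructed, and the log is assumed to be in the common "combined" access-log format.

```python
import re
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example-travel.test", "example-travel.test"}  # constructed
BEACON_PATH = "/b.gif"  # hypothetical path requested by the tracking snippet

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access-log lines (documentation IP ranges, .test domains).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2022:09:14:02 +0800] "GET /b.gif HTTP/1.1" 200 43 "https://www.example-travel.test/booking" "Mozilla/5.0"
198.51.100.23 - - [12/Jul/2022:09:20:45 +0800] "GET /b.gif HTTP/1.1" 200 43 "http://example-travel-deals.test/login" "Mozilla/5.0"
198.51.100.77 - - [12/Jul/2022:09:31:10 +0800] "GET /b.gif?v=2 HTTP/1.1" 200 43 "http://example-travel-deals.test/login" "Mozilla/5.0"
203.0.113.50 - - [12/Jul/2022:09:40:00 +0800] "GET /index.html HTTP/1.1" 200 5120 "https://search.example.test/?q=travel" "Mozilla/5.0"
203.0.113.60 - - [12/Jul/2022:09:41:00 +0800] "GET /b.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

def foreign_referers(log_text):
    """Group beacon hits by Referer host, keeping only hosts that are not ours."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["path"].split("?")[0] != BEACON_PATH:
            continue  # not a beacon request
        try:
            host = urlsplit(m["referer"]).hostname
        except ValueError:
            host = None
        if host is None or host in OWN_HOSTS:
            continue  # our own pages, or no Referer to attribute the hit to
        entry = seen.setdefault(
            host, {"hits": 0, "first_seen": m["ts"], "clients": set()}
        )
        entry["hits"] += 1
        entry["clients"].add(m["ip"])
    return seen
```

Hosts reported here are leads to review, not verdicts: translation and caching services also serve copies of a page, and visitors whose browsers send no Referer are not counted.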

Once a phishing site is detected, companies should alert customers to ensure they don’t fall prey. This could not only stop a customer from having their information stolen, but it also helps build trust.

Cybersecurity threats are continuously evolving, but so are the tools and methods businesses can use to protect themselves. Remember: prevention is key, so be sure to have a stringent cybersecurity strategy in place which is reviewed and updated every six months.