Lax security measures on hotel booking sites mean there’s a good chance that your personal information has been compromised if you’ve stayed at a hotel recently. A new study by Symantec found that two out of three hotel booking sites let just about anyone see reservation information if they know where to look. That means hackers could have access to your full name, physical address, email address, phone number, basic credit card information (card type, expiration date, and last four digits of the card number), passport number, and any other information attached to your reservation.
While this doesn’t include full credit card numbers, this data can still be misused. With access to your booking information, hackers could cancel or change your reservation. Having your basic demographic information could help thieves steal your identity, and knowing your location gives them an opportunity to scam you or your friends. For example, one common scam — often associated with Facebook account cloning — is to convince your friends that a travel emergency has left you in need of cash, potentially turning your friends' concern for you into a payday for scammers. Knowing where you are and where you’re staying means scammers can make their scams much more convincing.
Unlike last year’s Marriott data breach, in which hackers stole similar information from 500 Starwood rewards accounts, this problem doesn’t involve hackers breaking into a corporate website. Instead it’s a problem with the way many hotels handle reservation data, which isn’t always secured. Typically when you book a hotel, you get a confirmation email that includes a link to your booking information. Symantec tested 1,500 hotels in 54 countries, including major chains, and found that most of them let you access bookings through these links, without requiring any extra authentication. The reservation system simply assumes that anyone with the link must be you and lets them see your booking data — which means anyone with the link can get your data.
That link is easier to get than you might think. Hotel reservation websites usually include advertisements and use third-party analytics tools, and both send the full web address of the page you are viewing to outside companies. Usually that isn’t a security problem, but in this case the address itself carries the details that identify and expose your reservation. Even if you assume every third-party organization your hotel does business with can be trusted with your reservation information, this kind of information is also very vulnerable to hackers. Because hotels don’t always encrypt the links they’re sending, if you access your reservation on an open wi-fi network, anyone nearby may be able to see the web address. When you’re traveling, you could find yourself using public wi-fi at a hotel or airport to review your travel plans — and that’s all it takes for a hacker to walk away with your reservation data.
Worse, some of these reservation sites only require a reservation number to log in. And a reservation number is easy to guess: hackers can use a brute force attack to try every possible number until they find valid reservation numbers. It’s relatively simple to secure a website from attacks like this, and you’ve probably visited websites that locked you out or required extra authentication if you mistyped your password too many times. However, not all hotel websites protect themselves from such attacks, letting a hacker look up all valid reservations.
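To make the two design choices concrete, here is an added illustration (not code from Symantec or from any hotel's real system) of a reservation lookup that relies on the booking number alone, next to a hypothetical hardened version that puts an unguessable token in the link, throttles repeated failures, and tells the browser not to send the address to third parties. The reservation data, the example.invalid host and the limits are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample reservation, keyed by its short, guessable booking number.
RESERVATIONS = {"123456": {"guest": "A. Example", "checkin": "2019-05-01", "card_last4": "4242"}}

def weak_lookup(reservation_number):
    """The pattern the article describes: the booking number in the link is the
    only credential, so anyone who sees or guesses it gets the reservation."""
    return RESERVATIONS.get(reservation_number)

# Hardened pattern (hypothetical design): the emailed link carries a random
# 128-bit token, and the server stores only a hash of it.
TOKEN_HASHES = {}                     # reservation_number -> sha256(token)
FAILURES = {}                         # client_id -> timestamps of failed lookups
MAX_FAILURES, WINDOW_SECONDS = 5, 600  # constructed limits

def issue_link(reservation_number):
    """Create the secret link for the confirmation email (send over HTTPS only)."""
    token = secrets.token_urlsafe(16)  # 128 bits: too many values to enumerate
    TOKEN_HASHES[reservation_number] = hashlib.sha256(token.encode()).hexdigest()
    return f"https://example.invalid/booking/{reservation_number}?t={token}"

def _locked_out(client_id, now):
    recent = [t for t in FAILURES.get(client_id, []) if now - t < WINDOW_SECONDS]
    FAILURES[client_id] = recent
    return len(recent) >= MAX_FAILURES

def hardened_lookup(reservation_number, token, client_id, now=None):
    """Return (record, response_headers). The record is released only with the
    correct token, repeated failures per client are throttled, and the headers
    stop browsers from leaking the URL to analytics or ad hosts via Referer."""
    now = time.time() if now is None else now
    headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
    if _locked_out(client_id, now):
        return None, headers
    expected = TOKEN_HASHES.get(reservation_number, "")
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so response timing reveals nothing about the hash.
    if expected and hmac.compare_digest(expected, presented):
        return RESERVATIONS.get(reservation_number), headers
    FAILURES.setdefault(client_id, []).append(now)
    return None, headers
```

The weak version answers any request that carries a valid six-digit number, while the hardened version refuses a correct token once a client has exceeded the failure limit inside the window and lets it through again only after the window has passed.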
Unfortunately, there’s no good way to protect yourself from an attack like this — you’re relying on the hotel you’re staying at to use smart security practices, and many don’t. Still, you should avoid accessing your hotel reservation — or any other personal information — over public wi-fi networks. If you do need to get your reservation data, use a secure VPN service to keep your data safe.