The use of Internet Technology- A threat to the Hospitality Industry
NEERAJ AARORA, AICWA, LLB, PGD (Cyber Law), ACFE (USA)
The use of the Internet for communicating and transacting with customers has been growing rapidly in the worldwide tourism & hotel industry. There has been rapid increase in the online booking in the hospitality & tourism industry (e.g., e-booking of hotel/motel rooms, airline tickets, travel packages etc.) due to the fact that the industry is one of several services – which can be checked, inquired, and ordered online easily, and conveniently communicated and delivered electronically via the Internet. Â With the advantages, there certainly are some challenges and issues in the application of Internet technology in the hospitality industry (including e-booking). One major obstacle addressed most in the practice is the security concern. No doubt with the application of internet technology, the industry has suddenly become vulnerable to frauds taking place in cyber space. A report issued recently by the European Commission (EC) says that online fraud is considered the easiest due to the relative simplicity of stealing an identity in the online world.
According to a new report from security vendor MarkMonitor, Online travel sites is among the biggest victims of brand jacking which refers to “the criminal act of hijacking strong brands for profit by cyber squatting, phishing, false association, pay-per-click abuse and domain kiting
Some of the modus operandi of the online fraud perpetuated on the hospitality industry or its customers is detailed below in brief:
Domain Squatting or Cyber Squatting: The squatters are now reaping the profit by misusing the brand names of popular travel portal in the domain names and also in their html codes in generating the traffic which would have flown to genuine Travel Portal. Thus, the squatters are misusing the goodwill of the well known travel portal and thus, eating up their share of revenues besides creating negative publicity and loss of public faith.
Credit Card Skimming: The hospitality industry is plagued with the highest incidence of credit card skimming, the unscrupulous practice of swiping a customer’s card through a device, similar in size to a beeper, to record the magnetic strip data for the creation of fraudulent credit cards. Most of the skimming occurs in the otherwise hospitable environment. Some of the waiters or servers may be recruited by fraudsters who provide them the servers pocket-size “skimmers.” When you are through your dinner in a restaurant and give your credit card to a dishonest waiter for payment, he takes it to swipe in the restaurant’s credit card terminal, he also gives the card a quick swipe through the skimmer which he got from the fraudster. The skimmer gets the card’s information off its magnetic strip and stores it which is later on downloaded on their computers at home and sent to the fraudster who make cloned credit card from the stolen information.
The Card Mill
“Do you want to become a travel agent? Save 50%-60% on flights and hotels using special travel-agent-only rates. Getting a travel-agent card takes only 15 minutes!”
This internet scam, known as “card milling”, is on the increase. Greedy travellers are told that by spending significant amount of fee on a travel-agent ID card, they will become entitled for huge discounts on flights, hotels and, most commonly, cruises.
The customer is lured to give his credit-card details who in turn is provided with a ID card which is not accepted by many segment of travel industry.
Fake Website looking like genuine website
The fraudster in order to trap the potential customers also launch a website which looks exactly the same (like having same look & feel) Â Â like a legitimate website of the established hotel or travel agency with minor spelling variations which is very difficult to identify in first glance. The customers who take the website as the genuine one surf through the website which diverts them to another site which may be trap by the fraudster to extract sensitive information like credit card detail, passport number etc. from the customers in the guise of e-booking. Thus, the victim customer credit card is compromised and being misused by the fraudster.
Online Air ticket Scam: There are bogus airline ticketing websites which attract customers by undercutting airline ticket prices offered by other airlines. When you’re paying by entering your credit card number, they capture your credit card information. The customer then receives a message telling them that the credit card transaction has been declined or were told that due to technical problems they needed to submit the payment via western union money transfer. In this way the victim passes on his credit card information as well as transfer of payment via western union which is not recoverable. The easiest way to avoid consumer scams like this are to use only known and trusted web sites when conducting business online, including on line travel. The principle of caveat emptor applies to the online purchase of airline tickets as to the traditional purchase. ” if a deal seems too good to be true, there’s probably a catch.”
Unsecured Websites without adequate security features
There has been spurt in cases of online booking of airline/railway tickets, hotel bookings through stolen credit card number. Many hotel/airlines websites offering e-booking facility are without adequate security features to secure the webpages which contain the vital & sensitive information like credit card number information. Many such websites offering e-booking facility operates on HTTP (Hyper Text Transfer Protocol) rather than HTTPs. An additional (encryption) layer is added when HTTPs is used as the URL (Uniform Resource Locator) scheme. Secure websites, which are used for payments and any sensitive transactions, have an additional ‘s’ after HTTP, which stands for “Secure”. The website beginning with http:// means that the website is talking to your browser using the regular ‘unsecure’ language. In other words, it is possible for someone to “eavesdrop” on your computer’s conversation with the website. The unsecured page asks sensitive customer information such as credit card number, card expiry date, name on credit card, type of card. Any intruder sitting on the internet has full capabilities to tap all data transfer happening in a cleartext HTTP session. A lapse can lead to a financial loss or a customer’s credit card number being stolen and subsequently misused.
Email Phishing: One day you receive an email in your inbox from an unknown company congratulating you for winning a free or an inexpensive deal on a resort vacation or cruise. This kind of solicitation will most likely be a travel scam via phising. The email would come with a link which would connect you with a site asking for your credit card number to avail the freebies and some personal information. Hence, possibly compromising your credit card information for fraudulent online transactions.
Pharming: It is another variant of Phishing which is a method of redirecting internet traffic to a fake website through domain spoofing. ‘Pharmers’ don’t send emails to victims. Instead, when victim try to access a genuine website of a travel portal, they automatically re-direct them to their imitation one. Pharming uses DNS (Domain Name Service) hijacking to misdirect users to a fake site by altering the DNS for the target website or, the system redirects users to authentic websites through phisher-controlled proxies that can be used to monitor and intercept keystrokes. The spoofed sites collect credit card numbers, account names, passwords etc. Â which are later misused by the fraudsters to make online fraudulent transactions.
False Association with established hotel or Travel Association: Some illegitimate hotel and Travel Agents through their website falsely represent that they are accredited associate of the recognized hotel association or travel agency like they may represent that that are affiliated with Association of British Travel Agents (ABTA). Â It may also use the logo of the association to give a legitimate appearance. The customers believing that the Hotel or travel agency is a recognized one pass on their vital financial information like credit card number, internet account password which may be misused.
Over payment scam – Sorry! Can I have my money back!
The Fraudster emails to reserve a hotel room with other services for a week or two. There may be reservations for a religious retreat from the religious group to give it a genuine look. Next, an email comes that the cheque for the reservation is on the way – in some cases it arrives at the hotel first – but the amount is substantially more than the total cost of the stay. The scammer instructs the hotel to cash it and send the excess to someone: sometimes a fake rental car company, sometimes back to the “guest.” The cheque never comes or if it comes, it is from a fraudulent account. Another variation involves an advance reservation with a big cheque for payment in full, and a sudden emergency requiring cancellation and a refund – paid from your funds before the cheque clears. When the hotel authority tried to clear the cheque they discovered that the account was fraudulent.
Hotel/Travel Agency used as medium to withdraw the ill-gotten money from Phishing:
A recent case of Phishing in a reputed Bank has revealed that the fraudsters have booked the hotels and for the purpose they have electronically transferred the funds from the victim account to the hotels in Delhi say three lakhs. After that they telephone the hotel management pretending that they have to make immediate payment to some agent of theirs and payment of Rs. 1 Lakh (from the payment electronically transferred) be made to such agent (whose detail is already given by the fraudster to the hotel). The agent who happens to be an associate of the fraudster collects the payment from bank. Later on Hotel comes to know through the bank that the amount of three lakhs transferred to them electronically is a fraudulent electronic transfer. Thus, the hotel bears the brunt of cool Rs. 1 Lakhs as it has to return three lakhs to the bank. This is the recent MO (some what similar to overpayment scam) adopted by the fraudster in which they use the hotel as a tool/medium to withdraw the ill-gotten money through phishing instead of through fake accounts.
Crook Travel Agent:
Recently it has come to notice that some travel agents take cash from you for your air travel tickets but for booking of tickets they use the stolen credit cards and to delete their footprints, they fill wrong name & address of the traveler. When the ticket arrives at the hand of the traveler, the Travel Agent makes excuse that it may be printing error. This is another MO to withdraw the money from the stolen credit cards.
How to avoid being ripped off
For Hospitality Industry:
1. Go for a legal action in case your brand name has been misused by the squatters in the domain names of their website. You can file trademark infringement case in case your brand name is registered as Trademark or if it is not registered, you can still file a suit for passing off under the common law. You can also go for Domain name dispute redressal through UDRP- ICANN Policy. Please consult your trademark attorney.
2. Secure your website with Secure Sockets Layer (SSL) technology as you accept credit card, debit card, purchase card, or other online payments. Always remember your reputation depends on the privacy and integrity you provide to your valued customer.
3. Keep vigil on your employees who deal with online booking as they may pass the credit card information filled in by customers to the fraudsters.
4. Insist that each customer provides a complete address and valid telephone number. Ensure that the customer’s billing address matches the information on file with the credit card issuer or bank.
5. Send e-mail verification to the customer after he or she makes an online booking or purchase of package. Require the customer to reply and confirm the order via e-mail. Cross check the email & verify it from the credit card company. This greatly increases the odds that whoever has access to the e-mail address is the same person who made the online booking.
6. Screen each order by verifying the validity of the credit card, check and customer information.
7. Last but not the least, report each incident of suspected fraud to the authorities immediately. Keep complete records of all orders so that you can assist any police investigation.
For the public:-
1. Don’t give out your credit card number(s) online unless the site is a secure and reputable site of a Travel Agency or Hotel you are looking for. If a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with https://. If it doesn’t, don’t give away the sensitive information like a credit card number.
2. Be cautious when responding to special offers like heavy discounts on online hotel booking or airline ticket purchase (especially through unsolicited e-mail- It may be a phished site-Delete the email & do not respond). Just remember ” if a deal seems too good to be true, there’s probably a catch.”
3. Make sure the transaction is secure when you electronically send your credit card numbers.
4. Always ensure that the online travel portal is accredited or affiliated with the reputed Organization like IATA or The Association of British Travel Agents, commonly abbreviated to ABTA.
5. Always scratch out the last three digits known as card code verification number printed on signature panel of a credit or the debit card, after noting it down in a safe place. CCV is needed only when an online transaction is done. Remember that when you handover your credit card for any transaction at hotel or restaurant it is swiped and the machine reads data from the magnetic strip. Thus, if have not deleted the CCV from your credit card, it may be used for making fraudulent online transactions.
6. While booking airline tickets from the Travel Agent ensure that the Travel Agent is a recognized travel agent. Always insist on payment through cheque or credit card. When you get your ticket, please also verify that your name and address is correct.
7. Monitor credit card receipts and check them carefully against your statements.
If you notice any fraudulent transactions, report immediately to the credit card issuer and police.