Summer travel is ramping up—even as flights are being scaled back, delayed, or canceled. While you can’t avoid long TSA lines, bad weather, or pilot shortages, there is an element of travel that you can take control of: your digital security.
With the rising cost of airline tickets, you want to be absolutely certain your reservation won’t be tampered with. Additionally, you want to know that you can trust airlines or third-party booking apps with your personal information.
A friend of mine recently booked a flight to visit me. We’d been continually tracking prices as they fluctuated from “no way,” to “exorbitant, but it will have to do.” Eventually, he ripped off the bandaid and bought a ticket, only for the price to drop dramatically the following day.
Pressed for time to cancel and rebook the flight at a lower cost, I volunteered to cancel his flight directly from the airline app, if possible. Two pieces of information were required to cancel the flight: his confirmation number, which was in the email he screenshotted and sent to me, and his last name. I entered the info, and his flight was canceled instantaneously.
This led me to wonder if a cybercriminal could achieve the same, and what their motivation might be.
Your confirmation code, usually a six-digit string of letters or numbers, is randomly generated and identifies you as a unique passenger. Confirmation codes are needed to change or update a flight. Along with the barcode on your boarding pass, this code is linked to personal information, including your contact info, frequent flier number, and passport and license details.
To keep this number secure, never post a photo of your boarding pass on social media or toss your printed boarding pass in a trash can at the airport. United Airlines, for example, had to remind customers to delete their personal info from Twitter while trying to get in touch with the airline for a refund.
A personal password manager with features such as secure notes and secure file storage can ensure you have somewhere safe to store these codes. Using 2-factor authentication adds another layer of security to all your emails and accounts.
Back in 2019, white-hat hacker Rachel Tobac demonstrated to a CNN reporter, Donnie O’Sullivan, how easy it is to steal and manipulate flight information. To pull it off, she lifted information from O’Sullivan’s social media. He had tweeted at an airline and a hotel during one vacation, and this gave Tobac all of the information she needed to pose as him on the phone (using a voice changer, of course), transfer O’Sullivan’s hotel points to herself, and put him in a middle seat during his flight, all without access to his email or his password.
The airline’s standard verification questions may not be enough to thwart a savvy hacker. To avoid this yourself, O’Sullivan suggests adding additional security to your account, such as a verification code that the airline can send to your device while you’re on the phone with them. He admits that not all companies offer this as an option, but it doesn’t hurt to ask.
Apps like Kayak and Hopper aggregate data to show customers a range of options across carriers. Both of these booking sites have privacy policies that protect user data and allow customers to opt out of data sharing or the selling of their information.
Like airline apps, third-party apps collect personal information, though Hopper, for one, uses your phone number to log into your account and sends an authentication code to your device. This adds another layer of security.
Third-party apps pull pricing information from a variety of sites. Kayak, for example, has led customers to the booking site Tripmonster, which received an alarmingly low rating on Trustpilot for its lack of customer service and zero recourse for customers whose flights got canceled.
The takeaway? Be sure you can trust any company involved in booking your flight that has access to your personal information.
Another watchout for all airline customers is refund phishing scams, which rose in 2020 as hackers exploited frequent flight cancellations and demands for refunds. Cybercriminals have tools that scrape sites for confirmation numbers (including social media sites). These numbers can be bought and sold on the dark web and used to defraud customers. This social engineering scheme is so prevalent that Hopper warns of refund scams on their sites, urging customers to double-check emails that claim to be from Hopper, and to be aware that their customer service reps will never ask for a credit card number in order to refund a flight.