It’s increasingly clear that cybercriminals now see the travel and hospitality industry as rich pickings for their nefarious activities. They also see that the industry is inherently vulnerable and that it is not as advanced from a cyber defence perspective as heavily regulated industries such as financial services or health care.

With their combination of high-value transactions, seasonal workforce and aging computer technology, hotels are more susceptible to a phishing attack or malware infection resulting in the theft of computer usernames and passwords used by hotel staff (Account Takeover or ATO). ATOs are increasing at a rate that surpasses valid online transactions, with the retail hospitality sector becoming the latest target for fraudsters and costing the industry USD$60bn per annum and rising. Beyond the monetary impact, such attacks severely damage the reputation of affected hotels.

The Problem

Once the attackers have stolen users’ credentials, typically with a phishing email or weblink sent by the criminal to either a hotel or traveller (or with a fake reservation), they gain access to a treasure trove of client personal data with which to perpetrate fraud and identity theft. With these credentials, the attacker targets the hotel’s reservation system and third-party online travel agencies (OTAs). The attacker then impersonates the hotel and the traveller to conduct a bi-directional fraud. Once the criminal has established an online connection to either the traveller or the hotel, deploying InfoStealer malware is a relatively straightforward task.

InfoStealer malware not only exfiltrates data from a device but also hijacks the communication channel between the hotel, its customers, and other parties in the booking value chain. This enables cybercriminals to impersonate either party, allowing them to execute a variety of fraudulent activities, such as soliciting advance payments or attempting to access payment card details. Additional third parties, including OTAs and payment providers, form part of the booking value chain.

The Solution

Industry experts, technologists and impacted companies in the travel and hospitality sector have come together to design a turnkey solution to mitigate the significant harm caused by ATOs and associated fraud and cybercrime. The solution is suitable for almost any business or third-party provider in the travel and hospitality value chain including, but not limited to, hoteliers (hotels of all sizes, groups and chains), online travel agents (OTAs), connectivity providers, payment providers and rental accommodation hosts.

This solution combines the strengths of two companies, Island and GSA Global. Island, an innovative enterprise browser technology, seamlessly isolates and protects the entire booking process and customer interactions. GSA Global, a highly respected professional services company with expertise in the travel and hospitality industry, offers a fully managed virtual desktop capability, deployment and operational management services.

Attacks such as ATO follow many familiar patterns, such as identity and site spoofing, credential harvesting and malicious payload usage. From an end-user standpoint, it can be quite difficult from the outset to know what’s real and what isn’t. Yet while the human element cannot easily discern such things, the Enterprise Browser is built to protect the entire experience.

GSA will equip your organisation with everything necessary to implement the solution successfully, ensuring you fully leverage its capabilities to keep your business safe and secure. In addition, our support will help protect your customers from disruptions to their travel plans caused by fraud and cybercrime.

Why Choose GSA Global?

GSA specialises in travel-related risk and security services to ascertain the optimal configuration of the solution. GSA translates the elements of the Hotel Security Standard to implement bespoke policy and proportionate security controls. GSA Global provides assurance products such as travel certification and accreditation.

GSA Global has partnered with Island, a leading provider of an enterprise browser technology, to deliver a significant technology and service solution for the travel and hospitality industry. The solution not only enhances a hotel’s security and fraud prevention measures but also offers a wide range of additional benefits.

GSA ensures that hoteliers and other businesses implementing the solution derive maximum value with minimal overhead, all at a compelling price point.

 







    Former Booking.com CSO Sounds the Alarm on Rising Account Takeover Fraud in Hospitality


    Spencer Mott, ex-Group CSO of Booking Holdings and Booking.com, discusses the impact of Account Takeover Fraud (ATO) on the travel and hospitality sector.

    I’ve been working with criminals for over forty years—always on the right side of the law—first as a Detective at Scotland Yard and then for some of the world’s largest corporations. Times have changed; fraud and theft online now offer far greater rewards for criminals than physical crimes. Technology itself facilitates many crimes, from encrypted communications and bitcoin money laundering to ransomware attacks. Today’s detectives must be tech-savvy and able to leverage a global network of investigators.
