Data security is a big deal in the digital world of online booking.
As the General Data Protection Regulation of the European Union and the likes of POPI locally look to ensure consumers are safeguarded as best as possible - it seems some online companies are failing to put the bare-basic security measures in place.
SEE: What exactly happened with the Uber hack and should users be worried going forward?
A 2018 travel website password power analysis survey shows that a number of the top sites are leaving their users' data critically vulnerable to hackers.
According to the Dashlane rankings, which rated password and account security on 55 of the world’s most popular travel-related sites, "89% of travel-related sites leave their users’ accounts perilously exposed to hackers due to unsafe password practices".
Dashlane researchers tested each website on five critical password and account security criteria.
A site received a point for each criterion it met, for a maximum score of 5/5. Sites included the likes of Bookings.com and Tripadvisor.
Airbnb was the only site to score a perfect 5/5.
"Any score below 4/5 was considered failing and not meeting the minimum threshold for good password security."
Only 11% (6/55) passed with a score of 4/5 or better. The travel website category with the worst average score belongs to the cruise industry (1.67/5), closely followed by booking websites (2/5). On the other end of the spectrum, rental car websites as a group scored the best on average (2.86/5), but across all categories the scores were poor.
Unlike Airbnb, companies like American Airlines and Carnival Cruise Lines failed, both receiving a score of 1/5. The websites even allowed Dashlane researchers to set up accounts with alphanumeric passwords “12345” and “password.”
“I believe that traveling is the single greatest opportunity to de-stress from daily life and broaden our horizons,” states Emmanuel Schalit, CEO at Dashlane.
READ MORE: Cyber Scams: SA one of the top 10 most targeted countries - Here's what you need to know
'Digital thieves are the real threat'
“However, the modern traveller has to reckon with the many digital hazards associated with a journey—from booking flights, to reserving hotel rooms, to renting a car or looking online for recommendations—which creates many chances for personal data to become compromised.
"Our intention in ranking travel sites is not to scare people away from one of life’s greatest pleasures, but to make the modern traveller more aware. The days of worrying about just pickpockets are over. Digital thieves are the real threat.”
Critical Security Lapses
Dashlane says travel sites failed to protect user data in two main ways:
1. 2FA failings: A staggering 96% travel sites tested do not provide 2FA (two-factor authentication). The security benefits of enabling 2FA are well documented. In fact, Dashlane recommends enabling 2FA on all sensitive accounts.
Additionally, Dashlane found that 81% of travel sites did not even provide users with a password strength assessment tools during the account creation process.
2. Poor security practices: When compared to results of Dashlane’s 2017 rankings of leading consumer websites, and the more recent 2018 rankings comparing the cryptocurrency exchanges, travel sites performed especially poorly. In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score. That is in extremely stark contrast to the 89% of sites that failed Dashlane’s 2018 travel examination.
Schalit says the travel industry should treat their cybersecurity failings seriously and "make the necessary changes—such as adding 2FA—in order to protect customers’ digital privacy".
WATCH: Cyber-attacks: What's putting SA's travel industry at risk
Travel Security Best Practices
Dashlane, who have engineered a password manager and secure digital wallet app say all it takes are six simple steps to improve your own online security:
Use a unique password for every online account
Generate passwords that exceed eight characters
Create passwords with a mix of case-sensitive letters, numbers, and special symbols
Avoid using passwords that contain common phrases, slang, places, or names
Use a password manager to help generate, store, and manage your passwords
Never use an unsecured WiFi connection (e.g. public WiFi) while traveling
1. 8+ character password
Tested by creating a new account on each website. Dashlane researchers attempted to create passwords less than 8 characters irrespective of the site’s stated minimum password requirements.
Tested by creating a new account on each website. Researchers attempted to create passwords with all letters (“password”) or numbers (“123456”).
3. Password strength assessment
Tested by creating a new account on each website. If the site provided any notification of password strength, such as a meter or color-coded bar, they were credited as providing an assessment. Sites that only provided confirmed password length or where requirements were met did not receive credit.
4. Account creation email
A site was credited if they sent the user a confirmation or activation email after the account was created. If the site sent a password in plain text they did not receive credit.
5. 2-factor authentication
Sites were credited if they provide any form of two-factor authentication.