Benjamin Fabre, DataDome: Why Bot Attacks Can Be Detrimental to Travel and Hospitality Companies

Bot attacks loom over consumer brands. According to DataDome’s research, bot attacks have increased more than 47% in the past 6 months. From DDoS, Server Overload, Credential Stuffing & Cracking, and Fake Account creation - bots can be detrimental to ecommerce companies - particularly in the travel and hospitality industries.


We sat down with Benjamin Fabre, co-founder and Chief Technology Officer, DataDome to discuss the threat of bot attacks and how companies in highly targeted industries can protect themselves.


Tell me about what you're seeing in terms of bot attacks?

Now that vaccines have become widely distributed, consumers are eager to travel and the demand for travel, lodging and dining is at an all-time high. High demand for travel isn’t the only thing on the uptick, however. According to DataDome’s research, bot attacks have increased more than 47% in the past 6 months. Cyber-attacks specifically targeted at the travel industry have skyrocketed since the start of Covid-19.

Why the increase?

To keep up with customer demand, stay competitive, improve customer convenience and promote safety this summer, many travel and hospitality organizations have embraced online and digital technologies. This means they have added new or upgraded reservation apps, contactless payment processing systems and loyalty programs that are all exposed on public networks, increasing the likelihood of attacks.

The industry shift to digital technologies combined with the wave of recovery in the hospitality industry is now bringing increased traffic to hospitality websites, mobile apps, and APIs. It has also given enterprising criminals another opening to launch malicious bots.

Why is the travel and hospitality industry particularly vulnerable?

When consumers book travel online, they have to provide valuable, personal information, such as credit card info, reward card numbers, addresses, and names. A travel site’s login page is the gateway to this information and as such, is rife for credential stuffing attacks, which can significantly slow down a website’s performance and may even take it down altogether. Even worse, when a credential stuffing attack is successful, hackers gain access to customer accounts.

Travel sites are also prone to inventory hoarding. Bots place large amounts of inventory-- like airplane seats and hotel rooms -- in a cart and hold it there. This not only skews your KPIs, it stops actual customers from booking a flight or a room because it might seem there aren’t enough seats or rooms. Inventory hoarding in travel and hospitality is especially frustrating, because inventory is both limited and short-lived. A bot that holds even just five seats in its cart for every flight can be a significant chunk of potential revenue that goes to waste.

What’s more, travel sites are particularly prone to carding attacks during times of high traffic, like holidays (or, in this case, post-pandemic demand). Hackers hope that the extra traffic will allow their bot attacks to go unnoticed -- and frankly, when hackers target loyalty coupons, discount codes, or gift cards, attacks are hard to notice, because affected customers don’t monitor coupons, codes, and gift cards as closely as they do their credit or debit cards.

What makes bot attacks particularly dangerous to travel and hospitality?

Bot attacks can negatively impact the two things most valuable to the travel industry: revenue (from inventory hoarding, for example) and customer trust. If a customer’s credentials are stolen or accounts taken over because your website isn’t properly protected from malicious bots, trust is broken.

Similarly, a carding attack fundamentally breaks the trust between consumers and a travel/hospitality brand. When the media picks up on a carding attack, it can damage a brand’s reputation. In addition, the targeted companies end up paying chargebacks for successful carding attacks or responding to complaints when customers notice their gift cards or coupons have been used without their permission.

How can companies mitigate the threat of bot attacks?

Each step of the customer journey in travel and hospitality can be an endpoint for bots to attack, so it’s necessary to protect each endpoint -- product and pricing pages, login pages, cart pages, and checkout pages.

To get maximum value from your bot protection solution, evaluate the following points:

  • Detection quality. If possible, test your candidates simultaneously against real traffic to see what they block and what they let through.

  • Ease of implementation. Ask potential vendors which integration options they provide, how extensive their documentation is, and what the onboarding process is like.

  • Autonomy. Choose a bot management solution that will handle bot attacks without your intervention, but that still offers detailed, real-time analytics and KPIs.

  • SOC. While your solution should block most attacks on autopilot, some situations may require a more hands-on approach. Ask providers how their bot SOC teams operate, and which services are included in your contract.

  • Flexibility. Don’t want to submit a ticket just to whitelist an IP address or change a rule for a domain? Check that the solution leaves you sufficient control over your settings.

  • Latency and scalability. There can’t be a tradeoff between business and security. To ensure zero impact on human visitors, choose a solution with a robust, auto-scaling infrastructure and plenty of PoPs.

###