This article is something a bit different for the blog which I hope you find useful – see my footnote at the end of the article for more on this!
Well, 2020 didn’t quite go as expected a year ago did it?! At the beginning of January last year, Corona to most people was a brand of Mexican beer and in the Western world, masks were more associated with Halloween fancy dress than the weekly shop.
With the roll-out of vaccines now underway, the second half of 2021 will, all being well, see travel open up again – and with that, travel sites offering everything from Transatlantic flights to a train ticket for a day out in London will likely start offering deals to tempt us back out again (once safe to do so).
With that, I’ve been taking the opportunity to review the security of my personal information when booking a trip away. As travel demand increases, so too will the opportunities for fraudsters to trick people into handing over anything from login information to credit card details. In this article, I’ll go through the main things I’ve been keeping an eye out for, and offer some tips on how to keep your details secure.
It’s often only the high-profile data breaches that are reported in the news – unfortunately, usernames and passwords are made available on the ‘dark web’ far more frequently than the breaches picked up by the media would suggest. As such, having the same password across multiple sites is a bad idea.
Think of a password as a single key on a virtual bunch of keys – if that one key opened your car, house and garage, losing it would be significantly more problematic than losing one key from a bunch. Now consider how problematic it would be if all of those virtual keys had your e-mail address printed on them – as a fair number of websites use an e-mail address/password combo rather than username/password for access, anyone who has your password for one site can easily get into the others too if the passwords are the same.
Also think about the complexity – longer passwords including at least one special character are much better than simpler variants. It doesn’t have to be difficult to remember. Using word phrases is one good option – ‘Cuddles-is-Mike’s-giant-teddy-bear-which-he-got-aged-5’ is a lot more secure than just ‘cuddlesthebear’ – note I’ve also worked an apostrophe into the phrase (and to make it even more secure, I could use M1ke’s rather than Mike’s to add another number in – or to take all the dictionary words out entirely, I could use the word phrase with each word typed backwards!).
Finally, do consider using a password manager – I use Dashlane (and you can get 6 months free to try it out here!). This will allow you to have truly random secure passwords for each site you use across your computer, tablet and phone (it’s accessed by knowing one master password – I’d strongly suggest using a long word phrase or another strong mix of letters, numbers and symbols for this as per my example above). Dashlane will also ask you for a 2FA confirmation (via e-mail or from an existing authenticated device) every time you log in on a new device.
2. Consider 2-Factor Authentication (where supported)
2-Factor Authentication (2FA) is another good tool against someone who has your username/e-mail address and password for a site – as it’s much less likely that they also have access to your mobile device!
2FA works by requiring a unique code (or ‘token’) every time you log in, either sent as a text message to your mobile phone or generated by an app such as Authy or Google Authenticator. The latter is more secure – as a lot of devices will display text message contents on the lock screen – but less convenient… but my view is that either is a lot better than not having anything set up at all!
The main issue here is the number of sites that still don’t support it as an option – in particular, I feel the travel sector is behind the curve here. Of the major UK airlines and rail companies I looked at (including all those I personally book with in normal times with any regularity), only British Airways looks to have 2FA as an option you can opt-in to on their website. It may be that the travel companies feel there’s no particularly compromising data in the account but I’d disagree – alongside personal details such as your address and phone number being available, there’s also a potential issue with someone unknown having access to your travel itinerary (for example, they may know no-one is likely to be at home, considering they’ve got your address!).
3. Watch out for phishing scams
This may seem obvious but I’m going to include it here anyway, as phishing scams in recent years have been getting more intelligent. Always check that, when clicking on e-mail links, the web address matches that of the company you think you’re logging into.
I saw quite an interesting travel-related example of this recently. British Airways had an ‘Executive Club update’ for me and wanted me to log into my account. It was picked up by my spam filter but if it hadn’t been, I may very well have clicked the link – it was along the lines of https://ba.com.baexecclub.co.uk/login. Looks convincing – but the only bit of the URL that matters in terms of who owns that domain is baexecclub.co.uk – which isn’t owned by British Airways. Log in and all of a sudden the scammers running that site have your (real) British Airways login details, and possible access to your full personal details and flight itineraries (unless, as above, you’ve proactively enabled 2-Factor Authentication on the BA site!)
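The check described above, as an added example rather than code from the original article: it extracts the registrable domain from a link and compares it with the one you expect. The suffix set is a small constructed stand-in for the full Public Suffix List, and treating ba.com as the genuine airline domain is an assumption taken from the link quoted above.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for this example.
# A real check should load the full list published at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}


def registrable_domain(url):
    """Return the public suffix plus one label, i.e. the part someone registered."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scan from the left so the longest matching suffix (co.uk before uk) wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None                      # unknown suffix: cannot be verified


def belongs_to(url, expected_domain):
    """True only for HTTPS links whose registrable domain is the expected one."""
    if urlsplit(url).scheme != "https":
        return False
    return registrable_domain(url) == expected_domain.lower()


if __name__ == "__main__":
    # Sample links: the first is the one quoted in the article, the second is
    # a constructed link on the domain assumed to be genuine.
    for link in ("https://ba.com.baexecclub.co.uk/login",
                 "https://www.ba.com/login"):
        print(link, "->", registrable_domain(link),
              "| matches ba.com:", belongs_to(link, "ba.com"))
```

Everything to the left of the registrable domain is a subdomain chosen freely by whoever owns it, which is why the leading `ba.com` in the first link proves nothing.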
4. Ensuring you know if your data has been compromised
Data leaks happen in many locations – so keeping track of breaches for every single site you sign up to just isn’t easy or practical (particularly as the breached site may not always let you know quickly). Luckily – there’s a not-for-profit site called haveibeenpwned.com which catches the majority of major breaches. I’d recommend signing up to their alerts system, which will automatically e-mail you if your details are found in a data breach.
5. Want to learn more?
The above points are some basics of staying safe whilst booking your travel online for 2021 and beyond. If it’s an area you’d like to read more into, I’d recommend the Open University’s free course on security basics – this covers not just passwords/website safety but also offers useful network security tips.
(Oh, and speaking of the Open University, I’m excited to be starting their MSc. Cyber Security programme part time in May! As such, this article is a bit of a trial run – I’d be really interested in feedback on whether you find ‘crossover’ articles like this between online security and travel interesting, as I’m undecided whether to keep this blog just for more general interest travel experiences or include any interesting travel industry research from my Masters degree here too)