Christopher Elliott
Special To The Washington Post

Think the real world is a dangerous place for travelers? Try visiting the virtual one, a place filled with shady travel offers and criminals who want to steal your personal information.

Christopher Elliott

It is the time of year when people start planning their summer vacations, and with everyone watching the bottom line, the temptation to save a few dollars by booking online is strong. That might include searching the underside of the Internet for a bargain.

A recent survey by the British security company Comparitech should make you consider carefully where you buy. The research discovered a vibrant market for frequent-flier miles on the “dark web,” a hidden part of the internet that requires special software to access. On one site, Comparitech found that you can buy 100,000 points for as little as $884.

“The type of sites most commonly associated with the dark Web are marketplaces where illicit goods such as narcotics, firearms and stolen credit card numbers are bought and sold,” says the report’s author, Paul Bischoff. “The darkest corners are used to hire hit men, engage in human trafficking and exchange child pornography.”

Bischoff says that if you get caught with stolen airline miles or selling your own miles, the airline can wipe out your account and leave you with nothing.

“Airlines can even cancel your bookings if they’ve found you’ve broken the terms of service,” he says.

A study by Seon, a security consulting company, found any number of travel products available on the dark web. They included airline tickets, car rentals and, on one forum, tours sold at a 30 percent discount. On another forum, customers were “impressed with this seller’s ability to deliver flights bought with stolen credit cards,” the study notes. “With over 200 sales, they had only five-star reviews.”

The dark web is just one of the places travelers should avoid. Others include unsecured websites and wireless hotspots designed to collect personal information. Bottom line: Online security can be as important as physical safety for travelers.

You don’t have to visit the dark web to get into trouble. Jonathan Weber, a software developer from East Stroudsburg, Pennsylvania, recently found an airline ticket on a Russian carrier called Transaero through a website that specializes in airline ticket price errors. Fare errors are both risky and ethically problematic. Sometimes, airlines honor them, sometimes not. In Weber’s case, the airline went out of business during his trip.

“Luckily, Aeroflot picked up their remaining flights and got us home,” he says. “But it was a hell of a surprise at the airport.”

Even when visiting a legitimate travel site, you might not be entirely safe. Consider the data breach Marriott disclosed last year, in which hackers accessed its reservation systems over four years and exposed private information of up to 500 million customers. Experts say it’s not a question of if, but when the next data breach will happen.
How do you know if a company is taking security seriously? One way is to look for a little padlock icon next to the website address on any page where you can type in sensitive information, including credit card numbers.

That is missing from a lot of travel sites. At least that is the finding of Sectigo, a web security company. It recently studied major airline, hotel, travel comparison, car rental, and train websites and rated them on how effectively they were secured. It flagged the sites for Firefly, SkyWest and Ritz Carlton for triggering “not secure” warnings, and numerous others for lesser security issues.

“Many major travel brands fail to provide assurance of their sites’ security and identity,” says Tim Callan, a senior fellow at Sectigo.

But the most common danger to travelers may be the network of wireless hotspots — set up in public places such as airports, convention centers and hotels — that are designed to steal personal information.

“Malicious actors can set up fraudulent WiFi networks and even fake mobile hotspots to collect and record traffic that connects to them, especially in top destinations,” explains Matthew Gardiner, a cybersecurity expert at Mimecast, an email and Web security provider.

A 2018 report by Coronet, a cybersecurity company, identified San Diego International, John Wayne Airport in Orange County, California, and Houston’s William P. Hobby Airport as the airports where travelers were most at risk of being hacked through a public WiFi network.

Avoiding a public network pays off in additional peace of mind, says Chandler Givens, CEO of TrackOFF, a provider of data privacy software for consumers. “At the very least, try to stick to sites with “https” in front of the URL, and be careful what kinds of personal information you submit while surfing.”

That brings us to the solutions. You can stay off public hotspots, log into a secure public hotspot, such as Boingo, or use a virtual private network (VPN), which offers an extra layer of encryption.

“To protect yourself, for example, when at airports or hotels, find out the official WiFi network of the facility from the management, and don’t connect to any others that you may find to be open,” says Gardiner, the Mimecast security expert. “Remember: How the WiFi network is named means nothing.”

Incidentally, I used to be a skeptic about the risks of unsecured wireless networks until someone hacked my son’s laptop at the airport. The likely culprit: an unsecured hotspot.

Christopher Elliott is a consumer advocate, journalist and co-founder of the advocacy group Travelers United. Email him at [email protected]