The aviation industry’s cybersecurity problem is significantly worse than that of other industries. The epicenter of cyber breaches at airlines is their websites and mobile apps. Recent attacks on British Airways, Canada Airways, and Cathay Pacific are examples of the grave threats that airlines face from cybercriminals and malicious bots. Attackers deploy bots to execute many of these breaches, which involve account takeover, API abuse, and DDoS attacks.
Airlines rely on Online Travel Agencies (OTAs) like Expedia or Booking.com as a channel to sell flight tickets. These platforms are authorized to scrape flight schedules, pricing, and other relevant flight information in exchange for a fee or under agreed-upon terms. Unauthorized OTAs also scrape from airlines. The difference is that unauthorized OTAs have no agreement on the timing of scraping or the number of bots they should use to scrape. These portals unleash thousands of bots to scrape flight information. Competitors also deploy bots to scrape flight and pricing information to optimize their listings. Unscrupulous scraping of flight information causes unwanted GDS queries, which result in higher operational costs.
The aviation industry is also a fiercely competitive, low-margin market, and competitors’ scraping of pricing information to optimize their own pricing results in price erosion, particularly for budget airlines. In one of our recent conversations with a well-known budget airline, we learned that they have been losing a significant share of their customers to a competitor airline because the competitor has been optimizing its listings based on their pricing. This stiff competition and the use of bots to scrape pricing in real time resulted in some of their flights going half-empty, not to mention the revenue loss due to half-empty domestic and international flights.
In this blog, let’s examine the threats that airlines are facing from bots and how they are losing revenue due to bots:
Scraping of Flights Information, Fraudulent GDS Queries, and Skewed Look to Book Ratio
Scraping is a known malicious practice across industries. But for airlines, it’s evil. Scraping of flight and pricing information by competitors, unauthorized OTAs, and aggregators leads to unwanted GDS queries and skews the look-to-book ratio. The unwanted GDS queries and the increased look-to-book ratio result in increased fees for third-party booking vendors. Scraping of flight information and pricing also impacts competitive advantage.
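To make the look-to-book skew concrete, here is an added example (not code from this blog or any vendor) that computes the ratio per client from request logs and flags high-volume clients that rarely or never book. The log format, client names, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines: '<ISO time> <client id> <event>'."""
    lines = [f"2024-05-01T10:00:{i:02d} traveler-1 search" for i in range(6)]
    lines.append("2024-05-01T10:01:00 traveler-1 book")
    for i in range(400):                      # partner with an agreement
        lines.append(f"2024-05-01T11:{i // 60:02d}:{i % 60:02d} partner-ota search")
    lines += ["2024-05-01T11:30:00 partner-ota book"] * 5
    for i in range(900):                      # high volume, never books
        lines.append(f"2024-05-01T12:{i // 60:02d}:{i % 60:02d} scraper-9 search")
    lines.append("truncated line")            # malformed input is skipped
    return lines

def look_to_book(lines):
    """Return {client: (looks, books)}; each look stands for one GDS query."""
    counts = defaultdict(lambda: {"search": 0, "book": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("search", "book"):
            continue
        counts[parts[1]][parts[2]] += 1
    return {c: (v["search"], v["book"]) for c, v in counts.items()}

def flag_clients(stats, max_ratio=200.0, min_looks=100):
    """Flag clients whose look-to-book ratio exceeds max_ratio.

    min_looks keeps ordinary travelers with a handful of searches out of
    the result; a client with zero bookings has an infinite ratio.
    Both thresholds are assumed values, not industry standards.
    """
    flagged = []
    for client, (looks, books) in sorted(stats.items()):
        if looks < min_looks:
            continue
        ratio = looks / books if books else float("inf")
        if ratio > max_ratio:
            flagged.append((client, looks, books, ratio))
    return flagged

if __name__ == "__main__":
    for client, looks, books, ratio in flag_clients(look_to_book(build_sample_log())):
        print(f"{client}: {looks} looks, {books} books, ratio {ratio}")
```

In practice the client key would be an API key, session, or device fingerprint rather than a plain name, since scrapers rotate IP addresses.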
Denial of Flight Ticket Inventory
Competitors’ bots add hundreds of tickets to carts and abandon them later to prevent real travelers from buying tickets. Such automated attacks create artificial inventory exhaustion, reduce sales, skew conversion rates, and impair brand reputation.
Cyber attackers deploy bots to perform credential cracking and credential stuffing attacks to take over accounts. Attackers target user accounts to harvest personal information (PII), credit card details, gift card vouchers, and travel history. They also make unauthorized transfers of virtual currencies such as reward points, wallet money, air miles, gift cards, etc.
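One way to surface this hold-and-abandon pattern, as an added example that is not part of the original post: total the seats each client held but never purchased and report the share of a flight’s capacity that was tied up. The event format, flight code, capacity, and 25% threshold are all assumptions, and the events are taken to cover one completed cart-hold window.

```python
from collections import Counter

# Constructed cart events for one completed hold window:
# (client id, flight, action, seats). All names and numbers are made up.
EVENTS = (
    [("traveler-1", "XX101", "hold", 2), ("traveler-1", "XX101", "purchase", 2),
     ("traveler-2", "XX101", "hold", 1),
     ("agency-3", "XX101", "hold", 30), ("agency-3", "XX101", "purchase", 24)]
    + [("bot-7", "XX101", "hold", 9)] * 12
)
CAPACITY = {"XX101": 180}  # assumed seat count for the constructed flight

def abandoned_seats(events):
    """Return {(client, flight): seats held but never purchased}."""
    held, bought = Counter(), Counter()
    for client, flight, action, seats in events:
        if action == "hold":
            held[(client, flight)] += seats
        elif action == "purchase":
            bought[(client, flight)] += seats
    return {k: max(held[k] - bought[k], 0) for k in held}

def inventory_denial(events, capacity, max_share=0.25):
    """Flag clients whose abandoned holds tie up more than max_share
    of a flight's seats. Flights with unknown capacity are skipped."""
    flagged = []
    for (client, flight), seats in sorted(abandoned_seats(events).items()):
        total = capacity.get(flight)
        if not total:
            continue
        share = seats / total
        if share > max_share:
            flagged.append((client, flight, seats, round(share, 2)))
    return flagged

if __name__ == "__main__":
    for row in inventory_denial(EVENTS, CAPACITY):
        print(row)
```

Measuring share of capacity rather than raw abandonment rate keeps a single traveler who drops one seat from looking the same as a client that locks up most of a flight.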
Attacks and data breaches on poorly protected APIs are mounting. Fraudsters exploit API vulnerabilities to steal sensitive data, including user information (PII), business-critical content, etc. The extensive deployment of internal APIs, combined with mobile access and increased dependence on cloud-based APIs, means that web application security defense systems that defend only the external perimeter are ineffective. Also, as new APIs are being added and consumed by businesses on an ongoing basis, API security is not a one-time exercise.
Payment frauds such as carding and gift card cracking are carried out using bots. Carders deploy bots on merchants’ checkout pages to verify and build complete cardholder datasets. Accepting stolen credit cards leads to chargebacks and penalties. Excessive chargebacks result in termination of the merchant’s account. Airlines struggle to prevent carding attacks because such attacks go unnoticed by conventional application security measures. Successful carding attacks negatively affect your merchant history as well.
Automated attacks on the Application Layer (Layer 7) of your web and app infrastructure go undetected by conventional security measures. Application layer DDoS attacks cause spikes in application-specific and associated computing resources, leading to slowdowns and service disruptions.
The aviation industry is one of the industries most targeted by bad bots. However, most airlines have been overlooking the threats posed by these bots, which has resulted in some high-profile data breaches and loss of revenue. Half-empty flights are a known problem that airlines are struggling to deal with, yet very few airlines have acknowledged the role of bots in half-empty flights. It’s time airlines acted against bots to save revenue and competitive advantage. Stopping bots helps airlines safeguard user privacy and secure competitive advantage.