Security

We have created this section to inform you about our security methods against fraudulent attacks or high suspicion of fraud.

In our TravelC system, we have the following indications for prevention:

Agency/User level prevention

1- Disable user's access

Users can be restricted so that they can only carry out certain actions from their profile on the ''disable profile permits'' screen. To set ups this permits, go to Ideas and Users > users > manage user, as shown in the image:

In the drop-down menu look for the permit or type the permit to restrict it to that user.

2- Check users' change history

In your ideas and users menu > users > edit user > edit user > Changes history tab, you can see all the changes made by a particular user on a microsite, and record suspicious activity.

3- Create a collective password

At agency level you can set up a ''collective password''. In addition to the user's password, the system will also ask for a collective password for the agency. This tool is only for B2B users.

To set up this collective password go to your BackOffice > ideas and users > agencies > Domains tab.

Enter the collective password and click on the save button.

4- Do not share accounts between multiple users.

5- Security PIN for payment by agency credit/deposit:

For agency credit/deposit payment you can set up a security pin to be requested from the B2B user at the time of payment with such a deposit.

To do this you must first have the credit/deposit payment check enabled in the Credit/Deposit tab within an agency profile:

Then, we will access the bottom of the page, where you will be able to set up a security PIN:

The same system recommends for security reasons to set a PIN and to keep a limited credit balance.

6. Activate the two-step validation for payments when booking a trip:

To configure this check go to your Backoffice > microsites > settings > general settings > booking process settings.

Due to the increasing number of hacker attacks, we have developed a tool available to increase the cybersecurity of your users when completing a booking, which we recommend to activate during the weekends, especially when you don't have a team to take care of the bookings as is often the case on public holidays.

For this reason, you can request that your customers who are going to make a reservation with a deposit payment are asked for a security/validation code that will be sent to the user's email during the payment process and that they must then enter it in this last step prior to completing the reservation:

This step is also explained in the Front Office manual > Booking flows in all search engines > Payment section.

7. Limit the agency's credit

In each agency's profile, in the credit/deposit window, we can see the payment movements, and activate or deactivate the credit/deposit payment allowed.

At the bottom, the total balance and the PIN are displayed.

Our recommendation is to limit the credit of the agencies. You should be the one to choose the limit based on the needs of each agency.

8. Ask passengers their ID as compulsory

You can activate a check so that when someone is purchasing a trip, all passengers are asked for their identity document.

Find this setting in your backoffice > microsites > microsite settings > microsite settings > passenger data settings.

9. Precautions when using unsecured devices

Take extra precautions when accessing your accounts from devices other than your usual ones, especially if their security cannot be guaranteed, as they may be exposed to malware or other threats that could compromise the integrity of your information.

Microsite level prevention

1- IPS Ranges

To be able to define IPS ranges for accessing a specific microsite.

Any connection from an IP that is not in that range will be blocked.

To configure it, go to your back office > microsites > settings > web settings > Allow B2B IPS. For B2B users only.

❗️Contact with your account manager or support to set up this tool. ❗️

2- Check the USERS LOGIN from time to time to see suspicious user logins.

Access this tab from your back office > ideas and users > user login registry

Based on this information we can go to active users (back office > data > active users) and see what each user has done and quoted.

From here we can also see the ip and the country of login. With all this information we can trace fraud patterns and assess whether or not to deactivate/ban the user.

To complement this information we can see the payment attempts made by a particular user, to do this we go to the back office > ideas and users > ideas, and in the list that appears, select the filter ''purchase attempt'' and if we go to ideas (in ideas and users) we can see the trip that was trying to buy:

You will see information about the time and day of the attempt, who the user is, and from which microsite and agency the attempt was made.

3 - Review bookings on a daily basis:

Compare passenger details, email, and phone number to ensure they match the user who made the booking or come from similar regions. Significant discrepancies can be suspicious.
Check the email domain used. Be cautious with domains that don’t exist or are extremely uncommon.
If the email name does not match any of the passenger names or the user who created the booking, this may be a red flag.
Watch for last-minute departures, especially within the next 24 hours.
Be alert to flight-only bookings with imminent departures from countries such as Turkey, Indonesia, or Brazil.
Also review hotel bookings with imminent check-ins at luxury properties in countries like Turkey, Indonesia, or Brazil.

In general, flag any booking that does not follow the usual patterns of your regular customers or agencies.

3- Block countries

On the Countries page (in your back office > microsites > countries) you have the possibility to mark Fraud countries based on 2 criteria (fraud risk and manual registration).

4- Payment gateways: Payment gateways that the operator detects as less secure can be restricted so that only B2B users can use them.

❗️ Contact your account manager or support to enable or disable payment gateways. ❗️

5- Release days

Most fraud bookings are with imminent departures. On each microsite you can set up a ‘’xx days advance purchase days‘’ where you are not allowed to search for dates that are within those release days. This can be set up for B2B and B2C users.

Go to your backoffice > microsites > settings > search engine > release days

By default the release its two days, but you can set it up according to your preferences.

6- Check the notifications screen from time to time

Find this tab in your back office > operations > notifications

On this screen you will see the real time number of users registering. If an abnormal pattern is detected, such as a large increase in registrations, different countries, emails with strange formats, these are usually indicative of fraudulent users.

7- Limit the number of operator users

We recommend that you limit the number of users who have the role of operator and keep them under control.

This type of profile greatly compromises the security of the site as they are allowed to do everything. We recommend that you give access to as few users as possible with an operator profile.

WHAT TO DO DURING A FRAUD ATTACK?

1-Massively reset the passwords of all users.

To configure this tool, go to your backoffice > microsites > configurations > web settings tab.

This is a drastic measure as no user will be able to log in with their passwords. These users will have the possibility to remember their passwords (they will be sent an email with a link to reset them).

2- Based on the records we see in point 2 above, we can deactivate and ban that user.

3- Be very attentive to point 6 above for a period of time (notifications).

4- Consider temporarily deactivating the payment gateway or gateways that are being used by fraudulent users.

If a suspicious fraudulent booking has nevertheless been entered, try to contact the telephone number and email of the booking to confirm. If you do not receive a response (as usual) you should try to minimise damage by cancelling what you can.

If you need help setting up any of the above recommendations, contact your account manager or operations:

Customer service hours:

Monday to Friday from 8:30h (am) to 02:00h (am) and Saturday from 10:00h (am) to 01:00h (am) (Spain time).
Contact phone: +34 971557243 (OPTION 2)
WhatsApp: +34 683196600 // +52 9982142684

Google Sites

Report abuse