Booking.com Extranet

How Booking.com helps partners tackle cybercrime

The second part of our series on security and fraud. Matthew Hayhurst, Operations Manager - Account Security, delves into how Booking.com supports a secure experience for partners

Senior Manager - Global Security Incident Management, Booking.com

Security is an immensely important part of the Booking.com partner experience and something we take very seriously. From event security to health and safety, data protection and accounts, there are a lot of topics and specialisms covered by our teams, who work daily to protect our guests and partners.

Protecting partners with scalable solutions and innovations

We operate on a global scale - but so do fraudsters, so we need to make sure that whatever we develop is effective at that level while also being locally applicable. It’s key that whenever we come up with a solution it is scalable. We take a risk-based approach and tailor accordingly; if we see a certain type of partner is more vulnerable to being targeted, we would adjust our controls accordingly. It's rarely one-size-fits-all.

One of the biggest challenges, especially from an account security point of view, is that we rely on partners knowing how to recognise the likes of phishing emails, but that's not always the reality. A partner might be new to the industry and less aware of the risks, or in the case of big operators with higher staff turnover, it can be difficult to ensure staff are all trained on security-related topics. So, we try to avoid assumptions around awareness and do a lot in terms of education and communication, reaching out to partners whenever something critical might take place - whether it's a general security update or a specific notification.

A lot of effort goes into the day-to-day security operations, developing the processes and tooling that help the business provide the right level of support. That keeps a focus on the foundations. Then working alongside that, we always have a dedicated team working on innovation, taking a forward-looking approach to prevention and detection. There are elements of security that are very reactive and in need of a rapid response, so sometimes innovation comes from these triggers - whether it’s external events or business needs. Then in other cases, there's more focus on resolving the likes of pain points for partners and guests with new developments.

Dealing with friction

Often, changes that are critical to ensuring a partner’s security can involve an element of friction but that undertaking is really vital in order to avoid what could ultimately be a bigger hurdle if an attack or breach happened. The ramifications of an incident can be far-reaching: payment solutions provider eNett reported that the indirect costs of fraud - revenue and operational losses, reputational damage - can actually be 2.5 times higher than the direct losses.

Multi-factor authentication (MFA) is a great example. It’s a necessity from a security point of view, but the way in which it is implemented can introduce friction, particularly when the partner may have multiple team members needing to access the extranet. Keeping these credentials confidential and never sharing them with third parties is absolutely critical. We have seen social engineering cases where a partner receives a call asking for their username and password as well as their MFA PIN, and sometimes partners will divulge this information, at which point they have granted an unauthorised user access to their extranet account. It is important to note that we will never ask for these details. If partners understand how we operate, they are better equipped to identify suspicious situations. To help ensure this and reduce any associated friction, we develop guides in Partner Help to ensure the right materials are ready for partners whenever they might need support.

We also try to make it easy for partners to escalate issues to us. For example, we just launched a webform that partners can fill in if they think their account might have been compromised or they’ve received a phishing email. This comes directly to our team, which allows us to provide a much faster and more effective response to these critical escalations.

The preventative steps we take are rarely visible to a partner because they are designed, as far as possible, to be seamless. But the initial implementation of these measures may, at times, feel unwieldy - it can appear like effort for nothing. However, without this work, the impact could be far more serious and long-lasting. The possible threats are real, so on balance, it’s worth that extra input so we can protect partners from being hit by criminals. And once these foundations are in place our innovation teams can focus on providing a smooth experience in combination with robust protection.

Takeaway
  • Booking.com's specialist teams work across the business in a variety of different disciplines, from event security to data protection and beyond
  • Solutions are developed to be scalable while also being adjustable to specific circumstances if a certain type of partner is more vulnerable to a particular threat
  • Awareness of suspicious situations is key to ensuring account security; guides in Partner Help offer guidance on topics like phishing and social engineering
  • Partners can report any concerns around security via a webform that goes directly to the security and fraud team