Consumer Fight Back<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n A family that was targeted by scammers fear their experience has exposed a security loophole in an online travel agent’s booking platform.<\/p>\n Marion Tyler, from County Antrim, unwittingly called a scam number when attempting to phone loveholidays about a booking and then shared details that allowed fraudsters to access her account.<\/p>\n Later, when trying to resolve the issue, Ms Tyler’s daughter-in-law found she could access her mother’s account even after log in details had been changed.<\/p>\n She said she believed scammers “must be getting in again and again” because of an issue with the firm’s authentication process, but loveholidays has backed its system.<\/p>\n<\/div>\n It told BBC Radio Ulster’s Consumer Fight Back<\/a> programme it was sorry to hear about Ms Tyler’s experience but it was “confident that the industry standard two-factor authentication process ensures our platform and our customers’ data is secure”.<\/p>\n<\/div>\n Marion Tyler had booked a holiday through loveholidays.com for herself, her daughter and two grandchildren to Lanzarote in August. <\/p>\n When she wanted to pay off some of her balance, she phoned a number, from an online search, that she believed to be the firm but was actually a scam company. <\/p>\n The scammers tricked Ms Tyler into thinking she was speaking to loveholidays and she shared some details about her booking.<\/p>\n It is unclear how the scammers accessed a one-time passcode link that was sent to Marion’s email. This allowed them full access to her loveholidays reservation.<\/p>\n “I genuinely believed it was loveholidays, because she knew all the details of our holiday,” said Ms Tyler.<\/p>\n “She knew right down to the flight times, she knew everything.”<\/p>\n<\/div>\n After moving Ms Tyler to a WhatsApp conversation, scammers tricked her into transferring \u00a32,000, saying it would save her money on her holiday.<\/p>\n But when Ms Tyler rang the real loveholidays the next day to confirm her remaining balance, she was told the firm had not received any payment from her.<\/p>\n “I actually felt sick. I was in a state of panic,” she said.<\/p>\n “I was absolutely gutted and devastated. It really did affect me and I didn’t sleep. I was annoyed at myself for being stupid enough to do it and for falling for it.<\/p>\n<\/div>\n “It’s soul destroying, how easily they were able to access it and get that very definite information about the holiday.”<\/p>\n Ms Tyler alerted loveholidays to the scam and was advised to change the email address on her booking and add a password.<\/p>\n But, while she was on the call with loveholidays, changes were made to her booking – scammers were changing the destination of her holiday and the passenger times.<\/p>\n Ms Tyler’s family feared even after updating their security details, scammers could still access her booking.<\/p>\n<\/div>\n Her daughter-in-law, Marie Tyler, took over and contacted loveholidays.<\/p>\n During that call, she opened her internet browser and logged on to the firm’s website – having previously used the computer to access her mother-in-law’s account, she expected to have to log-in again as the account details had been changed.<\/p>\n To her surprise, however, the site brought her straight into Ms Tyler’s booking. <\/p>\n “I was in shock,” Marie Tyler said.<\/p>\n “I was getting ready to get the verification link sent over to me. I thought: ‘I’m in!'”<\/p>\n She said she told loveholidays’ customers service team that the scammers “must be getting in again and again because you’re not reauthenticating people”.<\/p>\n<\/div>\n The family has reported the scam to Action Fraud and contacted the Information Commissioner’s Officer over their data protection concerns. <\/p>\n They are also working with their bank to recover the money.<\/p>\n Loveholidays told Consumer Fight Back they were “sorry to hear about Marion’s experience after calling a number that was not associated with loveholidays and, unfortunately, falling victim to a scam”.<\/p>\n “The fraudster managed to maintain access to her booking through their cache. We have been in touch with the family and have secured the booking by transferring it to a new account with a new reference number,” the company said.<\/p>\n “We are confident that the industry standard two-factor authentication process ensures our platform and our customers’ data is secure, with the issue, in this case, stemming from the customer handing this access over to the scammer.”<\/p>\n The firm said it had “initiated further steps” should future customers find themselves in a similar position, including improving internal processes “to ensure access to the account is immediately revoked when we are alerted that a customer’s account is compromised”.<\/p>\n<\/div>\n Ms Tyler still hopes to go on the holiday later this year with her daughter and grandchildren.<\/p>\n “I’m actually really still annoyed about it.<\/p>\n “It’s not pleasant, it’s not nice and it’s a lot of money, but it’s not the worst thing that can happen in your life.<\/p>\n “We have to put it in perspective. What else can you do?”<\/p>\n You can listen to the full story on Consumer Fight Back with Holly Hamilton on BBC Sounds.<\/a><\/p>\n<\/div>\n<\/div>\n![\"BBC](\"https:\/\/ichef.bbci.co.uk\/news\/480\/cpsprodpb\/2bd3\/live\/4e95a600-f043-11ef-afe3-3909ee34e697.jpg.webp\")
BBC<\/span><\/div>\n<\/div>\nHow did the holiday scam work?<\/h2>\n<\/p>\n
‘I was in shock’<\/h2>\n<\/p>\n
![](\"https:\/\/www.bbc.com\/bbcx\/grey-placeholder.png\")
![\"Marie](\"https:\/\/ichef.bbci.co.uk\/news\/480\/cpsprodpb\/6425\/live\/acb85630-f04b-11ef-9d67-696683900f64.jpg.webp\")
<\/div>\n<\/div>\n‘We have to put it in perspective’<\/h2>\n<\/p>\n