It should be no surprise that hotels are, increasingly, the target of online crime.
Consider Marriott Hotels, which purchased Starwood Hotels and Resorts Worldwide Inc in 2015. The legacy database Starwood used continued to be the primary IT infrastructure long after the purchase. Unfortunately, this was breached, causing personal customer details, such as names, credit or debit card details, house address, and other information to fall into criminals’ hands.
The breach was made public in 2018 and, as a result, Marriott was fined an estimated $120 million in 2019 for breaching the GDPR through the loss of the details of 500 million customers.
In a global study, the Association of Certified Fraud Examiners found that hospitality and food services lose an estimated $114,000 in revenue to fraudulent activities every year.
To mitigate various types of digital attacks, scams and fraud, user/guest identity verification steps have been proposed – and introduced by some organizations.
But how are they best implemented and at which touchpoints?
Firstly, let us think about identity verification as a concept.
This refers to the process which confirms a user’s identity. There are several avenues to this, including:
- whether a person online is who they claim to be – in this case, a guest making a reservation
- whether the guest arriving at the hotel is the legitimate guest for whom the reservation was made.
Most industry professionals will probably already be thinking of how, when a guest arrives, they are asked for the debit or credit card they used to make the reservation and, often, a form of personal ID, to ensure they are who they claim to be.
During their stay, a rudimentary form of identity validation is introduced through requiring keycards to access elevators, or even through biometric checks at various locations, ensuring no outsiders are accessing guest-only areas.
However, beyond this, it is important to keep in mind that there are other means and stages at which this takes place – or at which it might be beneficial to introduce verification.
There are several benefits to introducing efficient user verification on a hotel’s website and/or booking platform, for example. When someone creates a new account, they may be asked to verify their identity, or this may be done behind the scenes by the software.
Similarly, when making a booking and/or payment, they are normally required to provide a form of ID, which will be checked at Reception when they arrive at the hotel.
In most cases, to make online reservations, the customers must input their credit or debit card details, which will get processed with their name, phone number, and address.
Such online payments are a “card-not-present” channel. Card-not-present refers to transactions made remotely without the physical card – for example, online or over the phone. These give criminals several opportunities to take advantage.
For instance, fraudsters can test stolen credit or debit cards through hotel online reservations, as it shows whether the card is “live” – in other words, still working – and allows them to use the card.
That was an example of hotel booking systems as a testing platform to enable further fraud, but there are many more potential pitfalls, from account takeovers to hotel app abuse, as well as chargebacks.
There are several ways in which such activity can affect hospitality businesses, their bottom line and their reputation.
- Loss of funds: Allowing criminals to sign up on your platform means they can attempt all manner of fraud, including getting their hands on your money with false claims. They could, for instance, pose as legitimate past guests demanding money back for sub-par service.
- Chargebacks: If fraudsters manage to make payments using stolen card credentials, the legitimate cardowners are very likely to request chargebacks. This affects you in manifold ways, from chargeback processing fees to increased chargeback ratio and even getting blacklisted by banks or card issuers.
- Fines: To add insult to injury, certain actions a fraudster takes can make you liable for hefty fines. For instance, if you have EU-based customers and fail to protect their personal information, you are subject to GDPR fines of up to 4% of your annual revenue or 20 million euros – whichever is greater.
- Reputational damage: Letting bad users interface with your platform increases the risk of data breaches and other major incidents that could make the news and affect your public image – as we saw above.
- Fake bookings: Bad actors can also make a long series of reservations in order to sabotage or blackmail you – or for other gain. This would mean a limited or non-existent number of accommodation options are left available for legitimate customers to book.
But by introducing user verification at signup and/or payment, a large portion of fraudsters and other opportunists can be kept away, thus reducing fraud and similar events.
The question thus becomes when and how to best introduce user verification on your website.
There is a range of verification tools that may be the answer to catching potential fraudsters. These include asking users to upload a copy of their passport or other identification, but there’s more.
Let’s look at two up-and-coming user verification methods and the benefits and shortcomings of each.
A biometric scan examines unique features of the customer’s appearance, such as facial characteristics, fingerprints or their voice. This can assist both the front desk staff and automated systems on the premises to identify customers.
Beyond this, biometrics can be used as 2FA for mobile and other hotel applications to confirm the identity of registered guests and thus fight remote account takeovers.
However, when it comes to assessing the intentions of newcomers to your website, biometrics have limited application.
One way to deploy this method is by asking guests to upload their ID and then take a selfie or selfie video to prove they are the same person. At this point, an algorithm or human expert will assess if it is a match.
Though it can have benefits, one negative of this method is friction: many customers dislike the extra time these checks add to the process, and they may also have privacy concerns.
A different option has to do with the technique known as digital footprinting, which can be done manually or automatically through data enrichment.
In simple terms, digital footprinting means locating and combining into a profile all the public elements associated with an email address or phone number that we can:
- Do they have social media accounts? How many?
- Is the email domain free or paid?
- Has this email address been included in any data breaches? This helps us know its approximate age.
- Is this person on any instant messaging apps such as WhatsApp or Viber?
- Does public information on their online accounts match their IP and card issuer geolocation?
The above is all information that this user has chosen to make public and only helps assess whether they appear to be a legitimate guest, rather than telling us details about their life. Using all of this, fraud prevention platforms can assign a risk score, thus streamlining the process.
Digital footprinting helps you to stop fraudulent activity when the user signs up on the hotel's site. Importantly, it is also a frictionless method because it works behind the scenes, using only the customer-provided email address and/or phone number.
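As an added illustration (not code from the article or from any fraud prevention product), the sketch below turns the footprint signals listed above into a risk score and a sign-up decision. The Footprint fields, the weights, the thresholds and the sample sign-ups are all hypothetical assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample list; a real deployment would use a maintained one.
FREE_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

@dataclass
class Footprint:
    email: str
    social_accounts: int            # public profiles linked to the email/phone
    breach_count: int               # known breaches that include the email
    on_messaging_apps: bool         # registered on e.g. WhatsApp or Viber
    profile_country: Optional[str]  # country shown on public profiles, if any
    ip_country: str
    card_country: str

def risk_score(fp: Footprint):
    """Return (score 0-100, reasons). All weights are illustrative assumptions."""
    checks = [
        (fp.social_accounts == 0, 30, "no social media presence"),
        (fp.email.rsplit("@", 1)[-1].lower() in FREE_DOMAINS, 10, "free email domain"),
        (fp.breach_count == 0, 15, "no breach history, address may be new"),
        (not fp.on_messaging_apps, 15, "not on messaging apps"),
        (fp.ip_country != fp.card_country, 20, "IP and card issuer countries differ"),
        # Only score the profile check when public profile data exists.
        (fp.profile_country is not None
         and fp.profile_country not in (fp.ip_country, fp.card_country),
         10, "profile country matches neither IP nor card"),
    ]
    hits = [(weight, why) for cond, weight, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(score: int) -> str:
    """Map a score to an action; thresholds are assumptions to tune on real data."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"  # e.g. ask for the ID-and-selfie check
    return "decline"

# Constructed sample sign-ups, not real customer data.
SAMPLES = {
    "regular": Footprint("anna@example-travel.com", 3, 2, True, "DE", "DE", "DE"),
    "traveller": Footprint("sam@gmail.com", 2, 1, True, "GB", "FR", "GB"),
    "throwaway": Footprint("qx81723@gmail.com", 0, 0, False, None, "BR", "US"),
}

if __name__ == "__main__":
    for name, fp in SAMPLES.items():
        score, reasons = risk_score(fp)
        print(name, score, decide(score), reasons)
```

The "traveller" sample shows why a middle band is useful: a genuine guest booking from abroad trips the geolocation check, so they are routed to a step-up check rather than refused outright.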
Implementing user identity verification can protect hotels from digital and other fraud, allowing you to focus on serving guests and achieving growth. It can even help the staff work better.
When considering the best way to do this, however, it pays to avoid introducing friction into the online booking or check-in experience – after all, satisfied guests are key in hospitality.
About the Author
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He's the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.