Hotels are not usually a primary focus for cybercriminals. More often than not, fraudsters spend their time prying into financial organizations, healthcare facilities or even the public sector as part of their attacks. However, this trend has begun to change.
While criminals are not able to do much with a mere hotel reservation, their options quickly open up when they gain access to a guest’s account. Just as cybercriminals have targeted frequent flyers and their travel rewards in the past, they are now looking to hack into the accounts of hotel guests for their loyalty points.
At a time when many hotels are committing to digital transformation projects, cybersecurity strategy may end up on the back burner. With hospitality fraud posing a threat to more hotels and more guests, it is critical that layered security remains a key consideration. Let’s analyze how threat actors are capitalizing on the hospitality industry and what hoteliers can do to ensure protection.
The Return
The COVID-19 pandemic rocked the world of hospitality in 2020 with international travel expenditures hitting a 25-year low. Fast forward to the present day and hotels have experienced a significant rebound with the resurgence of both business and leisure travel nearing pre-pandemic rates.
As much as guests have enjoyed returning to their travel plans, cybercriminals have arguably enjoyed this trend even more. Spikes in travel over the past few years have provided fraudsters with an ever-growing window of opportunity in the form of attacks on car rentals, airlines and, of course, hotels.
These organizations have become the new targets of payment and loyalty fraud, information and account theft, credential stuffing attacks, and more. In one of the most recent notorious incidents, Marriott was hacked to the tune of more than 20 gigabytes of sensitive customer data.
The Value of Loyalty
Out of the key players in the hospitality industry, hotels have found themselves to be among the top targets of this spike in fraudulent activity. As travel has returned, hoteliers everywhere have felt the pressure to innovate and accelerate digital transformation goals as customers pursue an increasingly digital experience, including the likes of virtual check-ins, keyless entry and more.
What can be lost in the shuffle is an organization’s security posture, which then exposes a broad attack surface for potential cyber threats. This attack surface only grows as travelers plan more excursions.
How Exactly Are Cybercriminals Taking Advantage?
Should an attacker gain access to an account, either by way of a data breach, account theft, phishing scheme or other means, any rewards belonging to a guest can be sold away or stolen. Guests who have worked for months or even years to stockpile loyalty points can lose their status overnight. Alternatively, customers who book with less regularity may not realize their loss for some time. Inevitably, the theft creates an issue for any guest the next time they attempt to book a stay with those missing rewards.
Guess Who
For hotels, combatting hospitality fraud starts with a recommitment to the security basics. A strong security posture includes sufficient identity verification measures to ensure that guests are who they claim to be. Some hotel chains have even begun integrating identity verification technology right into their mobile apps.
Adding layers of security, like biometric verification, can protect customers by ensuring that guest accounts are only accessed by authorized users. Biometrics are a stronger tool than a common password, security code, or even two-factor authentication technique. Plus, with the implementation of a practice like biometric verification, concerns around commonly used tactics like credential stuffing are eliminated completely.
The identity verification tools available today are intelligent enough to perceive the authenticity of a user’s request. Imagine that a fraudster is trying to create a second profile from a mobile device that has already been registered. Verification tech would note this discrepancy and redirect the user to additional security checks. Meanwhile, a customer attempting a legitimate sign-in would be recognized as such and able to bypass the extra security measures. Together, these technologies grant hotels peace of mind without tarnishing the customer experience.
The Road Ahead
With three years elapsed since the onset of the pandemic, there is no denying that travel is back in full force. As long as the travel and hospitality industries are experiencing success, threat actors will be looking for ways to get a piece of the action. Identity verification can go a long way toward securing customer accounts, streamlining reservation processes, and ensuring that loyalty points remain with their rightful owners. Hotels cannot afford to let security take a back seat, especially along the road of their digital transformation journeys.
Bala Kumar is chief product officer at Jumio.