Protecting Digital Keys to Prevent Fraud

By Doriel Abrahams, Principal Technologist

According to a study from Deloitte Digital, 60% of travelers prefer a hotel that offers contactless check-in and keyless room entry. I’m partial to it myself — I love walking into a hotel knowing my key is already in my pocket and that I can skip a queue at reception. Even better, for me, is knowing that I don’t need to worry about losing a physical key card; I just need my trusty smartphone (and then to make sure I don’t lose it).

As a fraud analyst, I can never turn off the part of my brain that looks for loopholes and wonders how a bad actor could take advantage of a situation. Unfortunately, while the digital key experience is fantastic and convenient, it also poses vulnerabilities. As I usually say, “If it’s easier for us, it’s easier for the fraudsters.”

Digital Keys Make Hospitality Bookings Into Digital Transactions

One of the traditional protections that benefited the hospitality industry was that it was inherently a physical experience. The whole point was that someone physically arrived and occupied space in the accommodation you were offering. 

That dynamic came with multiple defenses in place by nature. Someone arrived at a hotel, for example, presented themselves and their identification and their payment method to an actual person at a desk, had a conversation, and only after that received a key. 

With digital keys, however, that’s all changed. The physical interaction becomes a digital transaction with all the risks that come with it. Not every hospitality organization has realized that that’s what’s happening and that they need protections in place the way eCommerce sites do. 

When digital fraud comes into play, stolen payment methods become a risk, particularly since cards are often not charged until the guest arrives. Triangulation, with fake travel agents making bookings, can also be a problem. Fraudsters may additionally sell on a booking to good customers at a “discount,” leaving brands with the challenge of whether to honor a bad booking or offend a good customer.   

Opening the Door to Bad Behavior

In addition to the digital fraud element, a further complicating factor with digital keys and bad actors is that they may not be aiming to monetize the digital transaction but rather abuse the hospitality itself. 

In these cases, malicious actors use the space themselves for illicit activities. This may:

  • Negatively impact the experience for good customers
  • Cause reputational or physical damage
  • Lead to activities on the premises which are against the terms of service
  • Lead to illegal activities occurring on the premises, which, in the worst case, may even result in law enforcement’s involvement

Unlocking the Last Minute Challenge

Fraudsters are particularly likely to make a last-minute booking within the next 48 hours. It’s worth noting that this dynamic changes for chains that don’t charge for payment until a guest checks in since there’s no risk of a booking being made further out. Where that’s not a factor, though, last-minute bookings are up to 5x more dangerous than bookings for at least one week into the future. 

This is a challenge for the hospitality industry because many legitimate bookings are last minute. That’s just the nature of travel. For many brands, it might be typical for 20%-40% of bookings to be last minute and completely legitimate. I’ve contributed to those stats more than once, whether because of an unexpected work trip or a spontaneous getaway. 

Don’t You Know Who I Am?

At the risk of sounding like a broken record on this, the answer to the digital key conundrum really does take us back to the question of identity. 

When someone checks in in person, you have a range of clues you can use to analyze their validity and behavior. Once digital keys shift the balance to digital interactions, you need to rebalance your protections to take that into account. 

The good news is that a wealth of information is available as part of online interactions that can be used to substitute for real-life behavior, appearance, and conversation. It’s basically looking for the same clues but as a digital fingerprint. Knowing what you’re looking for is as good as a real fingerprint from a person standing before you.

The hospitality industry needs to lean into the cyber intelligence, behavioral analytics and identity graph technology that digital commerce relies on to protect their sites and apps. 

Leveraging technology to reach a deep understanding of online identities means that brands can ensure a smooth, seamless red-carpet experience for every legitimate customer while showing bad actors the door long before they get anywhere near the door of your hotel. 

If you have some creative ways of approaching the problem, or if you’re seeing the challenges and would like to talk them through to a sympathetic ear, reach out. I’m always happy to chat about fraud


Doriel Abrahams is the Principal Technologist at Forter, where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.