Slashdot Mirror


Hotels Lead the Industry In Credit Card Theft

katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."

135 comments

  1. Wait...what? by Pojut · · Score: 1, Redundant

    Hotels lead the industry in credit card theft.

    Wait...which industry? The hotel industry? So hotels lead the hotel industry in credit card theft?

    Redundant statement is redundant. Or poorly worded. Or just plain stupid.

    1. Re:Wait...what? by Voulnet · · Score: 4, Funny

      Pedantry. One of the disadvantages of living with a nerd.

    2. Re:Wait...what? by Pojut · · Score: 4, Funny

      And nose snorts. Don't forget about the nose snorts.

    3. Re:Wait...what? by commodore64_love · · Score: 1

      >>>Wait...which industry? The hotel industry?

      "Hotels lead the [credit] industry in credit card theft." Fixed it. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=13s

      I think I was a victim of this a few years ago. I had driven to Oregon for a vacation where I stayed in a Motel 6. About two months later some guy in California spent $3500 at Walmart on my Discover credit account. Of course I didn't have to pay, since my signature did not appear on any of the Walmart receipts.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    4. Re:Wait...what? by mcgrew · · Score: 0, Offtopic

      Redundant statement is redundant. Or poorly worded. Or just plain stupid.

      Like the guy who moderated your post "redundant". Why are people with two digit IQs allowed at a nerd site, anyway?

    5. Re:Wait...what? by Pojut · · Score: 1

      Because they would sue for discrimination otherwise. One has to wonder if they crash Mensa parties...

    6. Re:Wait...what? by singingjim1 · · Score: 1

      Poorly worded. I think industry is supposed to be the credit card industry, not the hotel industry.

    7. Re:Wait...what? by Anonymous Coward · · Score: 0

      "This video contains content from WMG, who has blocked it in your country on copyright grounds. "

      LOL sad

    8. Re:Wait...what? by commodore64_love · · Score: 1

      >>>"This video contains content from WMG, who has blocked it in your country on copyright grounds. "
      >>>LOL sad

      Yep. This link might work, although you won't get to see her sexy asian-european-american body :-( http://s0.ilike.com/play#Michelle+Branch:Are+You+Happy+Now:28704:s526903.8517444.2883784.0.2.20%2Cstd_b74cb0d1d0f64605a4ed1cfaaef4553a

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    9. Re:Wait...what? by Sporkinum · · Score: 1

      This just happened to us on a trip to Colorado. We stayed at a Super 8 and a Motel 6 while there, and at a Super 8 in Omaha. About a week after we got back we got 4 charges on our card that appeared to originate in Mexico. 2 of them were blocked by fraud detection of the card issuer, and 2 made it through. As it was a debit card, we were liable for $50 of the $600 in charges that made it through. Card was canceled and a new one issued. We are also going to use a credit card instead, so the card company is on the hook, not us.

      We were concerned about this happening, so we paid everything by cash on the trip. The bad thing was we had to use the card number to reserve the rooms.

      --
      "He's lost in a 'floyd hole"
    10. Re:Wait...what? by commodore64_love · · Score: 1

      >>>As it was a debit card, we were liable for $50 of the $600

      Why oh why do people continue using debit cards? If you had used a credit card, you would have been liable for *nothing*. And even if the Visa/Mastercard company tried to collect, you don't have to pay the bill. The money would be sucked from their account, not yours.

      >>>We are also going to use a credit card instead

      Good.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    11. Re:Wait...what? by commodore64_love · · Score: 1

      >>>>>Pedantry. One of the disadvantages of living with a nerd.

      Where I come from, we call them anal-retentive bastards. Or grandpas. Same difference.
      .

      >>>Wait...which industry? The hotel industry?

      "Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s

      I was a victim of this. I stayed in a Motel 6 in Oregon. About two months later some guy in California spent $3500 at Wal-Mart on my Discover credit account. Seems obvious the girl behind the desk sold the number, or else used it herself.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    12. Re:Wait...what? by Pojut · · Score: 1

      Brother, you don't even want to KNOW what body parts my fiancee can use to make snorting sounds...

    13. Re:Wait...what? by DinDaddy · · Score: 1

      I do now.

    14. Re:Wait...what? by david+duncan+scott · · Score: 2, Insightful

      Seems obvious because you didn't use the card ever again after that?

      I could be wrong, but if I were walking into a Walmart with a rigged-up card, I think I'd want a fresh number, something from the previous 48 hours, maybe. Sixty days seems like an awfully long time in hot-CC-number-years. If nothing else, it shows tremendous restraint on the part of a small-time criminal, most of whom can't seem to wait sixty minutes before they spend the money (unless, of course, her name badge read, "D. B. Cooper.")

      --

      This next song is very sad. Please clap along. -- Robin Zander

    15. Re:Wait...what? by Anonymous Coward · · Score: 0

      We are the Knights of Nerd, and our three principal weapons are pedantry, nose snorts, and tired clichéd worn-out jokes .... and self-referential self-deprecating attempts at humour.
        Wait ... our four principal weapons are ...

  2. People with too much time on their hands by Tisha_AH · · Score: 4, Insightful

    What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

    --
    Tisha Hayes
    1. Re:People with too much time on their hands by garcia · · Score: 4, Informative

      We have been vacationing on Hilton Head Island for over 20 years. Back in the late 1980s/early 1990s we were ripped off in a hotel employee scam. My mother would always pay in cash. Four crisp 100 dollar bills were laid on the counter and slid across to the staffer behind for our week long stay in paradise (we always found it hilarious that it was 1/6th as expensive as a shitty two bed hotel room on the Jersey shore). This year, however, the clerk requested that we put down a credit card to cover any damages which may occur during our stay. My mother, not one for hucksters, agreed reluctantly only because a young boy of no more than 10 or 11 was whining in the backseat of the minivan about how he had to pee.

      After another excellent vacation we arrived home and a letter came in the mail with our receipt of a credit card charge in the amount of $400. My mother knowing this had to be a mistake as she had a similar receipt for $400 in cash called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

      One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.

      So yeah, some employees truly do suck--always have and always will.

    2. Re:People with too much time on their hands by NoPantsJim · · Score: 5, Interesting

      I used to be one of these night shift people. I was definitely underpaid, but I used my spare time on the job with a laptop and a book learning to program.

      Here's the scary thing, plenty of people made it extra, extra easy for an employee to steal. We had this ridiculous backup process that had to be run nightly which would make our computers inoperable for about 90 minutes. If someone with a reservation came to check in I could do so, but any walk-ins would have to wait. Around 2-3 times a month people would come in so exhausted from driving all day that they'd just hand me their credit card and say "I'll pick it up in the morning, just give me a room key". I think that since it was an upscale Marriott people just assumed everything was safe.

    3. Re:People with too much time on their hands by AnonymousClown · · Score: 1

      If they have a decent bank behind their credit card or an AMEX, they weren't liable for anything over $50 - for personal cards. Business cards there's no limit on the liability. (Never get a 'business' credit card. Use a personal CC and reimburse yourself.)

      Anyway, if you went apeshit, they could dispute the charges as fraud. It's kind of a pain in the ass (faxed signed affidavit) but if you have a decent bank, they'll stand behind you.

      --
      RIP America

      July 4, 1776 - September 11, 2001

    4. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      Wow, you really stuck it to that hotel by refusing to stay there free of charge and instead moving to an inferior hotel because of the actions of one employee. I'd rather stay free of charge at the better hotel who are now more vigilant with regards to this scam, personally.

    5. Re:People with too much time on their hands by Yvanhoe · · Score: 3, Insightful

      So yeah, some employees truly do suck--always have and always will.

      And should not be trusted with consumer financial data, which is a management error that is totally avoidable.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    6. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      had a similar thing happen with a doctors office this year... paid $35 in cash and I disputed it!

    7. Re:People with too much time on their hands by guruevi · · Score: 3, Interesting

      That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      It's probably not because of the scam, but how the hotel handled the aftermath. Read the post again, the hotel accused them of lying and more.

      I'd never go back there either. Not even if they paid me.

    9. Re:People with too much time on their hands by pandrijeczko · · Score: 4, Interesting

      My company insists we put business expenses on company-provided AMEX cards.

      However, about four years ago, AMEX started requesting to do personal credit checks before they renewed expiring cards and I refused to let them do it; my credit rating is fine, I've nothing to hide, but I just don't like AMEX as a company and don't want my personal details on their (or any other company I refuse to deal with) database.

      The company couldn't force me to give them permission to do the credit check on me, so I now use my personal credit card and enjoy the loyalty bonuses as a result.

      --
      Gentoo Linux - another day, another USE flag.
    10. Re:People with too much time on their hands by NoPantsJim · · Score: 1

      You're right, but it still struck me as odd that people would just say "Hey stranger, take my card for the next 8 hours." It was pretty rare that I would still be there in the morning when they checked out, so that means I'd have to pass their card off to another low-wage employee to trust it with.

      It was kind of crazy how often my GM would have to fight these dispute charges. People would get enraged that their breakfast wasn't gluten free or that the tv in the room wasn't big enough and then have their CC companies claim they never stayed at our hotel. 99% of the cases were decided in our favor, but it was still a massive hassle from people deciding to throw a fit.

      Seems to me that people who submit false claims for disputing charges should be held liable for fraud themselves.

    11. Re:People with too much time on their hands by ericbrow · · Score: 1

      Amen to that. When I worked 3rd shift at a hotel while going to college, the pay was crap. I got a "raise" of 10 cents above minimum, then minimum wage went up 15 cents, and they called it another raise. 23 years old, and the only employee on site in charge of a multi-million dollar property and hundreds of lives, getting paid minimum wage. I was never tempted to steal, but I was often tempted to walk out.

    12. Re:People with too much time on their hands by xaxa · · Score: 0, Offtopic

      My flatmate works in one of the fancy hotels in Central London (I can never remember the name, the standard rooms are £300 a night or so).

      Every couple of weeks she tells me about one of the rich Arabs that stays for months and insists on paying in cash. They like to flaunt their wealth, so they wait for reception to be really busy, then dump £30,000 in £20 notes on the desk. Most other guests pay by card (using the PIN, if their card supports it)

    13. Re:People with too much time on their hands by wkk2 · · Score: 1

      There might be problems with using a personal CC in the near future. I believe you will be required to give every vendor a 1099 for business purchases over $600/yr. The record keeping will be a lot of trouble. I'm sure it's only the first step to a VAT.

    14. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      We have been vacationing on Hilton Head Island for over 20 years.

      Man, that is one really long vacation!

    15. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      I would have gone back. I guarantee I would have ended up being a lot more than $400 worth of trouble.

    16. Re:People with too much time on their hands by oldspewey · · Score: 1

      I now use my personal credit card and enjoy the loyalty bonuses as a result

      My company also forces us to use a corporate Amex card for all business-related expenses ... and I am happy to do so because the Amex rewards program is actually way better than any of the other loyalty programs I've come across. The rewards points accrue to me, personally, rather than my company, and the rewards/expenditure ratio is really nice.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    17. Re:People with too much time on their hands by RobertM1968 · · Score: 1

      What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

      New York has enacted legislation to help prevent some of this type of fraud, by making it illegal to print whole CC numbers on receipts or to store them in the terminal (meaning immediate processing, with batches being done by transaction number IDs and not the CC number).

      Problem is, I have STILL walked into places where the whole CC number and exp date are printed - even though it's in violation of the law. Makes it pretty easy to print out a list of the day's cc receipts, whole credit card numbers and expiration dates intact.

      Hopefully, (1) other states (or the Feds - c'mon Feds, be useful) will jump on similar legislation, and (2) they will start enforcing it with the merchant services providers, since many don't seem to care around here (while others, such as BoA, sent one of our customers a letter telling them they were going to remotely disable their terminal if they didn't bring it in for software upgrade).

    18. Re:People with too much time on their hands by JWSmythe · · Score: 2, Insightful

      Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.

      Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards. And of course we shouldn't forget about the evidence trail that using credit cards exclusively gives. Using a card on a regular basis lets the issuing bank know what your purchasing trends are. It may require a warrant for law enforcement to acquire the evidence, but the banks are more than happy to take advantage of the information for their own purposes.

      --
      Serious? Seriousness is well above my pay grade.
    19. Re:People with too much time on their hands by homer_s · · Score: 1

      And who is the "management" if not employees themselves?

    20. Re:People with too much time on their hands by RobertM1968 · · Score: 1

      That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

      Define reputable bank. When the idiot Lypozene scam kept charging my card, after I'd notified them to stop (in writing even), the cc company did "investigate" and reversed the charges - then added back the charges, even though I cited the fraud charges against them, simply because they claimed the Lypozene people claimed their website said what they were doing was ok.

      The bank was Chase, btw.

    21. Re:People with too much time on their hands by Anonymous Coward · · Score: 0

      Happened to me at one of the largest insurance companies in the US. I had just moved to the area, bought a new car and started a new auto policy and paid the first six months in cash. We didn't know but the agent at the office took the cash and then quit. Luckily, she actually marked the policy as paid in full. It took a while to get that straightened out and at first, we were treated like potential accomplices.

    22. Re:People with too much time on their hands by Talahaski · · Score: 1

      Fault of the Hotel, Credit Card information should NOT be accessible to ANY staff member after the initial swipe into the computer system. Get some software that immediately encrypts the credit card information at check-in and does not allow anybody to view the unencrypted information after that.

    23. Re:People with too much time on their hands by arkane1234 · · Score: 1

      Which would go onto your card.. you know, the one held for potential damages...

      --
      -- This space for lease, low setup fee, inquire within!
    24. Re:People with too much time on their hands by arkane1234 · · Score: 1

      if an employee doesn't take your payment, who will?
      I mean, even when I make a payment for a hotel through Expedia, hotels always want a credit card or they won't allow entry into the room. You're basically forced to do something stupid for the sake of the business owner...

      --
      -- This space for lease, low setup fee, inquire within!
    25. Re:People with too much time on their hands by MikeBabcock · · Score: 1

      I travel a lot, and frequently grit my teeth when I call a hotel I've stayed at before and confirm only my name before they ask if I'd like to use the same card I used before, then reserve the room for me on the stored card info.

      --
      - Michael T. Babcock (Yes, I blog)
    26. Re:People with too much time on their hands by MikeBabcock · · Score: 1

      I keep a low-credit limit card from a large bank just for this purpose. I make various online purchases with it and use it for proof of solvency for reserving a room at a hotel or such, but never make a purchase over about $50 with it. It's very very easy to spot any fraud on the bill at the end of the month, and very easy to call and explain and have the charges removed. As a Canadian I can heartily recommend both Canadian Tire Credit and the Bank of Montreal Mastercards for being very quick and easy going about removing potentially fraudulent charges.

      In the case of CT Credit, they've even called me, checking to see if a purchase made with my card was fraudulent because it deviated from my usual purchase habits. It turns out it was not. I might add, they were also very professional about card security; something to the effect of "This is at Canadian Tire Credit. We'd like to discuss a security issue with your credit card. Could you please call me back at the toll-free number on the back of your credit card, and enter my extension, 5555 to continue the call."

      After proving to me that I was in fact speaking with the company in question, they verified my identity and we completed the discussion quickly, but I must say I was impressed with the basic professionalism.

      --
      - Michael T. Babcock (Yes, I blog)
    27. Re:People with too much time on their hands by gotpoetry · · Score: 1

      My bank sends me a text message whenever a transaction over a certain amount is processed on any account I choose, including my CC account. I rarely make purchases over $150.00, so for me setting it at that level is a great way of getting warning that something is up. This works great for ACH scams as well.

    28. Re:People with too much time on their hands by radish · · Score: 2, Insightful

      Just because the hotel needs a credit card from me doesn't mean the guy behind reception needs to see the data. Simply put a swipe machine on the customer side of the desk, and don't show anything other than "OK"/"NOT OK" to the employee. If Best Buy can manage it anyone can :)

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    29. Re:People with too much time on their hands by radish · · Score: 1

      The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards

      But the amount of the loss is 100% vs 0%. I simply don't understand carrying anything other than trivial amounts of cash - why take the (small, but non-zero) risk of loss? Why deal with the inconvenience of running out at an inopportune moment? Sure I'm trading away some degree of privacy, and if that's an issue for you then fine. It's not for me.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    30. Re:People with too much time on their hands by guruevi · · Score: 1

      I've heard similar stories from Chase so they might not be as good with it. PNC Bank also seems hesitant sometimes (will wait for the vendor to explain) but in the end always delivers. I have very good experiences with BoA (world platinum cards - immediately taking charges off the account, not charging interest while investigating), HSBC (commercial accounts) and local credit unions.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    31. Re:People with too much time on their hands by Reece400 · · Score: 1

      I expect it wasn't that employee's actions, but when they were later accused of being the scammers by management or whomever. Blaming the customer shouldn't be the first response.

    32. Re:People with too much time on their hands by JWSmythe · · Score: 1

      I've found cash works a lot better for gray market purchases too. :)

      --
      Serious? Seriousness is well above my pay grade.
    33. Re:People with too much time on their hands by Ritchie70 · · Score: 1

      There are in fact Federal laws about that - look here: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm - but even if there weren't, there are many state laws, and there are network rules about it too, which you clearly know.

      A merchant cannot show more than the last 5 digits of the card number or the expiration date on the receipt.

      If you encounter a merchant in violation you can complain to the FTC.

      I made a bunch of changes to a POS system 7 to 8 years ago to start accepting credit cards. Our data structure only even has room for the last 4 characters of the card. (It also has room for the expiration date, which it does retain, but it was later changed to not ever print it on the customer copy. I think we may print it on the (rare) merchant copy to be in compliance with one of the network's requirements.)

      --
      The preferred solution is to not have a problem.
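
The receipt rule discussed in the comments above (no full card number and no expiration date on a printed receipt or check-out form) can be checked mechanically before a document is printed or filed. The following is an added example, not code from the thread or from any poster's POS system: the function names, the `keep` limit of 5 taken from the comment above, and the sample folio are assumptions made for illustration, and the card numbers are publicly documented test numbers.

```python
import re

# Candidate card number: 13-19 digits, optionally grouped by single spaces
# or dashes. Limitation: another number printed directly before the card
# number with only a space between them merges into one candidate.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Expiry as typically printed: "EXP 09/12", "Exp. date: 09/2012", "Expires 9/12".
EXP_RE = re.compile(
    r"(?i)(\bexp(?:iry|ires)?\.?\s*(?:date)?\s*:?\s*)\d{1,2}\s*/\s*\d{2,4}"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from folio or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(text: str, keep: int) -> str:
    """Replace every digit except the last `keep` with '*', keeping separators."""
    total = sum(c.isdigit() for c in text)
    out, seen = [], 0
    for c in text:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def scrub_line(line: str, keep: int = 4):
    """Return (cleaned_line, kinds) where kinds lists what was found."""
    if not 0 <= keep <= 5:      # assumed limit: at most the last 5 digits
        raise ValueError("keep must be between 0 and 5")
    kinds = []

    def pan_sub(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number, leave untouched
        kinds.append("full_pan")
        return _mask(m.group(), keep)

    def exp_sub(m):
        kinds.append("expiry")
        return m.group(1) + "**/**"

    line = PAN_RE.sub(pan_sub, line)
    line = EXP_RE.sub(exp_sub, line)
    return line, kinds


def audit_receipt(text: str, keep: int = 4):
    """Scan a receipt; return (cleaned_text, [(line_no, kind), ...])."""
    clean, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new, kinds = scrub_line(line, keep)
        clean.append(new)
        findings.extend((no, k) for k in kinds)
    return "\n".join(clean), findings


# Constructed sample: an express check-out form of the kind slid under a door.
SAMPLE_FOLIO = """\
EXPRESS CHECK-OUT   ROOM 214
GUEST: J. SAMPLE
FOLIO NO 1234567890123456
VISA 4111 1111 1111 1111  EXP 09/12
ROOM CHARGE          89.00
CARD ON FILE ************4444
"""

if __name__ == "__main__":
    cleaned, found = audit_receipt(SAMPLE_FOLIO)
    for line_no, kind in found:
        print(f"line {line_no}: {kind}")
    print(cleaned)
```

Findings carry only a line number and a kind, so the audit output itself never repeats the card data it flags.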
    34. Re:People with too much time on their hands by rtb61 · · Score: 1

      Let's be fair. You take people, pay them minimum wage, a wage that provides for no future with the claim that they deserve it for not trying hard enough whilst simultaneously claiming that they must fawn and bend over backwards to serve the slightest whim of whiny pretentious customers, that sort of psychological stress will result in poor behaviour.

      It would be interesting to see if this tendency is global or whether its frequency closely aligns with the paltriness of the salary and the attitude of customers ie. treat people poorly and they will behave poorly. I have worked in that annoying and offensive industry and I can assure there is nothing more irritating than working hard all day while everyone around you is eating drinking and making merry and you are not, in fact I can distinctly remember working from 10 o'clock in the morning till two o'clock the next morning with only one break for a meal upon a regular basis. Having the intellectual ability to move on, never took away my empathy for those who lacked the same ability to do so. So petty pilfering from those who treat underpaid waiters et al like peons, hmm.

      --
      Chaos - everything, everywhere, everywhen
    35. Re:People with too much time on their hands by CaptainNerdCave · · Score: 1

      True! As an overnight front desk employee of a well-known, international hotel brand, I have access to a HUGE supply of credit/debit card numbers (often the actual physical card), and most of the customers' personal information. Add some malicious intent, and the whole scene becomes very ugly for everyone else very quickly.

    36. Re:People with too much time on their hands by hab136 · · Score: 1

      So, you're able to hand in expenses using your personal card? (which contradicts the part about your company insisting on a corporate AMEX) Or you just don't get reimbursed?

      At my old company, your choices were comply with the requirements, don't get reimbursed, or leave the company (voluntarily or not). With dozens of thousands of people, they just didn't care about your personal feelings on third party vendors.

    37. Re:People with too much time on their hands by mrchaotica · · Score: 1

      My mother knowing this had to be a mistake as she had a similar receipt for $400 in cash called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

      Your mother called who? The hotel, or the credit card company? You'll almost always have better results (and fewer accusations of lying) with the latter...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. I read the article by tepples · · Score: 4, Informative

    Based on the article, it appears to mean that 38 percent of the fraud across all merchants that take payment cards involves a hotel. So the "hotel industry" is responsible for 38 percent of payment card fraud in "industry" in general.

    1. Re:I read the article by Hijacked+Public · · Score: 3, Insightful

      That is an inversion of purposes, between the headline and the article.

      The Slashdot editors have dug down past simpleton level grammar and emerged not at the bottom of the scale, but somehow at the top, and turned the industry on its ear.

      Which industry? I have no idea.

      --
      "Sacrifice for the good of The State" - The State
    2. Re:I read the article by Anonymous Coward · · Score: 0

      I was thinking about the card theft industry myself.

    3. Re:I read the article by Anonymous Coward · · Score: 0

      I wish I had mod points... this is clever enough it deserves a +5.

  4. QSL by Anonymous Coward · · Score: 0

    This would be avoidable except the fuckers require a credit card to get a room.

    Still waiting for the liability laws to reflect the part poor security of issuers play in this, and distribute liability accordingly.

  5. Not surprising... by duplicate-nickname · · Score: 4, Informative

    I recently had a hotel leave one of those quick check-out forms partially slid under my door. The problem was that it had my credit card information printed on it. It would have been quite easy to walk down the hall and grab a dozen names, credit card numbers and expiration dates. On top of that, who knows what happens to the forms once you sign them as I highly doubt they go through a shredder.

    1. Re:Not surprising... by v1 · · Score: 1

      I highly doubt they go through a shredder.

      Paranoid as I tend to be, I would hope most of them would. Dumpster diving at a hotel would seem like an otherwise excellent way to dig up some fraud otherwise. If not just for the hotel staff then for the patrons. Makes one wonder just how much sensitive information gets casually tossed in the hotel room trash can by the average guest? I can't say that I've EVER seen a shredder next to the bible and alarm clock before.

      --
      I work for the Department of Redundancy Department.
    2. Re:Not surprising... by mcgrew · · Score: 1

      Technology is supposed to solve problems, but often creates problems. Back before computers and the internet when a CC transaction involved simply a pre-printed form with carbon paper and the card's embossed name/number, these security problems were very rare. But technology isn't the problem here, it's merchants who treat the new technology like it was identical to the old technology, and governments who fail to keep regulation up to date being aware of how new technology can create new problems. Merchants are lax with security because there's no reason not to be. If the law said if their security was breached and you were harmed, you could collect three times damages, this crap would be rare.

    3. Re:Not surprising... by helix2301 · · Score: 1

      I have noticed that about the quick check-out forms. I have also had an issue where someone else's room was charged to my CC. I have also had a situation where I give them the new card or a different card and they charge the one that's on file.

    4. Re:Not surprising... by Anonymous Coward · · Score: 0

      Clear violation of credit card data standards. Report them: http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

    5. Re:Not surprising... by oldspewey · · Score: 1

      carbon paper and the card's embossed name/number, these security problems were very rare

      Rare, but not unheard of.

      I know of somebody who had a fraudulent transaction applied against their credit card, and after investigating the police determined that some fraudster must have gone dumpster diving for discarded carbon slips, and copied the information/signature from there.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    6. Re:Not surprising... by sconeu · · Score: 2, Funny

      They don't. I'll name names.

      I was at the Doubletree in Crystal City, VA (just outside DC). I used the "Print from your room" facility.

      My printout was on the BACK of printouts that included names, addresses, and phone numbers (no CC's though). I told the front desk that they might want to look into their paper recycling policy...

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    7. Re:Not surprising... by rjstanford · · Score: 1

      Merchants are lax with security because there's no reason not to be.

      Not exactly the case... a merchant found to be in breach of their PCI standards (which you agree to when you set up a gateway account) can have their charge privileges suspended or denied. And a hotel who couldn't process Visa/MC/Amex/Disc cards wouldn't last very long at all. You can argue that there should be more spot-checks, but PCI auditing is already a very expensive process, especially for smaller companies (you can easily spend $50K+ on an audit at PCI level one).

      --
      You're special forces then? That's great! I just love your olympics!
    8. Re:Not surprising... by MikeBabcock · · Score: 1

      While a horrible practice, this is why the security code is printed on the back of the card and not included in normal credit card number print-outs.

      The security code should be required for any payment, but is never displayed for security reasons.

      --
      - Michael T. Babcock (Yes, I blog)
    9. Re:Not surprising... by Ritchie70 · · Score: 1

      And some here will no doubt remember when those carbon forms went from having a single piece of carbon paper to a piece that was perforated half-way through where the card number would hit. Half the carbon would go in the garbage, the other half stayed with the merchant copy if I remember correctly.

      --
      The preferred solution is to not have a problem.
    10. Re:Not surprising... by sjames · · Score: 1

      All of this because banks REFUSE to implement simple and effective security procedures using smart cards even though the technology to do so has been easily available for decades now.

    11. Re:Not surprising... by mcgrew · · Score: 1

      They have no incentive to do so. If they had to pay through the nose for data breaches, you can bet that they would implement those technologies.

    12. Re:Not surprising... by sjames · · Score: 1

      I'm sure they would. But that means it's not a failure of technology, it's a failure of businessmen to do the right thing.

      As you say, as long as they are allowed to externalize the costs of their repeated failures, they will continue.

  6. WIFI by ZaSz-RH · · Score: 0, Redundant

    Unprotected WIFI with default-passworded routers?

  7. they can also clone your card to a room key as wel by Joe+The+Dragon · · Score: 2, Interesting

    They can also clone your card to a room key as well if they want to; I don't think they do that by default any more.

  8. Why do merchants need to retain CC info? by JSBiff · · Score: 4, Insightful

    Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

    This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?

    If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).

    1. Re:Why do merchants need to retain CC info? by Anonymous Coward · · Score: 1, Interesting

      I think with hotels the issue is less of a refund than it is an extra charge. Let's say someone checks out at 10am and leaves town. The cleaning staff get to the room at 11:30 to find that anything not nailed down was taken (carried out a side door at 2am) and the room completely trashed. Hotels keep those numbers to protect themselves without putting a reserve of $1,000 on your card for a one-night stay in a two-star hotel.

      I can't think of any reason for other merchants to keep your data beyond the point of sale.

    2. Re:Why do merchants need to retain CC info? by delinear · · Score: 1

      So if I check out at 10am, some guy comes in and trashes the place, steals everything not nailed down and bails, the hotel are going to automatically charge my credit card and let me sort out the fallout? Surely a better system would be for them to, I don't know, check my room as I leave. When I get a hire car they always check over the vehicle with me when I hand the keys back, they don't leave it a few hours and if someone clips it with their 4x4 on the way out of the car park, just charge my credit card. Of course, such a system would require hotels to have plenty of staff available, which means they'd have to make less profit. Much better to shift all the responsibility onto the customer.

    3. Re:Why do merchants need to retain CC info? by Anonymous Coward · · Score: 0

      So if I check out at 10am, some guy comes in and trashes the place, steals everything not nailed down and bails, the hotel are going to automatically charge my credit card and let me sort out the fallout? Surely a better system would be for them to, I don't know, check my room as I leave.

      Yes, that would definitely be a better system, but the scenario you describe is not very likely. You lock the door when you leave, and it stays locked until the room is re-made by the cleaning person. How often does someone break into a hotel room just to vandalize it?

      When I get a hire car they always check over the vehicle with me when I hand the keys back, they don't leave it a few hours and if someone clips it with their 4x4 on the way out of the car park, just charge my credit card.

      Except they do retain your CC info, and may still charge you if they "discover" additional damage after the "inspection." Beware.

    4. Re:Why do merchants need to retain CC info? by MobyDisk · · Score: 1

      Hotels might have a valid reason. Other merchants do not. They can refund charges without having the number. This is another case where I think we have to resort to legislation making it illegal to retain credit card numbers. It's stupid on so many levels though.

      1. The merchant shouldn't retain the credit card number (it is in their own best interest NOT to, since they are liable for the resulting fraud).
      2. The credit card company shouldn't let the store retain the credit card information (fraud costs them money, PR, and customers).
      3. The credit card company shouldn't even issue credit card numbers - there are far better ways to do it than having one magical number that gives anyone access to your account.
      4. Credit cards shouldn't have personal information on them anyway.

      The credit card system is wrong on so many levels it is just silly.

    5. Re:Why do merchants need to retain CC info? by rjstanford · · Score: 1

      With a decent gateway you don't even have to do that. You take your gateway credentials and the credit card information, and use them to create a unique storable key. The only thing you can do with that key is to move money between that one particular CC and your gateway account (refund, add'l charge, etc). Technically someone could steal it and either issue refunds or make additional charges, but they generally wouldn't because there's no incentive for them to do so. Far safer (and more PCI compliant) than retaining the CC number itself.

      --
      You're special forces then? That's great! I just love your olympics!
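
The gateway-token arrangement described in the comment above, sketched as an added example (not code from the thread or from any real gateway): `ToyGateway` and its methods are a hypothetical in-memory stand-in, the token is a random value rather than one derived from the card, and the card number is the standard test number.

```python
import hmac
import secrets


class ToyGateway:
    """Hypothetical in-memory stand-in for a payment gateway's token vault."""

    def __init__(self):
        self._merchant_keys = {}  # merchant_id -> API secret
        self._vault = {}          # token -> (merchant_id, pan, expiry)
        self.ledger = []          # (merchant_id, last4, signed cents)

    def enroll_merchant(self, merchant_id):
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def _authenticate(self, merchant_id, api_key):
        expected = self._merchant_keys.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            raise PermissionError("unknown merchant or bad credentials")

    def tokenize(self, merchant_id, api_key, pan, expiry):
        """Swap the card number for a token bound to this one merchant."""
        self._authenticate(merchant_id, api_key)
        token = "tok_" + secrets.token_urlsafe(24)  # random, reveals nothing
        self._vault[token] = (merchant_id, pan, expiry)
        return token, pan[-4:]

    def move_money(self, merchant_id, api_key, token, cents):
        """Positive cents = additional charge, negative cents = refund."""
        self._authenticate(merchant_id, api_key)
        entry = self._vault.get(token)
        # The token only works for the merchant account it was issued to.
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        self.ledger.append((merchant_id, entry[1][-4:], cents))
        return len(self.ledger)


def demo():
    gw = ToyGateway()
    hotel_key = gw.enroll_merchant("hotel-001")
    other_key = gw.enroll_merchant("shop-999")

    pan = "4111111111111111"  # constructed input: standard test card number
    token, last4 = gw.tokenize("hotel-001", hotel_key, pan, "12/30")

    # This record is all the hotel keeps after check-in: no card number.
    folio = {"guest": "Constructed Guest", "token": token, "last4": last4}

    gw.move_money("hotel-001", hotel_key, folio["token"], 15000)  # late charge
    gw.move_money("hotel-001", hotel_key, folio["token"], -5000)  # refund

    # A copy of the folio is useless under any other merchant account.
    try:
        gw.move_money("shop-999", other_key, folio["token"], 99900)
        stolen_rejected = False
    except PermissionError:
        stolen_rejected = True

    return {
        "folio": folio,
        "pan_in_folio": any(pan in str(v) for v in folio.values()),
        "ledger": gw.ledger,
        "stolen_token_rejected": stolen_rejected,
    }


if __name__ == "__main__":
    print(demo())
```
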
    6. Re:Why do merchants need to retain CC info? by billtom · · Score: 1

      It's my understanding that the CC companies are moving towards what you are talking about (store transaction tokens, not CC details). But the CC companies are very reluctant to really push all the merchants to upgrade their systems.

      The merchants, of course, don't want to spend any money updating their systems. And the CC companies can't afford to simply cut off large numbers of merchants that won't upgrade or comply to guidelines.

    7. Re:Why do merchants need to retain CC info? by mounthood · · Score: 2, Insightful

      If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.

      They used to call it Fraud and it was the banks' problem. Now they call it Identity Theft and it's your problem.

      --
      tomorrow who's gonna fuss
    8. Re:Why do merchants need to retain CC info? by mybecq · · Score: 1

      If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

      The fact that VISA/Mastercard/etc (or by proxy, most payment processors) provide no way to do that.

      Why do they need to retain the info?

      When the customer inquires about a charge, they don't/can't/won't have a transaction identifier. There is no transaction identifier issued by a card provider, just an approval and authorization code.

    9. Re:Why do merchants need to retain CC info? by Anonymous Coward · · Score: 0

      Also with restaurants, if you leave a tip using a credit card, they keep the transaction open so they can charge the tip ("amend the charge", if you will) so the info is kept at least until then.

  9. Re:they can also clone your card to a room key as by Anonymous Coward · · Score: 5, Informative

    Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

  10. ...and outright fraud by Just+Some+Guy · · Score: 5, Interesting

    I recently stayed at a cheap chain motel while traveling for a softball tournament. They had a sign posted (in the disused lavatory, etc.) along the lines of:

    Theft is a problem. We have a safe in your room. If you use it and someone steals your stuff, we'll insure you up to $10,000. For your convenience, a $1.50 charge will be added to your bill for the rental of the safe. If you don't want to pay the charge, let us know and we'll remove it.

    (Part in bold is as verbatim as my memory allows.)

    When I checked out the next morning, I asked the clerk to remove the $1.50 fee. She kind of huffed, spent the next 5 minutes messing around with the computer, then gave me a receipt for the correct amount that I expected to pay. Two days later, I noticed that my online statement was off $1.50+tax. Sure enough, they'd charged me anyway. When I called them to say that I wanted it fixed - yes, I am that stubborn and nitpicky - they assured me that this never happens and they were so sorry.

    As cheap as the motel was, that was an extra 3% or so in automatic free revenue. If they're operating at a 10% profit margin, that's about a 66% increase in actual profit. How many times do people look that closely at their credit card bills? I'd be willing to bet that 99 times out of 100, people see that the charge was correct to the nearest $10 and don't check it to the penny, or they figure it's not worthwhile and don't follow up on it.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:...and outright fraud by Anonymous Coward · · Score: 0

      I was one of those people who said the value looks about right; then I discovered jGnash (open source accounting software) and started tracking how I am spending money. Aside from being a good way to save money, it wants me to reconcile my accounts. I do that against credit card and bank statements, and verify everything is correct.

      (Note, there are other open source options as well, jGnash does have a few picky details I don't care for)

    2. Re:...and outright fraud by tkohler · · Score: 3, Interesting

      One time I was staying at a not-so-cheap hotel in upstate UK. The hotel offered a choice of breakfasts: Continental or Full, with about a US$10 price difference. Each day I chose a breakfast, changing based on mood and hunger, about splitting the choices evenly through my 5 day stay. (I was attending a conference at the same hotel) The waiter took my selection and room number each day. Upon checkout, I found they had charged me (and everyone else) for the Full breakfast every day. I asked them why and they said they assumed that everyone would choose the "much better breakfast" and made that selection for them "as a convenience". I then asked why the waiter bothered to ask the choice if they were going to only charge one price. The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

    3. Re:...and outright fraud by Just+Some+Guy · · Score: 1

      I used KMyMoney for quite a while before going with a checkbook program on my iPod. It's always with me and I've gotten in the habit of entering transactions as I'm standing at a store checkout and waiting for my transaction to be approved.

      PS: Why, oh why, can't someone write an iPhone checkbook app that understands the conception of reconciliation as a batch transaction?

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:...and outright fraud by Just+Some+Guy · · Score: 1

      The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

      I worked the night shift at a reasonably nice motel when I was in college so that I could study during all the down-time. Although the management had their own set of annoyances like overcharging for every little thing, they were scrupulously honest. For example, the phones had the ridiculous rates printed on the face around the buttons so you could easily see the prices, and part of my night audit job was to compare the phone system's logs with the room charges. If I found that we'd accidentally overcharged someone, we'd refund it even after they'd already checked out and gone home.

      I think that's why it always especially pisses me off when motels are dishonest. The place I worked for had a good reputation and a lot of repeat business, and I'm naive enough to expect that other companies want the same.

      --
      Dewey, what part of this looks like authorities should be involved?
  11. Thank you by tpstigers · · Score: 2, Insightful

    I'd just like to thank the author for not using the ridiculous term 'identity theft'.

    1. Re:Thank you by Sulphur · · Score: 1

      Does using your email name for spam qualify?

      --

      I was cold called by someone offering "indemnity theft."

  12. Re:they can also clone your card to a room key as by Anonymous Coward · · Score: 0

    They have never done that as default. Honestly, where do people get that idea?

  13. POS by Anonymous Coward · · Score: 0

    Things that are bad... POS machines on the same subnet as the Guest WLAN...

  14. Re:they can also clone your card to a room key as by JDmetro · · Score: 2, Insightful

    Wouldn't it just be easier to have some blank mag-stripe cards? One of the local computer stores sells them for $60 for a 25 pack.

  15. wonder if it includes the social engineering side by cybrthng · · Score: 4, Interesting

    Hackers often target hotel pbx systems to call rooms and "confirm" credit cards with people staying there.. It's one of those big issues you never hear about until someone is caught and it's easily done since 99% of the hotel rooms don't offer any caller-id functionality. So if you get a call while in a room to confirm your credit card, just ask to go downstairs and confirm at desk.

  16. My college advisor told us about this years ago by moller · · Score: 1

    Although it was about traveling outside the country.

    He was teaching the Networking course, and during a brief section on security and encryption he mentioned how he had recently been traveling (he wouldn't say where, but he was born in India) and stayed at a five-star hotel while he was out of the country. He then pointed out how he had requested a new/temporary credit card from his bank for the trip, which he only used to pay for the hotel, and he canceled the card as soon as he was back in the US.

    By the time he had gotten back to the states, the card had already been stolen/compromised.

  17. Wardriving by CODiNE · · Score: 3, Interesting

    I remember years ago I drove around a little with my laptop on the passenger seat recording the SSIDs I'd passed. Always fun to see how people name things. One that stood out was a Pik N Save or something... they strangely had a Wifi setup but the name was:

    PIKSAVPOS

    Yeah, their Point of Sales network was unencrypted and accessible throughout the huge parking lot and onto the main road.

    Nice.

    Perhaps the hotels used the same contractor. Very cheap and fast setup, works great.

    --
    Cwm, fjord-bank glyphs vext quiz
    1. Re:Wardriving by pandrijeczko · · Score: 1

      Just one observation...

      Of course an unencrypted WLAN is a *VERY BAD* idea but just because the WLAN isn't encrypted doesn't mean you'll be able to sniff anything on it if all the transmissions on it go over SSL or some other encryption method.

      Personally, I'd hope that anything involving a credit card transaction anywhere goes over SSL by default.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:Wardriving by CODiNE · · Score: 1

      That's true but anyone could sit in the parking lot and record everything going over that wire for months. Or hide a little sniffer box under a bush somewhere and record all year long. It was probably around 2000 that this happened so I'm gonna guess they weren't using RC4 or anything like that. Eventually you could brute force it with so many samples.

      Shoot in those days I opened up my laptop at work, it automatically joined the open wireless there and my boss screamed that I'd "Hacked" into the network. People seriously did not understand how far their wireless was reaching back then, and the thought was "We'd see anyone sitting around with a laptop acting suspicious". Now with smartphones people aren't quite so retarded.

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:Wardriving by pandrijeczko · · Score: 1

      Oh, don't get me wrong - just because the connection is encrypted does not mean that you can't just hop onto the WLAN, hack a user account on a server somewhere and pull unencrypted credit card information from the server itself!

      --
      Gentoo Linux - another day, another USE flag.
    4. Re:Wardriving by PTBarnum · · Score: 1

      Wait, you had your laptop configured to automatically join any available open wireless network? And you are worrying about other people's security practices?

    5. Re:Wardriving by CODiNE · · Score: 1

      I don't have any services on, and that was 10 years ago.

      --
      Cwm, fjord-bank glyphs vext quiz
    6. Re:Wardriving by kent_eh · · Score: 3, Interesting

      Now with smartphones people aren't quite so retarded.

      Ummm... We found one of the office girls plugged in her little Apple Air-Port Express to the LAN under her desk, so she could use the WLAN on her iPhone at her desk.
      When she was confronted, she couldn't comprehend why it was a bad thing she was doing.
      Fortunately the policy (which we thoughtfully presented her with a paper copy of) clearly states that allowing strangers onto the company LAN can be a firing offense.
      That she understood (if not why).

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    7. Re:Wardriving by Anonymous Coward · · Score: 0

      fuck you and fuck your policy.

  18. And then what? by Anonymous Coward · · Score: 0

    So you have all these names and numbers. Then what? As far as I know, online stores only ship to the address on the card. I.e. not where you live.

    I fail to see how you could benefit from having just these numbers and not also having control over the residence of the card owner. Care to enlighten me?

    1. Re:And then what? by Convector · · Score: 1

      Many places let you specify a shipping address that's different from a billing address. For example, I've ordered items off Amazon and had them sent directly to the intended recipients. I've had whole batches of Christmas presents shipped to my in-laws' house where we would be spending the holidays, since there seemed no point in having everything come to my house and then haul it all cross-country on a plane.

    2. Re:And then what? by izomiac · · Score: 1

      Care to enlighten me?

      • Online goods and services don't need to be shipped.
      • Virtually all companies I've done business with ask for a billing address and a shipping address.
      • AFAIK, that's all the information you need to make a passable clone of the card.

      It doesn't seem very logical to get stuff shipped to your house that you bought with a stolen credit card. I mean, chances are that you'll have police knocking at your door before the package even arrives.

    3. Re:And then what? by david+duncan+scott · · Score: 1

      Vacant apartment. At least, that's how it was done when somebody spent $500 of my rent money on electronics. With rapid shipping, overly-relaxed merchants ("It's OK--your bank will take care of it.") and overburdened police, even though I caught the problem the morning after it happened the package was still successfully delivered to a vacant apartment in New York, and duly signed for (God knows what name they used.)

      --

      This next song is very sad. Please clap along. -- Robin Zander

  19. No punishment for the crooks anyhow? by wealthychef · · Score: 1

    Do the credit card companies care yet? When my friend's identity was stolen a few years back, they had no interest in finding and prosecuting those responsible, even when he did the research and found them. It was cheaper for them to just pay him off and forget about it. So if it's a no-risk crime, then it doesn't matter which industry leads the ... uh... industry. I'd prefer to see how many such crimes are solved and prosecuted successfully.

    --
    Currently hooked on AMP
    1. Re:No punishment for the crooks anyhow? by pandrijeczko · · Score: 1

      Unfortunately, you've highlighted the major problem with business today.

      No business nowadays is ever interested in striving towards ensuring every customer gets the best possible service from them, they just puff their chests out and crow when they achieve a particular statistical level of performance.

      "95% of calls to us are answered within 10 seconds" - the 5% of callers who were cut off or who were sat listening to ringing tone for 10 minutes do not matter.

      "Acme Disinfectant kills 99.9% of all germs" - so if you get food poisoning it's because of the 0.1% of germs that it left behind.

      Credit card companies are no different - they predict they will have a maximum of a certain amount of fraud over a year and as long as it stays under that level, they can be sure the honest customers are covering the cost of it in their interest charges.

      That's the problem with American-style management that has plagued our modern world - as long as the various management levels have some nicely coloured pie-charts to pass between themselves then they can justify their jobs and bonuses.

      Sad but true.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:No punishment for the crooks anyhow? by Eskarel · · Score: 1

      Come on. That's totally pathetic.

      To try and make a point about people evaluating the cost of particular actions(like prosecuting credit card fraud) and occasionally choosing an option which is cheaper for them but worse for everyone else, which is bad, and then try to compare it to companies being realistic about their ability to deliver. Then you throw in a dig towards the US.

      You can't ever guarantee 100% of anything. No matter how many people you employ in your call center there's always a call rate which will overwhelm it. No matter how good a disinfectant is it won't kill 100% of germs. Companies who try to achieve impossible goals(100% is impossible, you probably couldn't even promise that 100% of calls wouldn't be answered) go out of business and no one wins.

      I'm not arguing that the way credit card companies deal with fraud is bad for everyone, including over the long term the credit card companies, but the rest of your examples don't match that behavior, nor is this behavior specifically American. Lord knows there are problems with US business practices, but given that credit cards(and for that matter a lot of banking) is a risk vs rewards analysis business, you can't really be surprised that banks all over the world do the same thing. The nature of their work makes them see things this way.

    3. Re:No punishment for the crooks anyhow? by wealthychef · · Score: 1

      It's not the nature of their work that makes them see it this way, it's the lack of responsibility for their impact on me. They should have to pay a heavy financial penalty when identity theft occurs, if all they care about is money. Then they will take action. The penalty should be automatic and paid to me personally since they are negligent in their security practices.

      --
      Currently hooked on AMP
    4. Re:No punishment for the crooks anyhow? by Anonymous Coward · · Score: 0

      Some time, for interest's sake, locate yourself in a position of serving customers.
      You can not satisfy 100% of your customers. Sometimes customers are malcontents interested in wasting time or attracting attention or are simply cranks, and at some point need to be cut off. If a customer needs so much extra work done for his special need, that it would require great expenditure on your part, you can freely tell that customer to pay extra or to go forth and find someone else to satisfy his needs.

  20. I worked night audit... by ch_rob · · Score: 1

    ...granted many years ago. But at that time, at check in, we took an imprint of the CC info, got an authorization for the expected amount of the stay. Then after check out, the imprinted forms were updated with the actual amount of the bill and signed (if the guest came to the desk), and left for the night audit crew.

    The night auditors would go through the thousand or so CC slips, and using CC software on a PC, pull up the authorization by CC Number and enter the final amount.

    Anyway... long story longer... we had access to many, many credit card numbers every night.

    At least at our hotels, the early check out forms left under the guests' door did not contain CC info.

  21. My experience in Geneva . . . by PolygamousRanchKid+ · · Score: 1

    I had a business trip there about 15 years ago. About a year later, I got a snail mail birthday card greeting from the hotel. I thought that it was kind of cute, and mentioned it to another colleague who often traveled to Geneva at that time. He is a security weenie, and told me:

    Just think what will happen when the hotel retires their PC, and gives it to a child of one of the employees, without scrubbing the disk.

    There goes your name, credit card number, and birthday info . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  22. Re:they can also clone your card to a room key as by Tool+Man · · Score: 2, Informative

    Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

    They don't need to create new, valid-looking cards on-site. Besides, all the fun stuff is replicated in tracks 1 and 2.

    The room-key card system could provide a means of swiping (hah!) customer credit cards that doesn't require the same level of auditing that the actual payment systems should have. That could give them an easy way to grab the data for later.

  23. screw by Anonymous Coward · · Score: 0

    That's what happens when you have a cheap owner and you're not PCI compliant....(Thanks Miracle Springs Resort).

  24. Analog or digital? by sootman · · Score: 1

    There are two ways to steal credit card numbers: getting them from a computer system of some kind (up to and including things like putting a stripe reader on the front of an ATM) and the old-fashioned way of a clerk or waiter or whoever just looking at a card and copying the numbers. Does anyone know of any data showing which is more common?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  25. No Credit Card, No Stay by Anonymous Coward · · Score: 0

    There are almost no hotels that let you stay without a credit card, so it makes them a prime target as every transaction has to have a credit card, even if in the end you use cash to pay for the stay. I feel sorry for the portion of the public that refuses to use plastic, and only uses cash. I realized this early on in college when I had to stay in my car since no hotels would accept cold hard cash.

  26. My experiences with this by Anonymous Coward · · Score: 0

    I used to do IT for a large luxury resort, and this was one of the things that was always on my mind. They had an extremely expensive, quirky, and bug laden PMS (Property Management System). It did everything on the resort grounds from scheduling on the golf course to restaurant outlets (pos) to guest reservations. Once I started digging into it I realized that it had ~7 years worth of all of our customers' data- credit card numbers etc etc. I wanted to archive all of that data in a safe (or destroy it) but in order to do so we would have had to spend way more $ than we had in the budget to upgrade to the latest version of the PMS with a new, clean database. (Parts of it were largely remotely administered, since the majority of the important parts of the software were password protected by a code that changed every 15 minutes, and they routinely changed the algorithm that produced the code.)

    All of that information could have fit on a DVD several times over (just an SQL DB). I am used to being in positions of responsibility, but to me this was a huge disaster waiting to happen, and it brought clarity to my opinions into just how important it is to have an IT person with high moral standards. Nevertheless, all it takes is one unscrupulous person anywhere in the loop to cause massive trouble to others at very little effort on their part.

    I recommend that you only pay cash, for everything, if at all possible. I mean, if that data from the resort would have gotten lifted by someone that sold the information, no one is going to have a clue that their information was obtained from their stay at a random resort some 6 years ago.

    1. Re:My experiences with this by Anonymous Coward · · Score: 0

      I worked IT at a large conference center. Our database was one huge Access file (it was an awful mess).

      In order to see every guest ever's name, address, cc info, expiration date, and the RAW CC values on the magnetic strip, all a janitor had to do was know how to dump that section of the database while changing room clean statuses. We aren't talking trust in the IT side of things, but every single person in the company. When I brought this to the attention of the department responsible for the database I was told I shouldn't be poking around in places I don't belong.

  27. Re:they can also clone your card to a room key as by Anonymous Coward · · Score: 0

    Might as well just take a dump of the card, or several hundred thousand, and keep em on a thumb drive. Keep all the data, and replicate later at your leisure. (Same AC as before...I really need to register already.)

  28. Re:they can also clone your card to a room key as by oldspewey · · Score: 1

    Seems to me a blank magstripe card is a whole lot more suspicious than a room key card.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  29. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  30. Re:they can also clone your card to a room key as by commodore64_love · · Score: 1

    On television they showed how waitresses, clerks, and other staff snake-in a machine (looks like a cellphone) and swipe the card directly through it. They can compile about 100 numbers per day and then produce fake cards in their home basement. ----- I was a victim of this. I stayed in a Motel 6. About two months later some guy in California spent $3500. Seems obvious the girl behind the desk swiped the number off my card.

    >>>Wait...which industry? The hotel industry?

    "Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. - Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  31. Re:they can also clone your card to a room key as by Tool+Man · · Score: 1

    That said, I did read once that police were puzzled at one point when some people arrested were carrying large numbers of assorted gift cards for various retailers. It turns out that not only are they useful for laundering money, but many were over-written with stolen CC data.

  32. Which hotels exactly is what I'd like to know by ndru82 · · Score: 1

    I'm reading this story while sitting in limbo waiting for a replacement card to arrive, because my CC issuer recently called to say that my card had been flagged as "vulnerable". Of course the guy I'm talking to claims (and I believe him) to have no information about what exactly led them to believe that my card is as vulnerable as they think it is.

    So that got me thinking: wouldn't it be nice if I could know which vendor was responsible for the security breach? I'd definitely make it a point not to go back there, at least unless and until they demonstrated to me that they'd taken appropriate measures to reduce the likelihood of another breach happening. I've had probably half a dozen such reports from my cc company over the past five years. I always wondered what was up, because I kind of make a point of not using my card in a place that looks shady. But I do stay in a lot of hotels. So thanks to the originator of this story for helping me make sense of my experience.

    I'm sure there would be lots of problems with forcing CC issuers to disclose the name of the vendor when cancelling a card for security reasons. But I'd still like to have that information to guide my future choice of vendors! It would also apply some market pressure to have hotels, or whoever else, get their security acts together.

  33. This is what PA-DSS is about by ducomputergeek · · Score: 1

    We'll be working on a build of our open-source POS designed for hospitality starting in October and ready for release early next year. We've gone through the PA-DSS audit process and frankly, with today's payment systems, if your POS system is storing any cardholder data, you're doing it wrong. We offload that data to the CC processor and only store either a transaction ID that can be referenced later or a token of that card, not the card data itself.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    1. Re:This is what PA-DSS is about by Ritchie70 · · Score: 1

      Unless you're using POTS and modems for authorization, you're going to have some down time due to connectivity outages, due to the cheapo DSL your locations will probably have.

      During that time, it probably won't be acceptable to not accept credit cards, so what you do is accept it, save the card info, and hope it gets approved when connectivity returns. There's some risk to that method, but really, the vast majority of transactions get approved, so there isn't that much risk. And it's better than pissing off your customers. I know merchants who are willing to accept credit cards even when they absolutely know they will never see the money rather than piss off their customers.

      Now, if the connectivity is down due to the backhoe coming through, things get more interesting, because you're down for days or weeks. The cards you stored start expiring - about 1/36 of them - at the end of the month. So then your loss rate goes up.

      But, on the flip side, if you "tell" your acquirer/processor that it's a stored transaction, they can tell your customer's issuing bank that it's a stored transaction, and more of those will get approved - the issuing banks will be more lenient in their approvals. (I don't know the right term for this, I just know the AP "pushes harder.")

      And until connectivity comes back, all of that cardholder data is stored on a not-very-secure PC at the restaurant.

      Fun!

      --
      The preferred solution is to not have a problem.
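
A defender-side check for the point raised in comment 33 and its reply (an added example, not part of either poster's comment or of their POS software): scan stored records for full card numbers or raw magnetic-stripe track data, which a tokenizing system should never hold. The field names and sample rows are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts (ISO/IEC 7813): track 1 "%B<PAN>^", track 2 ";<PAN>=YYMM".
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_record(record: dict) -> list:
    """Return (field, kind) for every field holding track data or a full PAN."""
    findings = []
    for field, value in record.items():
        text = str(value)
        if TRACK_RE.search(text):
            findings.append((field, "track-data"))
            continue
        for m in PAN_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((field, "pan"))
                break
    return findings

# Constructed sample rows; 4111111111111111 is a widely used test number.
ROWS = [
    {"id": 1, "guest": "A. Example", "card_ref": "tok_7f3a9c", "last4": "1111"},
    {"id": 2, "guest": "B. Example", "notes": "card 4111 1111 1111 1111 exp 12/12"},
    {"id": 3, "guest": "C. Example", "swipe": ";4111111111111111=12121010000000000000?"},
    {"id": 4, "guest": "D. Example", "booking_no": "1234567890123456"},
]

def audit(rows):
    """Map record id -> findings, for records that hold cardholder data."""
    results = {r["id"]: scan_record(r) for r in rows}
    return {rid: found for rid, found in results.items() if found}

if __name__ == "__main__":
    for rid, found in audit(ROWS).items():
        print(rid, found)
```

Row 1 (token plus last four digits) and row 4 (a 16-digit booking number that fails the Luhn check) come back clean; rows 2 and 3 are the ones to purge or encrypt.
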
  34. One Time Password Credit Card Numbers by Doc+Ruby · · Score: 1

    The only time my credit card was robbed was by a hotel, in Paris. The FBI ignored me, the French police ignored me, my credit card company ignored me after they canceled the charge (without evidence). It's a "cost of doing business" to them, but my hours of time, long distance phone bills, and inconvenience are a cost to me. And to the next person that hotel robs, or the hotel down the street.

    It's obvious that credit cards should have one-time passwords for distribution. One password per transaction, assigned to a specific amount of money. The card's chip can keep a cache of them, to be read by merchant's machines or the owner's pocket display or USB.

    Why do I even have to give my card to some waiter while they run it through their machine? They should bring me a wireless terminal and get my one time password for the bill amount.

    And why can't I have a USB reader for submitting my one time password and billing info to a Web page, instead of having to retype it every time? How about connecting to my phone, so all I have to do to pay any bill is give a phone#, then say "OK" when the invoice message comes through, which sends back the one time password for that amount to that recipient?

    $TRILLIONS flow through these cards. As they have for decades, including two decades on the Web and a decade while we've carried smartphones. Why isn't this simple and basically foolproof yet?

    --
    make install -not war

  35. Low-tech management do not give a shit, really... by Anonymous Coward · · Score: 0

    This is not surprising at all.

    Nowadays CC info has to be stored in case of a no-show without cancellation or if the room is trashed.

    Hotels have to store credit card info also for a very long time because bookings can be done like months in advance. Online booking agents take a 10% deposit and pass on the CC info to hotels, after that it can even be printed on paper and filed somewhere else than in a safe. That info is hardly ever destroyed in real-time, perhaps once in a year. CC-info can be sent unencrypted via email. Both clients and management may not be aware of any problems existing...

    In general, most of the businesses operating in the industry are run by seriously low-tech people and here's the results.

  36. http://www.weddingdressesin.com by Wedding+dresses+now · · Score: 0

    One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.