Slashdot Mirror


Hotels Lead the Industry In Credit Card Theft

katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."

27 of 135 comments

  1. Re:Wait...what? by Voulnet · · Score: 4, Funny

    Pedantry. One of the disadvantages of living with a nerd.

  2. People with too much time on their hands by Tisha_AH · · Score: 4, Insightful

    What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

    --
    Tisha Hayes
    1. Re:People with too much time on their hands by garcia · · Score: 4, Informative

      We have been vacationing on Hilton Head Island for over 20 years. Back in the late 1980s/early 1990s we were ripped off in a hotel employee scam. My mother would always pay in cash. Four crisp 100 dollar bills were laid on the counter and slid across to the staffer behind for our week long stay in paradise (we always found it hilarious that it was 1/6th as expensive as a shitty two bed hotel room on the Jersey shore). This year, however, the clerk requested that we put down a credit card to cover any damages which may occur during our stay. My mother, not one for hucksters, agreed reluctantly only because a young boy of no more than 10 or 11 was whining in the backseat of the minivan about how he had to pee.

      After another excellent vacation we arrived home and a letter came in the mail with our receipt of a credit card charge in the amount of $400. My mother, knowing this had to be a mistake as she had a similar receipt for $400 in cash, called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

      One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.

      So yeah, some employees truly do suck--always have and always will.

    2. Re:People with too much time on their hands by NoPantsJim · · Score: 5, Interesting

      I used to be one of these night shift people. I was definitely underpaid, but I used my spare time on the job with a laptop and a book learning to program.

      Here's the scary thing, plenty of people made it extra, extra easy for an employee to steal. We had this ridiculous backup process that had to be run nightly which would make our computers inoperable for about 90 minutes. If someone with a reservation came to check in I could do so, but any walk-ins would have to wait. Around 2-3 times a month people would come in so exhausted from driving all day that they'd just hand me their credit card and say "I'll pick it up in the morning, just give me a room key". I think that since it was an upscale Marriott people just assumed everything was safe.

    3. Re:People with too much time on their hands by Yvanhoe · · Score: 3, Insightful

      So yeah, some employees truly do suck--always have and always will.

      And should not be trusted with consumer financial data, which is a management error that is totally avoidable.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    4. Re:People with too much time on their hands by guruevi · · Score: 3, Interesting

      That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes; after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:People with too much time on their hands by pandrijeczko · · Score: 4, Interesting

      My company insists we put business expenses on company-provided AMEX cards.

      However, about four years ago, AMEX started requesting to do personal credit checks before they renewed expiring cards and I refused to let them do it; my credit rating is fine, I've nothing to hide, but I just don't like AMEX as a company and don't want my personal details on their (or any other company I refuse to deal with) database.

      The company couldn't force me to give them permission to do the credit check on me, so I now use my personal credit card and enjoy the loyalty bonuses as a result.

      --
      Gentoo Linux - another day, another USE flag.
    6. Re:People with too much time on their hands by JWSmythe · · Score: 2, Insightful

      Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.

      Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards. And of course we shouldn't forget about the evidence trail that using credit cards exclusively gives. Using a card on a regular basis lets the issuing bank know what your purchasing trends are. It may require a warrant for law enforcement to acquire the evidence, but the banks are more than happy to take advantage of the information for their own purposes.

      --
      Serious? Seriousness is well above my pay grade.
    7. Re:People with too much time on their hands by radish · · Score: 2, Insightful

      Just because the hotel needs a credit card from me doesn't mean the guy behind reception needs to see the data. Simply put a swipe machine on the customer side of the desk, and don't show anything other than "OK"/"NOT OK" to the employee. If Best Buy can manage it anyone can :)

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  3. I read the article by tepples · · Score: 4, Informative

    Based on the article, it appears to mean that 38 percent of the fraud across all merchants that take payment cards involves a hotel. So the "hotel industry" is responsible for 38 percent of payment card fraud in "industry" in general.

    1. Re:I read the article by Hijacked+Public · · Score: 3, Insightful

      That is an inversion of purposes, between the headline and the article.

      The Slashdot editors have dug down past simpleton level grammar and emerged not at the bottom of the scale, but somehow at the top, and turned the industry on its ear.

      Which industry? I have no idea.

      --
      "Sacrifice for the good of The State" - The State
  4. Re:Wait...what? by Pojut · · Score: 4, Funny

    And nose snorts. Don't forget about the nose snorts.

  5. Not surprising... by duplicate-nickname · · Score: 4, Informative

    I recently had a hotel leave one of those quick check-out forms partially slid under my door. The problem was that it had my credit card information printed on it. It would have been quite easy to walk down the hall and grab a dozen names, credit card numbers and expiration dates. On top of that, who knows what happens to the forms once you sign them as I highly doubt they go through a shredder.


    1. Re:Not surprising... by sconeu · · Score: 2, Funny

      They don't. I'll name names.

      I was at the Doubletree in Crystal City, VA (just outside DC). I used the "Print from your room" facility.

      My printout was on the BACK of printouts that included names, addresses, and phone numbers (no CC's though). I told the front desk that they might want to look into their paper recycling policy...

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  6. they can also clone your card to a room key as wel by Joe+The+Dragon · · Score: 2, Interesting

    They can also clone your card to a room key as well if they want to. I don't think they do that by default any more.

  7. Why do merchants need to retain CC info? by JSBiff · · Score: 4, Insightful

    Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

    This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?

    If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).

    1. Re:Why do merchants need to retain CC info? by mounthood · · Score: 2, Insightful

      If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.

      They used to call it Fraud and it was the banks' problem. Now they call it Identity Theft and it's your problem.

      --
      tomorrow who's gonna fuss
  8. Re:they can also clone your card to a room key as by Anonymous Coward · · Score: 5, Informative

    Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

  9. ...and outright fraud by Just+Some+Guy · · Score: 5, Interesting

    I recently stayed at a cheap chain motel while traveling for a softball tournament. They had a sign posted (in the disused lavatory, etc.) along the lines of:

    Theft is a problem. We have a safe in your room. If you use it and someone steals your stuff, we'll insure you up to $10,000. For your convenience, a $1.50 charge will be added to your bill for the rental of the safe. If you don't want to pay the charge, let us know and we'll remove it.

    (Part in bold is as verbatim as my memory allows.)

    When I checked out the next morning, I asked the clerk to remove the $1.50 fee. She kind of huffed, spent the next 5 minutes messing around with the computer, then gave me a receipt for the correct amount that I expected to pay. Two days later, I noticed that my online statement was off $1.50+tax. Sure enough, they'd charged me anyway. When I called them to say that I wanted it fixed - yes, I am that stubborn and nitpicky - they assured me that this never happens and they were so sorry.

    As cheap as the motel was, that was an extra 3% or so in automatic free revenue. If they're operating at a 10% profit margin, that's about a 66% increase in actual profit. How many times do people look that closely at their credit card bills? I'd be willing to bet that 99 times out of 100, people see that the charge was correct to the nearest $10 and don't check it to the penny, or they figure it's not worthwhile and don't follow up on it.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:...and outright fraud by tkohler · · Score: 3, Interesting

      One time I was staying at a not-so-cheap hotel in upstate UK. The hotel offered a choice of breakfasts: Continental or Full, with about a US$10 price difference. Each day I chose a breakfast, changing based on mood and hunger, about splitting the choices evenly through my 5 day stay. (I was attending a conference at the same hotel.) The waiter took my selection and room number each day. Upon checkout, I found they had charged me (and everyone else) for the Full breakfast every day. I asked them why and they said they assumed that everyone would choose the "much better breakfast" and made that selection for them "as a convenience". I then asked why the waiter bothered to ask the choice if they were going to only charge one price. The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

  10. Thank you by tpstigers · · Score: 2, Insightful

    I'd just like to thank the author for not using the ridiculous term 'identity theft'.

  11. Re:they can also clone your card to a room key as by JDmetro · · Score: 2, Insightful

    Wouldn't it just be easier to have some blank mag-stripe cards? One of the local computer stores sells them for $60 for a 25 pack.

  12. wonder if it includes the social engineering side by cybrthng · · Score: 4, Interesting

    Hackers often target hotel PBX systems to call rooms and "confirm" credit cards with people staying there. It's one of those big issues you never hear about until someone is caught, and it's easily done since 99% of the hotel rooms don't offer any caller-id functionality. So if you get a call while in a room to confirm your credit card, just ask to go downstairs and confirm at desk.

  13. Wardriving by CODiNE · · Score: 3, Interesting

    I remember years ago I drove around a little with my laptop on the passenger seat recording the SSIDs I'd passed. Always fun to see how people name things. One that stood out was a Pik N Save or something... they strangely had a Wifi setup but the name was.

    PIKSAVPOS

    Yeah, their Point of Sales network was unencrypted and accessible throughout the huge parking lot and onto the main road.

    Nice.

    Perhaps the hotels used the same contractor. Very cheap and fast setup, works great.

    --
    Cwm, fjord-bank glyphs vext quiz
    1. Re:Wardriving by kent_eh · · Score: 3, Interesting

      Now with smartphones people aren't quite so retarded.

      Ummm... We found one of the office girls plugged in her little Apple Air-Port Express to the LAN under her desk, so she could use the WLAN on her iPhone at her desk.
      When she was confronted, she couldn't comprehend why it was a bad thing she was doing.
      Fortunately the policy (which we thoughtfully presented her with a paper copy of) clearly states that allowing strangers onto the company LAN can be a firing offense.
      That she understood (if not why).

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
  14. Re:they can also clone your card to a room key as by Tool+Man · · Score: 2, Informative

    Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

    They don't need to create new, valid-looking cards on-site. Besides, all the fun stuff is replicated in tracks 1 and 2.

    The room-key card system could provide a means of swiping (hah!) customer credit cards that doesn't require the same level of auditing that the actual payment systems should have. That could give them an easy way to grab the data for later.

  15. Re:Wait...what? by david+duncan+scott · · Score: 2, Insightful

    Seems obvious because you didn't use the card ever again after that?

    I could be wrong, but if I were walking into a Walmart with a rigged-up card, I think I'd want a fresh number, something from the previous 48 hours, maybe. Sixty days seems like an awfully long time in hot-CC-number-years. If nothing else, it shows tremendous restraint on the part of a small-time criminal, most of whom can't seem to wait sixty minutes before they spend the money (unless, of course, her name badge read, "D. B. Cooper.")

    --

    This next song is very sad. Please clap along. -- Robin Zander