Hotels Lead the Industry In Credit Card Theft

kdawson posted about 4 years ago | from the shred-everything dept.

Crime 135

katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."


135 comments


Wait...what? (1, Redundant)

Pojut (1027544) | about 4 years ago | (#32849812)

Hotels lead the industry in credit card theft.

Wait...which industry? The hotel industry? So hotels lead the hotel industry in credit card theft?

Redundant statement is redundant. Or poorly worded. Or just plain stupid.

Re:Wait...what? (4, Funny)

Voulnet (1630793) | about 4 years ago | (#32849840)

Pedantry. One of the disadvantages of living with a nerd.

Re:Wait...what? (4, Funny)

Pojut (1027544) | about 4 years ago | (#32849876)

And nose snorts. Don't forget about the nose snorts.

Re:Wait...what? (1)

404 Clue Not Found (763556) | about 4 years ago | (#32851686)

And nose snorts. Don't forget about the nose snorts.

Fascinating. Are you implying that more advanced nerds can develop snorts from other body parts?

Re:Wait...what? (1)

Pojut (1027544) | about 4 years ago | (#32851932)

Brother, you don't even want to KNOW what body parts my fiancee can use to make snorting sounds...

Re:Wait...what? (1)

commodore64_love (1445365) | about 4 years ago | (#32851762)

>>>>>Pedantry. One of the disadvantages of living with a nerd.

Where I come from, we call them anal-retentive bastards. Or grandpas. Same difference.
.

>>>Wait...which industry? The hotel industry?

"Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s [youtube.com]

I was a victim of this. I stayed in a Motel 6 in Oregon. About two months later some guy in California spent $3500 at Wal-Mart on my Discover credit account. Seems obvious the girl behind the desk sold the number, or else used it herself.

I read the article (4, Informative)

tepples (727027) | about 4 years ago | (#32849856)

Based on the article, it appears to mean that 38 percent of the fraud across all merchants that take payment cards involves a hotel. So the "hotel industry" is responsible for 38 percent of payment card fraud in "industry" in general.

Re:I read the article (3, Insightful)

Hijacked Public (999535) | about 4 years ago | (#32849962)

That is an inversion of purposes, between the headline and the article.

The Slashdot editors have dug down past simpleton level grammar and emerged not at the bottom of the scale, but somehow at the top, and turned the industry on its ear.

Which industry? I have no idea.

Re:I read the article (0)

Anonymous Coward | about 4 years ago | (#32851312)

I was thinking about the card theft industry myself.

Re:Wait...what? (1)

commodore64_love (1445365) | about 4 years ago | (#32850128)

>>>Wait...which industry? The hotel industry?

"Hotels lead the [credit] industry in credit card theft." Fixed it. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=13s [youtube.com]

I think I was a victim of this a few years ago. I had driven to Oregon for a vacation where I stayed in a Motel 6. About two months later some guy in California spent $3500 at Walmart on my Discover credit account. Of course I didn't have to pay, since my signature did not appear on any of the Walmart receipts.

Re:Wait...what? (0)

Anonymous Coward | about 4 years ago | (#32850596)

"This video contains content from WMG, who has blocked it in your country on copyright grounds. "

LOL sad

Re:Wait...what? (1)

commodore64_love (1445365) | about 4 years ago | (#32850876)

>>>"This video contains content from WMG, who has blocked it in your country on copyright grounds. "
>>>LOL sad

Yep. This link might work, although you won't get to see her sexy asian-european-american body :-( http://s0.ilike.com/play#Michelle+Branch:Are+You+Happy+Now:28704:s526903.8517444.2883784.0.2.20%2Cstd_b74cb0d1d0f64605a4ed1cfaaef4553a [ilike.com]

Re:Wait...what? (1)

Sporkinum (655143) | about 4 years ago | (#32851088)

This just happened to us on a trip to Colorado. We stayed at a Super 8 and a Motel 6 while there, and at a Super 8 in Omaha. About a week after we got back we got 4 charges on our card that appeared to originate in Mexico. 2 of them were blocked by fraud detection of the card issuer, and 2 made it through. As it was a debit card, we were liable for $50 of the $600 in charges that made it through. Card was canceled and a new one issued. We are also going to use a credit card instead, so the card company is on the hook, not us.

We were concerned about this happening, so we paid everything by cash on the trip. The bad thing was we had to use the card number to reserve the rooms.

Re:Wait...what? (1)

commodore64_love (1445365) | about 4 years ago | (#32851692)

>>>As it was a debit card, we were liable for $50 of the $600

Why oh why do people continue using debit cards? If you had used a credit card, you would have been liable for *nothing*. And even if the Visa/Mastercard company tried to collect, you don't have to pay the bill. The money would be sucked from their account, not yours.

>>>We are also going to use a credit card instead

Good.

Re:Wait...what? (0, Offtopic)

mcgrew (92797) | about 4 years ago | (#32850140)

Redundant statement is redundant. Or poorly worded. Or just plain stupid.

Like the guy who moderated your post "redundant". Why are people with two digit IQs allowed at a nerd site, anyway?

Re:Wait...what? (1)

Pojut (1027544) | about 4 years ago | (#32850184)

Because they would sue for discrimination otherwise. One has to wonder if they crash Mensa parties...

Re:Wait...what? (1)

singingjim1 (1070652) | about 4 years ago | (#32850528)

Poorly worded. I think industry is supposed to be the credit card industry, not the hotel industry.

Nigger Killing Cop on BART (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#32849820)

I'm glad that a pure (all white) jury called it 'involuntary manslaughter' when a police officer killed an unarmed man who was already face down on the ground at a BART station in Oakland.

I guess 'just a nigger' isn't a valid legal term anymore...

Re:Nigger Killing Cop on BART (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#32849872)

Dude, if it doesn't fit, you must acquit.

People with too much time on their hands (4, Insightful)

Tisha_AH (600987) | about 4 years ago | (#32849848)

What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

they can also clone your card to a room key as wel (2, Interesting)

Joe The Dragon (967727) | about 4 years ago | (#32849932)

They can also clone your card to a room key as well if they want to; I don't think they do that by default any more.

Re:they can also clone your card to a room key as (5, Informative)

Anonymous Coward | about 4 years ago | (#32849990)

Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

Re:they can also clone your card to a room key as (2, Informative)

Tool Man (9826) | about 4 years ago | (#32850622)

Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

They don't need to create new, valid-looking cards on-site. Besides, all the fun stuff is replicated in tracks 1 and 2.

The room-key card system could provide a means of swiping (hah!) customer credit cards that doesn't require the same level of auditing that the actual payment systems should have. That could give them an easy way to grab the data for later.

Re:they can also clone your card to a room key as (0)

Anonymous Coward | about 4 years ago | (#32851142)

Might as well just take a dump of the card, or several hundred thousand, and keep em on a thumb drive. Keep all the data, and replicate later at your leisure. (Same AC as before...I really need to register already.)

Re:they can also clone your card to a room key as (1)

commodore64_love (1445365) | about 4 years ago | (#32851818)

On television they showed how waitresses, clerks, and other staff snake-in a machine (looks like a cellphone) and swipe the card directly through it. They can compile about 100 numbers per day and then produce fake cards in their home basement. ----- I was a victim of this. I stayed in a Motel 6. About two months later some guy in California spent $3500. Seems obvious the girl behind the desk swiped the number off my card.

>>>Wait...which industry? The hotel industry?

"Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. - Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s [youtube.com]

Re:they can also clone your card to a room key as (0)

Anonymous Coward | about 4 years ago | (#32850098)

They have never done that as default. Honestly, where do people get that idea?

Re:they can also clone your card to a room key as (2, Insightful)

JDmetro (1745882) | about 4 years ago | (#32850146)

Wouldn't it just be easier to have some blank mag-stripe cards? One of the local computer stores sells them for $60 for a 25 pack.

Re:they can also clone your card to a room key as (1)

oldspewey (1303305) | about 4 years ago | (#32851144)

Seems to me a blank magstripe card is a whole lot more suspicious than a room key card.

Re:People with too much time on their hands (4, Informative)

garcia (6573) | about 4 years ago | (#32849982)

We have been vacationing on Hilton Head Island for over 20 years. Back in the late 1980s/early 1990s we were ripped off in a hotel employee scam. My mother would always pay in cash. Four crisp 100 dollar bills were laid on the counter and slid across to the staffer behind for our week long stay in paradise (we always found it hilarious that it was 1/6th as expensive as a shitty two bed hotel room on the Jersey shore). This year, however, the clerk requested that we put down a credit card to cover any damages which may occur during our stay. My mother, not one for hucksters, agreed reluctantly only because a young boy of no more than 10 or 11 was whining in the backseat of the minivan about how he had to pee.

After another excellent vacation we arrived home and a letter came in the mail with our receipt of a credit card charge in the amount of $400. My mother knowing this had to be a mistake as she had a similar receipt for $400 in cash called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.

So yeah, some employees truly do suck--always have and always will.

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32850226)

Wow, you really stuck it to that hotel by refusing to stay there free of charge and instead moving to an inferior hotel because of the actions of one employee. I'd rather stay free of charge at the better hotel who are now more vigilant with regards to this scam, personally.

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32850272)

It's probably not because of the scam, but how the hotel handled the aftermath. Read the post again, the hotel accused them of lying and more.

I'd never go back there either. Not even if they paid me.

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32850938)

I would have gone back. I guarantee I would have ended up being a lot more than $400 worth of trouble.

Re:People with too much time on their hands (1)

arkane1234 (457605) | about 4 years ago | (#32852348)

Which would go onto your card.. you know, the one held for potential damages...

Re:People with too much time on their hands (3, Insightful)

Yvanhoe (564877) | about 4 years ago | (#32850244)

So yeah, some employees truly do suck--always have and always will.

And should not be trusted with consumer financial data, which is a management error that is totally avoidable.

Re:People with too much time on their hands (1)

homer_s (799572) | about 4 years ago | (#32851816)

And who is the "management" if not employees themselves?

Re:People with too much time on their hands (1)

arkane1234 (457605) | about 4 years ago | (#32852386)

If an employee doesn't take your payment, who will?
I mean, even when I make a payment for a hotel through Expedia, hotels always want a credit card or they won't allow entry into the room. You're basically forced to do something stupid for the sake of the business owner...

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32850248)

Had a similar thing happen with a doctor's office this year... paid $35 in cash and I disputed it!

Re:People with too much time on their hands (3, Interesting)

guruevi (827432) | about 4 years ago | (#32850260)

That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes; after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

Re:People with too much time on their hands (2, Insightful)

JWSmythe (446288) | about 4 years ago | (#32851772)

Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.

Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards. And of course we shouldn't forget about the evidence trail that using credit cards exclusively gives. Using a card on a regular basis lets the issuing bank know what your purchasing trends are. It may require a warrant for law enforcement to acquire the evidence, but the banks are more than happy to take advantage of the information for their own purposes.

Re:People with too much time on their hands (1)

RobertM1968 (951074) | about 4 years ago | (#32851992)

That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes; after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

Define reputable bank. When the idiot Lypozene scam kept charging my card, after I'd notified them to stop (in writing even), the cc company did "investigate" and reversed the charges - then added back the charges, even though I cited the fraud charges against them, simply because they claimed the Lypozene people claimed their website said what they were doing was ok.

The bank was Chase, btw.

Re:People with too much time on their hands (0, Offtopic)

xaxa (988988) | about 4 years ago | (#32850388)

My flatmate works in one of the fancy hotels in Central London (I can never remember the name, the standard rooms are £300 a night or so).

Every couple of weeks she tells me about one of the rich Arabs that stays for months and insists on paying in cash. They like to flaunt their wealth, so they wait for reception to be really busy, then dump £30,000 in £20 notes on the desk. Most other guests pay by card (using the PIN, if their card supports it)

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32850884)

We have been vacationing on Hilton Head Island for over 20 years.

Man, that is one really long vacation!

Re:People with too much time on their hands (0)

Anonymous Coward | about 4 years ago | (#32852128)

Happened to me at one of the largest insurance companies in the US. I had just moved to the area, bought a new car and started a new auto policy and paid the first six months in cash. We didn't know but the agent at the office took the cash and then quit. Luckily, she actually marked the policy as paid in full. It took a while to get that straightened out and at first, we were treated like potential accomplices.

Re:People with too much time on their hands (5, Interesting)

NoPantsJim (1149003) | about 4 years ago | (#32850148)

I used to be one of these night shift people. I was definitely underpaid, but I used my spare time on the job with a laptop and a book learning to program.

Here's the scary thing, plenty of people made it extra, extra easy for an employee to steal. We had this ridiculous backup process that had to be run nightly which would make our computers inoperable for about 90 minutes. If someone with a reservation came to check in I could do so, but any walk-ins would have to wait. Around 2-3 times a month people would come in so exhausted from driving all day that they'd just hand me their credit card and say "I'll pick it up in the morning, just give me a room key". I think that since it was an upscale Marriott people just assumed everything was safe.

Re:People with too much time on their hands (1)

AnonymousClown (1788472) | about 4 years ago | (#32850188)

If they have a decent bank behind their credit card or an AMEX, they weren't liable for anything over $50 - for personal cards. Business cards there's no limit on the liability. (Never get a 'business' credit card. Use a personal CC and reimburse yourself.)

Anyway, if you went apeshit, they could dispute the charges as fraud. It's kind of a pain in the ass (faxed signed affidavit) but if you have a decent bank, they'll stand behind you.

Re:People with too much time on their hands (4, Interesting)

pandrijeczko (588093) | about 4 years ago | (#32850278)

My company insists we put business expenses on company-provided AMEX cards.

However, about four years ago, AMEX started requesting to do personal credit checks before they renewed expiring cards and I refused to let them do it; my credit rating is fine, I've nothing to hide, but I just don't like AMEX as a company and don't want my personal details on their (or any other company I refuse to deal with) database.

The company couldn't force me to give them permission to do the credit check on me, so I now use my personal credit card and enjoy the loyalty bonuses as a result.

Re:People with too much time on their hands (1)

oldspewey (1303305) | about 4 years ago | (#32851324)

I now use my personal credit card and enjoy the loyalty bonuses as a result

My company also forces us to use a corporate Amex card for all business-related expenses ... and I am happy to do so because the Amex rewards program is actually way better than any of the other loyalty programs I've come across. The rewards points accrue to me, personally, rather than my company, and the rewards/expenditure ratio is really nice.

Re:People with too much time on their hands (1)

NoPantsJim (1149003) | about 4 years ago | (#32850282)

You're right, but it still struck me as odd that people would just say "Hey stranger, take my card for the next 8 hours." It was pretty rare that I would still be there in the morning when they checked out, so that means I'd have to pass their card off to another low-wage employee to trust it with.

It was kind of crazy how often my GM would have to fight these dispute charges. People would get enraged that their breakfast wasn't gluten free or that the tv in the room wasn't big enough and then have their CC companies claim they never stayed at our hotel. 99% of the cases were decided in our favor, but it was still a massive hassle from people deciding to throw a fit.

Seems to me that people who submit false claims for disputing charges should be held liable for fraud themselves.

Re:People with too much time on their hands (1)

wkk2 (808881) | about 4 years ago | (#32850472)

There might be problems with using a personal CC in the near future. I believe you will be required to give every vendor a 1099 for business purchases over $600/yr. The record keeping will be a lot of trouble. I'm sure it's only the first step to a VAT.

Re:People with too much time on their hands (1)

ericbrow (715710) | about 4 years ago | (#32850298)

Amen to that. When I worked 3rd shift at a hotel while going to college, the pay was crap. I got a "raise" of 10 cents above minimum, then minimum wage went up 15 cents, and they called it another raise. 23 years old, and the only employee on site in charge of a multi-million dollar property and hundreds of lives, getting paid minimum wage. I was never tempted to steal, but I was often tempted to walk out.

Re:People with too much time on their hands (1)

RobertM1968 (951074) | about 4 years ago | (#32851736)

What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

New York has enacted legislation to help prevent some of this type of fraud, by making it illegal to print whole CC numbers on receipts or to store them in the terminal (meaning immediate processing, with batches being done by transaction number IDs and not the CC number).

Problem is, I have STILL walked into places where the whole CC number and exp date are printed - even though it's in violation of the law. Makes it pretty easy to print out a list of the day's cc receipts, whole credit card numbers and expiration dates intact.

Hopefully, (1) other states (or the Feds - c'mon Feds, be useful) will jump on similar legislation, and (2) they will start enforcing it with the merchant services providers, since many don't seem to care around here (while others, such as BoA, sent one of our customers a letter telling them they were going to remotely disable their terminal if they didn't bring it in for software upgrade).

Re:People with too much time on their hands (1)

Talahaski (711819) | about 4 years ago | (#32852278)

Fault of the Hotel, Credit Card information should NOT be accessible to ANY staff member after the initial swipe into the computer system. Get some software that immediately encrypts the credit card information at check-in and does not allow anybody to view the unencrypted information after that.

Re:People with too much time on their hands (1)

MikeBabcock (65886) | about 4 years ago | (#32852646)

I travel a lot, and frequently grit my teeth when I call a hotel I've stayed at before and confirm only my name before they ask if I'd like to use the same card I used before, then reserve the room for me on the stored card info.

QSL (0)

Anonymous Coward | about 4 years ago | (#32849862)

This would be avoidable except the fuckers require a credit card to get a room.

Still waiting for the liability laws to reflect the part poor security of issuers play in this, and distribute liability accordingly.

Not surprising... (4, Informative)

duplicate-nickname (87112) | about 4 years ago | (#32849884)

I recently had a hotel leave one of those quick check-out forms partially slid under my door. The problem was that it had my credit card information printed on it. It would have been quite easy to walk down the hall and grab a dozen names, credit card numbers and expiration dates. On top of that, who knows what happens to the forms once you sign them as I highly doubt they go through a shredder.

Re:Not surprising... (1)

v1 (525388) | about 4 years ago | (#32850090)

I highly doubt they go through a shredder.

Paranoid as I tend to be, I would hope most of them would. Dumpster diving at a hotel would seem like an otherwise excellent way to dig up some fraud otherwise. If not just for the hotel staff then for the patrons. Makes one wonder just how much sensitive information gets casually tossed in the hotel room trash can by the average guest? I can't say that I've EVER seen a shredder next to the bible and alarm clock before.

Re:Not surprising... (1)

mcgrew (92797) | about 4 years ago | (#32850356)

Technology is supposed to solve problems, but often creates problems. Back before computers and the internet when a CC transaction involved simply a pre-printed form with carbon paper and the card's embossed name/number, these security problems were very rare. But technology isn't the problem here, it's merchants who treat the new technology like it was identical to the old technology, and governments who fail to keep regulation up to date being aware of how new technology can create new problems. Merchants are lax with security because there's no reason not to be. If the law said if their security was breached and you were harmed, you could collect three times damages, this crap would be rare.

Re:Not surprising... (1)

oldspewey (1303305) | about 4 years ago | (#32851382)

carbon paper and the card's embossed name/number, these security problems were very rare

Rare, but not unheard of.

I know of somebody who had a fraudulent transaction applied against their credit card, and after investigating the police determined that some fraudster must have gone dumpster diving for discarded carbon slips, and copied the information/signature from there.

Re:Not surprising... (1)

rjstanford (69735) | about 4 years ago | (#32851578)

Merchants are lax with security because there's no reason not to be.

Not exactly the case... a merchant found to be in breach of their PCI standards (which you agree to when you set up a gateway account) can have their charge privileges suspended or denied. And a hotel who couldn't process Visa/MC/Amex/Disc cards wouldn't last very long at all. You can argue that there should be more spot-checks, but PCI auditing is already a very expensive process, especially for smaller companies (you can easily spend $50K+ on an audit at PCI level one).

And then what? (0)

Anonymous Coward | about 4 years ago | (#32850434)

So you have all these names and numbers. Then what? As far as I know, online stores only ship to the address on the card. I.e. not where you live.

I fail to see how you could benefit from having just these numbers and not also having control over the residence of the card owner. Care to enlighten me?

Re:And then what? (1)

Convector (897502) | about 4 years ago | (#32850580)

Many places let you specify a shipping address that's different from a billing address. For example, I've ordered items off Amazon and had them sent directly to the intended recipients. I've had whole batches of Christmas presents shipped to my in-laws' house where we would be spending the holidays, since there seemed no point in having everything come to my house and then haul it all cross-country on a plane.

Re:And then what? (1)

izomiac (815208) | about 4 years ago | (#32850798)

Care to enlighten me?

  • Online goods and services don't need to be shipped.
  • Virtually all companies I've done business with ask for a billing address and a shipping address.
  • AFAIK, that's all the information you need to make a passable clone of the card.

It doesn't seem very logical to get stuff shipped to your house that you bought with a stolen credit card. I mean, chances are that you'll have police knocking at your door before the package even arrives.

Re:Not surprising... (1)

helix2301 (1105613) | about 4 years ago | (#32850916)

I have noticed that about the quick check-out forms. I have also had an issue where someone else's room was charged to my CC. I have also had a situation where I give them the new card or a different card and they charge the one that's on file.

Re:Not surprising... (0)

Anonymous Coward | about 4 years ago | (#32850944)

Clear violation of credit card data standards. Report them: http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

Re:Not surprising... (2, Funny)

sconeu (64226) | about 4 years ago | (#32851482)

They don't. I'll name names.

I was at the Doubletree in Crystal City, VA (just outside DC). I used the "Print from your room" facility.

My printout was on the BACK of printouts that included names, addresses, and phone numbers (no CC's though). I told the front desk that they might want to look into their paper recycling policy...

WIFI (0, Redundant)

ZaSz-RH (923115) | about 4 years ago | (#32849922)

Unprotected WIFI with default-passworded routers?

Why do merchants need to retain CC info? (4, Insightful)

JSBiff (87824) | about 4 years ago | (#32849958)

Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?

If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).

Re:Why do merchants need to retain CC info? (1, Interesting)

Anonymous Coward | about 4 years ago | (#32850066)

I think with hotels the issue is less of a refund than it is an extra charge. Let's say someone checks out at 10am and leaves town. The cleaning staff get to the room at 11:30 to find that anything not nailed down was taken (carried out a side door at 2am) and the room completely trashed. Hotels keep those numbers to protect themselves without putting a reserve of $1,000 on your card for a one-night stay in a two-star hotel.

I can't think of any reason for other merchants to keep your data beyond the point of sale.

Re:Why do merchants need to retain CC info? (1)

delinear (991444) | about 4 years ago | (#32850330)

So if I check out at 10am, some guy comes in and trashes the place, steals everything not nailed down and bails, the hotel are going to automatically charge my credit card and let me sort out the fallout? Surely a better system would be for them to, I don't know, check my room as I leave. When I get a hire car they always check over the vehicle with me when I hand the keys back, they don't leave it a few hours and if someone clips it with their 4x4 on the way out of the car park, just charge my credit card. Of course, such a system would require hotels to have plenty of staff available, which means they'd have to make less profit. Much better to shift all the responsibility onto the customer.

Re:Why do merchants need to retain CC info? (0)

Anonymous Coward | about 4 years ago | (#32851170)

So if I check out at 10am, some guy comes in and trashes the place, steals everything not nailed down and bails, the hotel are going to automatically charge my credit card and let me sort out the fallout? Surely a better system would be for them to, I don't know, check my room as I leave.

Yes, that would definitely be a better system, but the scenario you describe is not very likely. You lock the door when you leave, and it stays locked until the room is re-made by the cleaning person. How often does someone break into a hotel room just to vandalize it?

When I get a hire car they always check over the vehicle with me when I hand the keys back, they don't leave it a few hours and if someone clips it with their 4x4 on the way out of the car park, just charge my credit card.

Except they do retain your CC info, and may still charge you if they "discover" additional damage after the "inspection." Beware.

Re:Why do merchants need to retain CC info? (1)

rjstanford (69735) | about 4 years ago | (#32851614)

With a decent gateway you don't even have to do that. You take your gateway credentials and the credit card information, and use them to create a unique storable key. The only thing you can do with that key is to move money between that one particular CC and your gateway account (refund, add'l charge, etc). Technically someone could steal it and either issue refunds or make additional charges, but they generally wouldn't because there's no incentive for them to do so. Far safer (and more PCI compliant) than retaining the CC number itself.
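The gateway-token arrangement described in the comment above, as an added sketch that is not part of the thread and not any real gateway's API. `ToyGateway`, `check_in`, the merchant IDs and the random `tok_` format are all hypothetical, and the card number is the widely published test value.

```python
import hmac
import secrets


class ToyGateway:
    """Constructed stand-in for a payment gateway's token vault (hypothetical API)."""

    def __init__(self):
        self._vault = {}          # token -> (merchant_id, pan); held only by the gateway
        self._merchant_keys = {}  # merchant_id -> API secret

    def register_merchant(self, merchant_id):
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def _authenticate(self, merchant_id, api_key):
        expected = self._merchant_keys.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            raise PermissionError("bad gateway credentials")

    def tokenize(self, merchant_id, api_key, pan):
        """Swap the card number for an opaque key bound to this merchant."""
        self._authenticate(merchant_id, api_key)
        token = "tok_" + secrets.token_hex(16)  # random, so it reveals nothing about the PAN
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, api_key, token, cents):
        """Positive cents is an additional charge, negative cents a refund."""
        self._authenticate(merchant_id, api_key)
        owner, pan = self._vault.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return {"merchant": merchant_id, "last4": pan[-4:], "cents": cents}


def check_in(gateway, merchant_id, api_key, pan, guest):
    """Return the only record the hotel keeps: token plus last four digits."""
    token = gateway.tokenize(merchant_id, api_key, pan)
    return {"guest": guest, "token": token, "last4": pan[-4:]}


def demo():
    gw = ToyGateway()
    hotel_key = gw.register_merchant("hotel-1")
    other_key = gw.register_merchant("other-shop")
    pan = "4111111111111111"  # published test card number, not a real account
    record = check_in(gw, "hotel-1", hotel_key, pan, "guest-42")
    # Late charge after checkout works with the stored token alone.
    late = gw.charge("hotel-1", hotel_key, record["token"], 1500)
    # The same token copied out of the hotel's database is useless elsewhere.
    try:
        gw.charge("other-shop", other_key, record["token"], 999)
        stolen_ok = True
    except PermissionError:
        stolen_ok = False
    return record, late, stolen_ok


if __name__ == "__main__":
    print(demo())
```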

Re:Why do merchants need to retain CC info? (1)

MobyDisk (75490) | about 4 years ago | (#32851422)

Hotels might have a valid reason. Other merchants do not. They can refund charges without having the number. This is another case where I think we have to resort to legislation making it illegal to retain credit card numbers. It's stupid on so many levels though.

1. The merchant shouldn't retain the credit card number (it is in their own best interest NOT to, since they are liable for the resulting fraud).
2. The credit card company shouldn't let the store retain the credit card information (fraud costs them money, PR, and customers).
3. The credit card company shouldn't even issue credit card numbers - there are far better ways to do it than having one magical number that gives anyone access to your account.
4. Credit cards shouldn't have personal information on them anyway.

The credit card system is wrong on so many levels it is just silly.

Re:Why do merchants need to retain CC info? (1)

billtom (126004) | about 4 years ago | (#32851780)

It's my understanding that the CC companies are moving towards what you are talking about (store transaction tokens, not CC details). But the CC companies are very reluctant to really push all the merchants to upgrade their systems.

The merchants, of course, don't want to spend any money updating their systems. And the CC companies can't afford to simply cut off large numbers of merchants that won't upgrade or comply to guidelines.

Re:Why do merchants need to retain CC info? (2, Insightful)

mounthood (993037) | about 4 years ago | (#32851926)

If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.

They used to call it Fraud and it was the banks' problem. Now they call it Identity Theft and it's your problem.

...and outright fraud (5, Interesting)

Just Some Guy (3352) | about 4 years ago | (#32850072)

I recently stayed at a cheap chain motel while traveling for a softball tournament. They had a sign posted (in the disused lavatory, etc.) along the lines of:

Theft is a problem. We have a safe in your room. If you use it and someone steals your stuff, we'll insure you up to $10,000. For your convenience, a $1.50 charge will be added to your bill for the rental of the safe. If you don't want to pay the charge, let us know and we'll remove it.

(Part in bold is as verbatim as my memory allows.)

When I checked out the next morning, I asked the clerk to remove the $1.50 fee. She kind of huffed, spent the next 5 minutes messing around with the computer, then gave me a receipt for the correct amount that I expected to pay. Two days later, I noticed that my online statement was off $1.50+tax. Sure enough, they'd charged me anyway. When I called them to say that I wanted it fixed - yes, I am that stubborn and nitpicky - they assured me that this never happens and they were so sorry.

As cheap as the motel was, that was an extra 3% or so in automatic free revenue. If they're operating at a 10% profit margin, that's about a 66% increase in actual profit. How many times do people look that closely at their credit card bills? I'd be willing to bet that 99 times out of 100, people see that the charge was correct to the nearest $10 and don't check it to the penny, or they figure it's not worthwhile and don't follow up on it.

Re:...and outright fraud (0)

Anonymous Coward | about 4 years ago | (#32851308)

I was one of those people who said the value looks about right; then I discovered jGnash (open source accounting software) and started tracking how I am spending money. Aside from being a good way to save money, it wants me to reconcile my accounts. I do that against credit card and bank statements, and verify everything is correct.

(Note, there are other open source options as well, jGnash does have a few picky details I don't care for)

Re:...and outright fraud (1)

Just Some Guy (3352) | about 4 years ago | (#32851538)

I used KMyMoney for quite a while before going with a checkbook program on my iPod. It's always with me and I've gotten in the habit of entering transactions as I'm standing at a store checkout and waiting for my transaction to be approved.

PS: Why, oh why, can't someone write an iPhone checkbook app that understands the conception of reconciliation as a batch transaction?

Re:...and outright fraud (3, Interesting)

tkohler (806572) | about 4 years ago | (#32851510)

One time I was staying at a not-so-cheap hotel in upstate UK. The hotel offered a choice of breakfasts: Continental or Full, with about a US$10 price difference. Each day I chose a breakfast, changing based on mood and hunger, about splitting the choices evenly through my 5-day stay. (I was attending a conference at the same hotel.) The waiter took my selection and room number each day. Upon checkout, I found they had charged me (and everyone else) for the Full breakfast every day. I asked them why and they said they assumed that everyone would choose the "much better breakfast" and made that selection for them "as a convenience". I then asked why the waiter bothered to ask the choice if they were going to only charge one price. The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

Re:...and outright fraud (1)

Just Some Guy (3352) | about 4 years ago | (#32851680)

The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

I worked the night shift at a reasonably nice motel when I was in college so that I could study during all the down-time. Although the management had their own set of annoyances like overcharging for every little thing, they were scrupulously honest. For example, the phones had the ridiculous rates printed on the face around the buttons so you could easily see the prices, and part of my night audit job was to compare the phone system's logs with the room charges. If I found that we'd accidentally overcharged someone, we'd refund it even after they'd already checked out and gone home.

I think that's why it always especially pisses me off when motels are dishonest. The place I worked for had a good reputation and a lot of repeat business, and I'm naive enough to expect that other companies want the same.

Thank you (2, Insightful)

tpstigers (1075021) | about 4 years ago | (#32850086)

I'd just like to thank the author for not using the ridiculous term 'identity theft'.

Re:Thank you (1)

Sulphur (1548251) | about 4 years ago | (#32850274)

Does using your email name for spam qualify?

--

I was cold called by someone offering "indemnity theft."

POS (0)

Anonymous Coward | about 4 years ago | (#32850102)

Things that are bad... POS machines on the same subnet as the Guest WLAN...

wonder if it includes the social engineering side (4, Interesting)

cybrthng (22291) | about 4 years ago | (#32850220)

Hackers often target hotel PBX systems to call rooms and "confirm" credit cards with people staying there. It's one of those big issues you never hear about until someone is caught, and it's easily done since 99% of the hotel rooms don't offer any caller-ID functionality. So if you get a call while in a room to confirm your credit card, just ask to go downstairs and confirm at the desk.

My college advisor told us about this years ago (1)

moller (82888) | about 4 years ago | (#32850332)

Although it was about traveling outside the country.

He was teaching the Networking course, and during a brief section on security and encryption he mentioned how he had recently been traveling (he wouldn't say where, but he was born in India) and stayed at a five-star hotel while he was out of the country. He then pointed out how he had requested a new/temporary credit card from his bank for the trip, which he only used to pay for the hotel, and he canceled the card as soon as he was back in the US.

By the time he had gotten back to the states, the card had already been stolen/compromised.

Wardriving (3, Interesting)

CODiNE (27417) | about 4 years ago | (#32850350)

I remember years ago I drove around a little with my laptop on the passenger seat recording the SSIDs I'd passed. Always fun to see how people name things. One that stood out was a Pik N Save or something... they strangely had a Wifi setup but the name was:

PIKSAVPOS

Yeah, their Point of Sales network was unencrypted and accessible throughout the huge parking lot and onto the main road.

Nice.

Perhaps the hotels used the same contractor. Very cheap and fast setup, works great.

Re:Wardriving (1)

pandrijeczko (588093) | about 4 years ago | (#32850416)

Just one observation...

Of course an unencrypted WLAN is a *VERY BAD* idea but just because the WLAN isn't encrypted doesn't mean you'll be able to sniff anything on it if all the transmissions on it go over SSL or some other encryption method.

Personally, I'd hope that anything involving a credit card transaction anywhere goes over SSL by default.

Re:Wardriving (1)

CODiNE (27417) | about 4 years ago | (#32850624)

That's true but anyone could sit in the parking lot and record everything going over that wire for months. Or hide a little sniffer box under a bush somewhere and record all year long. It was probably around 2000 that this happened so I'm gonna guess they weren't using RC4 or anything like that. Eventually you could brute force it with so many samples.

Shoot in those days I opened up my laptop at work, it automatically joined the open wireless there and my boss screamed that I'd "Hacked" into the network. People seriously did not understand how far their wireless was reaching back then, and the thought was "We'd see anyone sitting around with a laptop acting suspicious". Now with smartphones people aren't quite so retarded.

Re:Wardriving (1)

pandrijeczko (588093) | about 4 years ago | (#32850670)

Oh, don't get me wrong - just because the connection is encrypted does not mean that you can't just hop onto the WLAN, hack a user account on a server somewhere and pull unencrypted credit card information from the server itself!

Re:Wardriving (1)

PTBarnum (233319) | about 4 years ago | (#32851040)

Wait, you had your laptop configured to automatically join any available open wireless network? And you are worrying about other people's security practices?

Re:Wardriving (1)

CODiNE (27417) | about 4 years ago | (#32851548)

I don't have any services on, and that was 10 years ago.

No punishment for the crooks anyhow? (1)

wealthychef (584778) | about 4 years ago | (#32850446)

Do the credit card companies care yet? When my friend's identity was stolen a few years back, they had no interest in finding and prosecuting those responsible, even when he did the research and found them. It was cheaper for them to just pay him off and forget about it. So if it's a no-risk crime, then it doesn't matter which industry leads the ... uh... industry. I'd prefer to see how many such crimes are solved and prosecuted successfully.

Re:No punishment for the crooks anyhow? (1)

pandrijeczko (588093) | about 4 years ago | (#32850618)

Unfortunately, you've highlighted the major problem with business today.

No business nowadays is ever interested in striving towards ensuring every customer gets the best possible service from them, they just puff their chests out and crow when they achieve a particular statistical level of performance.

"95% of calls to us are answered within 10 seconds" - the 5% of callers who were cut off or who sat listening to ringing tone for 10 minutes do not matter.

"Acme Disinfectant kills 99.9% of all germs" - so if you get food poisoning it's because of the 0.1% of germs that it left behind.

Credit card companies are no different - they predict they will have a maximum of a certain amount of fraud over a year and as long as it stays under that level, they can be sure the honest customers are covering the cost of it in their interest charges.

That's the problem with American-style management that has plagued our modern world - as long as the various management levels have some nicely coloured pie-charts to pass between themselves then they can justify their jobs and bonuses.

Sad but true.

Re:No punishment for the crooks anyhow? (1)

Eskarel (565631) | about 4 years ago | (#32851086)

Come on. That's totally pathetic.

To try and make a point about people evaluating the cost of particular actions (like prosecuting credit card fraud) and occasionally choosing an option which is cheaper for them but worse for everyone else, which is bad, and then try to compare it to companies being realistic about their ability to deliver. Then you throw in a dig towards the US.

You can't ever guarantee 100% of anything. No matter how many people you employ in your call center there's always a call rate which will overwhelm it. No matter how good a disinfectant is it won't kill 100% of germs. Companies who try to achieve impossible goals (100% is impossible, you probably couldn't even promise that 100% of calls wouldn't be answered) go out of business and no one wins.

I'm not arguing that the way credit card companies deal with fraud is bad for everyone, including over the long term the credit card companies, but the rest of your examples don't match that behavior, nor is this behavior specifically American. Lord knows there are problems with US business practices, but given that credit cards (and for that matter a lot of banking) is a risk vs rewards analysis business, you can't really be surprised that banks all over the world do the same thing. The nature of their work makes them see things this way.

I worked night audit... (1)

ch_rob (655367) | about 4 years ago | (#32850458)

...granted many years ago. But at that time, at check in, we took an imprint of the CC info, got an authorization for the expected amount of the stay. Then after check out, the imprinted forms were updated with the actual amount of the bill and signed (if the guest came to the desk), and left for the night audit crew.

The night auditors would go through the thousand or so CC slips, and using CC software on a PC, pull up the authorization by CC Number and enter the final amount.

Anyway... long story longer... we had access to many, many credit card numbers every night.

At least at our hotels, the early check out forms left under the guests' door did not contain CC info.

My experience in Geneva . . . (1)

PolygamousRanchKid (1290638) | about 4 years ago | (#32850612)

I had a business trip there about 15 years ago. About a year later, I got a snail mail birthday card greeting from the hotel. I thought that it was kind of cute, and mentioned it to another colleague who often traveled to Geneva at that time. He is a security weenie, and told me:

Just think what will happen when the hotel retires their PC, and gives it to a child of one of the employees, without scrubbing the disk.

There goes your name, credit card number, and birthday info . . .

screw (0)

Anonymous Coward | about 4 years ago | (#32850828)

That's what happens when you have a cheap owner and you're not PCI compliant....(Thanks Miracle Springs Resort).

Analog or digital? (1)

sootman (158191) | about 4 years ago | (#32850840)

There are two ways to steal credit card numbers: getting them from a computer system of some kind (up to and including things like putting a stripe reader on the front of an ATM) and the old-fashioned way of a clerk or waiter or whoever just looking at a card and copying the numbers. Does anyone know of any data showing which is more common?

No Credit Card, No Stay (0)

Anonymous Coward | about 4 years ago | (#32851094)

There are almost no hotels that let you stay without a credit card, so it makes them a prime target as every transaction has to have a credit card, even if in the end you use cash to pay for the stay. I feel sorry for the portion of the public that refuses to use plastic, and only uses cash. I realized this early on in college when I had to stay in my car since no hotels would accept cold hard cash.

My experiences with this (0)

Anonymous Coward | about 4 years ago | (#32851104)

I used to do IT for a large luxury resort, and this was one of the things that was always on my mind. They had an extremely expensive, quirky, and bug-laden PMS (Property Management System). It did everything on the resort grounds from scheduling on the golf course to restaurant outlets (POS) to guest reservations. Once I started digging into it I realized that it had ~7 years' worth of all of our customers' data - credit card numbers etc etc. I wanted to archive all of that data in a safe (or destroy it) but in order to do so we would have had to spend way more $ than we had in the budget to upgrade to the latest version of the PMS with a new, clean database. (Parts of it were largely remotely administered, since the majority of the important parts of the software were password protected by a code that changed every 15 minutes, and they routinely changed the algorithm that produced the code.)

All of that information could have fit on a DVD several times over (just an SQL DB). I am used to being in positions of responsibility, but to me this was a huge disaster waiting to happen, and it brought clarity to my opinions into just how important it is to have an IT person with high moral standards. Nevertheless, all it takes is one unscrupulous person anywhere in the loop to cause massive trouble to others at very little effort on their part.

I recommend that you only pay cash, for everything, if at all possible. I mean, if that data from the resort would have gotten lifted by someone that sold the information, no one is going to have a clue that their information was obtained from their stay at a random resort some 6 years ago.

Re:My experiences with this (0)

Anonymous Coward | about 4 years ago | (#32851888)

I worked IT at a large conference center. Our database was one huge Access file. (It was an awful mess.)

In order to see every guest ever's name, address, cc info, expiration date, and the RAW CC values on the magnetic strip, all a janitor had to do was know how to dump that section of the database while changing room clean statuses. We aren't talking trust in the IT side of things, but every single person in the company. When I brought this to the attention of the department responsible for the database I was told I shouldn't be poking around in places I don't belong.
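The last two comments describe years of card numbers and raw magnetic-stripe values sitting in a property database. As an added example (not part of the thread), this is the kind of discovery scan a defender can run over a text export to find stored PANs and track data; the sample rows are constructed and use published test card numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts: track 1 begins "%B", track 2 begins ";".
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(lines):
    """Return (line number, finding type, masked PAN or None) tuples."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        # Raw stripe data is the worst case: it must never be kept after authorization.
        if TRACK1_RE.search(line) or TRACK2_RE.search(line):
            findings.append((lineno, "track-data", None))
            continue
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "pan", mask(digits)))
    return findings


# Constructed sample export rows (test card numbers only).
SAMPLE = [
    "1001,J. Doe,2010-07-01,room 214,paid cash",
    "1002,A. Smith,4111 1111 1111 1111,exp 12/12",
    "1003,B. Jones,%B4111111111111111^JONES/B^12121010000000000?",
    "1004,C. Lee,order ref 1234567890123456",
    "1005,D. Kim,;5555555555554444=12121010000000000?",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Row 1004 is not reported because its 16-digit reference fails the Luhn check, which is what keeps the false-positive rate manageable on real exports.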
