Hotels Lead the Industry In Credit Card Theft

katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."

People with too much time on their hands

[Tisha_AH]

What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

Why do merchants need to retain CC info?

[JSBiff]

Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?

If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).

Re:I read the article

[Hijacked Public]

That is an inversion of purposes, between the headline and the article.

The Slashdot editors have dug down past simpleton level grammar and emerged not at the bottom of the scale, but somehow at the top, and turned the industry on its ear.

Which industry? I have no idea.

Thank you

[tpstigers]

I'd just like to thank the author for not using the ridiculous term 'identity theft'.

Re:they can also clone your card to a room key as

[JDmetro]

Wouldn't it just be easier to have some blank mag-stripe cards? One of the local computer stores sells them for $60 for a 25 pack.

Re:People with too much time on their hands

[Yvanhoe]

So yeah, some employees truly do suck--always have and always will.

And should not be trusted with consumer financial data, which is a management error that is totally avoidable.

Re:People with too much time on their hands

[JWSmythe]

    Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.

    Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards. And of course we shouldn't forget about the evidence trail that using credit cards exclusively gives. Using a card on a regular basis lets the issuing bank know what your purchasing trends are. It may require a warrant for law enforcement to acquire the evidence, but the banks are more than happy to take advantage of the information for their own purposes.

Re:Why do merchants need to retain CC info?

[mounthood]

If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.

They used to call it Fraud and it was the banks problem. Now they call it Identity Theft and it's your problem.

Re:People with too much time on their hands

[radish]

Just because the hotel needs a credit card from me doesn't mean the guy behind reception needs to see the data. Simply put a swipe machine on the customer side of the desk, and don't show anything other than "OK"/"NOT OK" to the employee. If Best Buy can manage it anyone can :)

Re:Wait...what?

[david duncan scott]

Seems obvious because you didn't use the card ever again after that?

I could be wrong, but if I were walking into a Walmart with a rigged-up card, I think I'd want a fresh number, something from the previous 48 hours, maybe. Sixty days seems like an awfully long time in hot-CC-number-years. If nothing else, it shows tremendous restraint on the part of a small-time criminal, most of whom can't seem to wait sixty minutes before they spend the money (unless, of course, her name badge read, "D. B. Cooper.")